Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
FreeRADIUS keeps complaining about TLS 1.0/1.1, despite tls_min_version setting has been set to 1.2
by Viacheslav Mikhailow 11 Mar '23
by Viacheslav Mikhailow 11 Mar '23
11 Mar '23
Hi everyone
I've published an issue on a question board
<https://serverfault.com/questions/1125788/freeradius-keeps-complaining-abou…>,
concerning the FreeRADIUS server. Could anyone answer it?
Thank you
--
*BR,*
*Václav*
1
0
Fwd: Way to configure logging to emit SSL Certificate info with a failure message?
by Andy Arp 09 Mar '23
by Andy Arp 09 Mar '23
09 Mar '23
Looking for ways to configure version 3.0.x to emit additional log data
when an SSL error occurs. Specifically looking for ways to emit the SAN or
even the ID of the certificate being presented to make it easier to track
down badly configured clients without having to turn on debug mode.
Example of log message we're seeing as too generic currently:
Mon Mar 6 10:32:59 2023 : ERROR: (0) ERROR: SSL says error 23 :
certificate revoked
2
4
hello list.
On my last freeradius upgrade (to Version 3.2.1) I changed config files
to reach this goal :
Force the vlan for unknown mac adresses OR eduroam SSID
use user's one (comming from ldap module) for known mac adresses
(yes it looks like a small network access control)
That for, I add this unlang command in default site :
authorize {
.....
authorized_macs
if (!ok) {
update reply {
Tunnel-Private-Group-Id := 602
}
} else {
if (Called-Station-Id =~ /.*eduroam.*/i ) {
update reply {
Tunnel-Private-Group-Id := 602
}
}
}
and of course in ldap module :
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
Not shure why but sometimes, known mac addresses fall in vlan 602.
reading debug log, I see that access-accept request has 2
Tunnel-Private-Group-Id values.
(917721) Login OK: [anonymous] (from client APs port 0 cli 9C-B6-D0-93-43-9B)
(917721) Sent Access-Accept Id 235 from 10..x.x.x:1812 to 10.y.y.y:34406 length 206
(917721)*Tunnel-Private-Group-Id := "602"*
(917721) MS-MPPE-Recv-Key = 0x8b027fe2eb7a469ab2511b31ea16e1ea2c6f11b9846db09dce876d4333d99077
(917721) MS-MPPE-Send-Key = 0xc9b83651e9ff3adefbdf2371f127d2fbdc2b5334f3ed37c0729a1e4b468945ab
(917721) EAP-Message = 0x03170004
(917721) Message-Authenticator = 0x00000000000000000000000000000000
(917721) User-Name = "anonymous"
(917721) Framed-MTU += 1014
(917721) Tunnel-Type += VLAN
(917721) Tunnel-Medium-Type += IEEE-802
(917721)*Tunnel-Private-Group-Id += "1001"*
(917721) Service-Type += Administrative-User
(917721) Finished request
How can the WAP know which one apply ???
My questions are :
- Is that method a valid one ? If not, how to ?
- should I use an other operator to set Tunnel-Private-Group-Id value ?
- why is the attribute present twice even if := operator is always used
and wiki says :
*:=* Attribute := value Always matches as a check item, and replaces
in the configuration items any attribute of the same name. If no
attribute of that name appears in the request, then this attribute is
added.
Thanks for your attention.
Cédric
--
*Cédric Delaunay
*
*Service Infrastructure Systèmes et Réseaux / Direction du Système
d'Information*
*RSSI Suppléant *
Tel. : +33 (0)2 23 23 8568
*INSA Rennes*
20 avenue des Buttes de Coêsmes
CS 70839 - 35 708 RENNES Cedex 7
www.insa-rennes.fr <http://www.insa-rennes.fr/>
3
7
Hello,
I started to learn network authentication and I want to setup a litle poc with Freeradius and EAP-TLS.
I have previously tested my working configuration with the bob user as in the freeradius docker example.
I use freeradius docker image https://hub.docker.com/r/freeradius/freeradius-server/ in a container.
The configs files have been extracted to be configured in my host system and mounted at container's start.
I have follow this tutorial for the radiusd.conf file : https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-S…
As I use the container's default keys, the user file is just a line :
user(a)example.org Auth-Type := EAP, EAP-Type := EAP-TLS
On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X.
The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it.
The username I use on the phone side is "user(a)example.org", the domain is "example.org".
When I click on connect on my phone, I get an access reject as shown in the debug output below.
I wanted to know if I am doing wrong somewhere and possibly where ?
(Freeradius Version 3.2.0)
(0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812 length 212
(0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb
(0) Service-Type = Framed-User
(0) User-Name = "user(a)example.org"
(0) Framed-MTU = 1488
(0) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(0) Calling-Station-Id = "22-85-59-7C-27-7A"
(0) NAS-Identifier = "D-Link Access Point"
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 54Mbps 802.11g"
(0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(0) NAS-IP-Address = 10.17.30.60
(0) NAS-Port = 1
(0) NAS-Port-Id = "STA port # 1"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(0) suffix: No such realm "example.org"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) Initiating new session
(0) eap_tls: (TLS) Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061 length 64
(0) EAP-Message = 0x010100060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xbced3a8cbcec37005a032dcfba50bf3a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812 length 215
(1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5
(1) Service-Type = Framed-User
(1) User-Name = "user(a)example.org"
(1) Framed-MTU = 1488
(1) State = 0xbced3a8cbcec37005a032dcfba50bf3a
(1) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(1) Calling-Station-Id = "22-85-59-7C-27-7A"
(1) NAS-Identifier = "D-Link Access Point"
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 54Mbps 802.11g"
(1) EAP-Message = 0x020100060300
(1) NAS-IP-Address = 10.17.30.60
(1) NAS-Port = 1
(1) NAS-Port-Id = "STA port # 1"
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(1) suffix: No such realm "example.org"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry user(a)example.org at line 2
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xbced3a8cbcec3700
(1) eap: Finished EAP session with state 0xbced3a8cbcec3700
(1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd indicating it is not willing to continue
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> user(a)example.org
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061 length 44
(1) EAP-Message = 0x04010004
(1) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812 length 212
(2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04
(2) Service-Type = Framed-User
(2) User-Name = "user(a)example.org"
(2) Framed-MTU = 1488
(2) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(2) Calling-Station-Id = "22-85-59-7C-27-7A"
(2) NAS-Identifier = "D-Link Access Point"
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 54Mbps 802.11g"
(2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(2) NAS-IP-Address = 10.17.30.60
(2) NAS-Port = 1
(2) NAS-Port-Id = "STA port # 1"
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(2) suffix: No such realm "example.org"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 0 length 21
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Initiating new session
(2) eap_tls: (TLS) Setting verify mode to require certificate from client
(2) eap: Sending EAP Request (code 1) ID 1 length 6
(2) eap: EAP session adding &reply:State = 0x61a7200961a62df0
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063 length 64
(2) EAP-Message = 0x010100060d20
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x61a7200961a62df0743c98b3a07aed8f
(2) Finished request
Waking up in 1.9 seconds.
(3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812 length 215
(3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94
(3) Service-Type = Framed-User
(3) User-Name = "user(a)example.org"
(3) Framed-MTU = 1488
(3) State = 0x61a7200961a62df0743c98b3a07aed8f
(3) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(3) Calling-Station-Id = "22-85-59-7C-27-7A"
(3) NAS-Identifier = "D-Link Access Point"
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 54Mbps 802.11g"
(3) EAP-Message = 0x020100060300
(3) NAS-IP-Address = 10.17.30.60
(3) NAS-Port = 1
(3) NAS-Port-Id = "STA port # 1"
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(3) suffix: No such realm "example.org"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 1 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) files: users: Matched entry user(a)example.org at line 2
(3) [files] = ok
(3) [expiration] = noop
(3) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x61a7200961a62df0
(3) eap: Finished EAP session with state 0x61a7200961a62df0
(3) eap: Previous EAP request found for state 0x61a7200961a62df0, released from the list
(3) eap: Peer sent packet with method EAP NAK (3)
(3) eap: Peer NAK'd indicating it is not willing to continue
(3) eap: Sending EAP Failure (code 4) ID 1 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> user(a)example.org
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063 length 44
(3) EAP-Message = 0x04010004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
(0) Cleaning up request packet ID 0 with timestamp +74 due to cleanup_delay was reached
(1) Cleaning up request packet ID 1 with timestamp +74 due to cleanup_delay was reached
Waking up in 3.0 seconds.
(4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812 length 212
(4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100
(4) Service-Type = Framed-User
(4) User-Name = "user(a)example.org"
(4) Framed-MTU = 1488
(4) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(4) Calling-Station-Id = "22-85-59-7C-27-7A"
(4) NAS-Identifier = "D-Link Access Point"
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 54Mbps 802.11g"
(4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(4) NAS-IP-Address = 10.17.30.60
(4) NAS-Port = 1
(4) NAS-Port-Id = "STA port # 1"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(4) suffix: No such realm "example.org"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 0 length 21
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Peer sent packet with method EAP Identity (1)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) Initiating new session
(4) eap_tls: (TLS) Setting verify mode to require certificate from client
(4) eap: Sending EAP Request (code 1) ID 1 length 6
(4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065 length 64
(4) EAP-Message = 0x010100060d20
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x10b8d47310b9d97a65ed29a95486330e
(4) Finished request
Waking up in 1.8 seconds.
(5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812 length 215
(5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61
(5) Service-Type = Framed-User
(5) User-Name = "user(a)example.org"
(5) Framed-MTU = 1488
(5) State = 0x10b8d47310b9d97a65ed29a95486330e
(5) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(5) Calling-Station-Id = "22-85-59-7C-27-7A"
(5) NAS-Identifier = "D-Link Access Point"
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 54Mbps 802.11g"
(5) EAP-Message = 0x020100060300
(5) NAS-IP-Address = 10.17.30.60
(5) NAS-Port = 1
(5) NAS-Port-Id = "STA port # 1"
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(5) suffix: No such realm "example.org"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 1 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) files: users: Matched entry user(a)example.org at line 2
(5) [files] = ok
(5) [expiration] = noop
(5) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x10b8d47310b9d97a
(5) eap: Finished EAP session with state 0x10b8d47310b9d97a
(5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released from the list
(5) eap: Peer sent packet with method EAP NAK (3)
(5) eap: Peer NAK'd indicating it is not willing to continue
(5) eap: Sending EAP Failure (code 4) ID 1 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> user(a)example.org
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065 length 44
(5) EAP-Message = 0x04010004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
(2) Cleaning up request packet ID 0 with timestamp +77 due to cleanup_delay was reached
(3) Cleaning up request packet ID 1 with timestamp +77 due to cleanup_delay was reached
Waking up in 3.1 seconds.
(4) Cleaning up request packet ID 0 with timestamp +80 due to cleanup_delay was reached
(5) Cleaning up request packet ID 1 with timestamp +80 due to cleanup_delay was reached
Ready to process requests
Thanks,
Clément
Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires.
Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur par e-mail.
Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. Les communications sur Internet n'etant pas securisees, l'expediteur informe qu'il ne peut accepter aucune responsabilite quant au contenu de ce message.
This mail message and attachments (the "message") are solely intended for the addresses. It is confidential in nature.
If you receive this message in error, please delete it and immediately notify the sender by e-mail.
Any use other than its intended purpose, dissemination or disclosure, either whole or partial, is prohibited except if formal approval is granted. As communication on the Internet is not secure, the sender does not accept responsibility for the content of this message.
2
6
Hello,
My FreeRADIUS is talking to an LDAP directory (OpenLDAP) over TLS and I need to check the revocation status of the LDAP server's certificate using a CRL.
I tried adding check_crl in the tls section (of the LDAP module) but to no avail (see debug output below : check_crl is ignored when parsing the configuration) :
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = yes
# ca_file = /etc/ssl/certs/ca-bundle.crt
ca_path = /etc/ssl/certs
certificate_file = ${certdir}/radsrv1.crt
private_key_file = ${certdir}/radsrv1.key
check_crl = yes
# random_file = /dev/urandom
# Certificate Verification requirements. Can be:
# 'never' (do not even bother trying)
# 'allow' (try, but don't fail if the certificate
# cannot be verified)
# 'demand' (fail if the certificate does not verify)
# 'hard' (similar to 'demand' but fails if TLS
# cannot negotiate)
#
# The default is libldap's default, which varies based
# on the contents of ldap.conf.
require_cert = 'demand'
}
Verifying the LDAP server's certificate using OpenSSL (using the -crl_check option) works as expected (the certificate is flagged as revoked) as everything (CRL and CA) has been c_rehash'd in /etc/ssl/certs.
The full debug output when I start FreeRADIUS is the following (using -xX because the line stating that check_crl is ignored is not included with just -X) :
Wed Mar 8 11:03:22 2023 : Debug: Server was built with:
Wed Mar 8 11:03:22 2023 : Debug: accounting : yes
Wed Mar 8 11:03:22 2023 : Debug: authentication : yes
Wed Mar 8 11:03:22 2023 : Debug: ascend-binary-attributes : yes
Wed Mar 8 11:03:22 2023 : Debug: coa : yes
Wed Mar 8 11:03:22 2023 : Debug: control-socket : yes
Wed Mar 8 11:03:22 2023 : Debug: detail : yes
Wed Mar 8 11:03:22 2023 : Debug: dhcp : yes
Wed Mar 8 11:03:22 2023 : Debug: dynamic-clients : yes
Wed Mar 8 11:03:22 2023 : Debug: osfc2 : no
Wed Mar 8 11:03:22 2023 : Debug: proxy : yes
Wed Mar 8 11:03:22 2023 : Debug: regex-pcre : yes
Wed Mar 8 11:03:22 2023 : Debug: regex-posix : no
Wed Mar 8 11:03:22 2023 : Debug: regex-posix-extended : no
Wed Mar 8 11:03:22 2023 : Debug: session-management : yes
Wed Mar 8 11:03:22 2023 : Debug: stats : yes
Wed Mar 8 11:03:22 2023 : Debug: systemd : no
Wed Mar 8 11:03:22 2023 : Debug: tcp : yes
Wed Mar 8 11:03:22 2023 : Debug: threads : yes
Wed Mar 8 11:03:22 2023 : Debug: tls : yes
Wed Mar 8 11:03:22 2023 : Debug: unlang : yes
Wed Mar 8 11:03:22 2023 : Debug: vmps : yes
Wed Mar 8 11:03:22 2023 : Debug: developer : no
Wed Mar 8 11:03:22 2023 : Debug: Server core libs:
Wed Mar 8 11:03:22 2023 : Debug: freeradius-server : 3.0.20
Wed Mar 8 11:03:22 2023 : Debug: talloc : 2.3.*
Wed Mar 8 11:03:22 2023 : Debug: ssl : 1.1.1k release
Wed Mar 8 11:03:22 2023 : Debug: pcre : 8.42 2018-03-20
Wed Mar 8 11:03:22 2023 : Debug: Endianness:
Wed Mar 8 11:03:22 2023 : Debug: little
Wed Mar 8 11:03:22 2023 : Debug: Compilation flags:
Wed Mar 8 11:03:22 2023 : Debug: cppflags :
Wed Mar 8 11:03:22 2023 : Debug: cflags : -I. -Isrc -include src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h -include src/freeradius-devel/features.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
Wed Mar 8 11:03:22 2023 : Debug: ldflags : -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
Wed Mar 8 11:03:22 2023 : Debug: libs : -lcrypto -lssl -ltalloc -lpcre -lresolv -ldl -lpthread -lreadline
Wed Mar 8 11:03:22 2023 : Debug:
Wed Mar 8 11:03:22 2023 : Info: FreeRADIUS Version 3.0.20
Wed Mar 8 11:03:22 2023 : Info: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
Wed Mar 8 11:03:22 2023 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Mar 8 11:03:22 2023 : Info: PARTICULAR PURPOSE
Wed Mar 8 11:03:22 2023 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Mar 8 11:03:22 2023 : Info: GNU General Public License
Wed Mar 8 11:03:22 2023 : Info: For more information about these matters, see the file named COPYRIGHT
Wed Mar 8 11:03:22 2023 : Info: Starting - reading configuration files ...
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /usr/share/freeradius/dictionary
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /usr/share/freeradius/dictionary.dhcp
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /usr/share/freeradius/dictionary.vqp
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /etc/raddb/dictionary
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/radiusd.conf
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/proxy.conf
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/clients.conf
Wed Mar 8 11:03:22 2023 : Debug: including files in directory /etc/raddb/mods-enabled/
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/cache_eap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/chap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/date
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/detail
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/digest
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/dynamic_clients
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/eap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/echo
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/exec
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/expiration
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/expr
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/files
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/logintime
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/mschap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/ntlm_auth
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/pap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/passwd
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/preprocess
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/radutmp
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/replicate
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/soh
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/sradutmp
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/unix
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/unpack
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/utf8
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/ldap
Wed Mar 8 11:03:22 2023 : Debug: including files in directory /etc/raddb/policy.d/
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/accounting
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/canonicalization
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/control
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/cui
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (${policy.cui_require_operator_name} == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (no == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (${policy.cui_require_operator_name} == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (no == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/debug
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/dhcp
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/eap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/filter
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/operator-name
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/rfc7542
Wed Mar 8 11:03:22 2023 : Debug: including files in directory /etc/raddb/sites-enabled/
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/sites-enabled/default
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/sites-enabled/inner-tunnel
Wed Mar 8 11:03:22 2023 : Debug: main {
Wed Mar 8 11:03:22 2023 : Debug: security {
Wed Mar 8 11:03:22 2023 : Debug: user = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: group = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: allow_core_dumps = no
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[526]: The item 'max_attributes' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[544]: The item 'reject_delay' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[564]: The item 'status_server' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: name = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: prefix = "/usr"
Wed Mar 8 11:03:22 2023 : Debug: localstatedir = "/var"
Wed Mar 8 11:03:22 2023 : Debug: logdir = "/var/log/radius"
Wed Mar 8 11:03:22 2023 : Debug: run_dir = "/var/run/radiusd"
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[84]: The item 'exec_prefix' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[97]: The item 'confdir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[103]: The item 'db_dir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[137]: The item 'libdir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[148]: The item 'pidfile' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[169]: The item 'correct_escapes' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[223]: The item 'max_request_time' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[242]: The item 'cleanup_delay' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[279]: The item 'hostname_lookups' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[382]: The item 'checkrad' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[585]: The item 'proxy_requests' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: main {
Wed Mar 8 11:03:22 2023 : Debug: name = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: prefix = "/usr"
Wed Mar 8 11:03:22 2023 : Debug: localstatedir = "/var"
Wed Mar 8 11:03:22 2023 : Debug: sbindir = "/usr/sbin"
Wed Mar 8 11:03:22 2023 : Debug: logdir = "/var/log/radius"
Wed Mar 8 11:03:22 2023 : Debug: run_dir = "/var/run/radiusd"
Wed Mar 8 11:03:22 2023 : Debug: libdir = "/usr/lib64/freeradius"
Wed Mar 8 11:03:22 2023 : Debug: radacctdir = "/var/log/radius/radacct"
Wed Mar 8 11:03:22 2023 : Debug: hostname_lookups = no
Wed Mar 8 11:03:22 2023 : Debug: max_request_time = 30
Wed Mar 8 11:03:22 2023 : Debug: cleanup_delay = 5
Wed Mar 8 11:03:22 2023 : Debug: max_requests = 16384
Wed Mar 8 11:03:22 2023 : Debug: pidfile = "/var/run/radiusd/radiusd.pid"
Wed Mar 8 11:03:22 2023 : Debug: checkrad = "/usr/sbin/checkrad"
Wed Mar 8 11:03:22 2023 : Debug: debug_level = 0
Wed Mar 8 11:03:22 2023 : Debug: proxy_requests = yes
Wed Mar 8 11:03:22 2023 : Debug: log {
Wed Mar 8 11:03:22 2023 : Debug: stripped_names = no
Wed Mar 8 11:03:22 2023 : Debug: auth = no
Wed Mar 8 11:03:22 2023 : Debug: auth_badpass = no
Wed Mar 8 11:03:22 2023 : Debug: auth_goodpass = no
Wed Mar 8 11:03:22 2023 : Debug: colourise = yes
Wed Mar 8 11:03:22 2023 : Debug: msg_denied = "You are already logged in - access denied"
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[297]: The item 'destination' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[314]: The item 'file' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[322]: The item 'syslog_facility' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: resources {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: security {
Wed Mar 8 11:03:22 2023 : Debug: max_attributes = 200
Wed Mar 8 11:03:22 2023 : Debug: reject_delay = 1.000000
Wed Mar 8 11:03:22 2023 : Debug: status_server = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[84]: The item 'exec_prefix' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[97]: The item 'confdir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[103]: The item 'db_dir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[169]: The item 'correct_escapes' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: radiusd: #### Loading Realms and Home Servers ####
Wed Mar 8 11:03:22 2023 : Debug: proxy server {
Wed Mar 8 11:03:22 2023 : Debug: retry_delay = 5
Wed Mar 8 11:03:22 2023 : Debug: retry_count = 3
Wed Mar 8 11:03:22 2023 : Debug: default_fallback = no
Wed Mar 8 11:03:22 2023 : Debug: dead_time = 120
Wed Mar 8 11:03:22 2023 : Debug: wake_all_if_all_dead = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: home_server localhost {
Wed Mar 8 11:03:22 2023 : Debug: ipaddr = 127.0.0.1
Wed Mar 8 11:03:22 2023 : Debug: port = 1812
Wed Mar 8 11:03:22 2023 : Debug: type = "auth"
Wed Mar 8 11:03:22 2023 : Debug: secret = "testing123"
Wed Mar 8 11:03:22 2023 : Debug: response_window = 20.000000
Wed Mar 8 11:03:22 2023 : Debug: response_timeouts = 1
Wed Mar 8 11:03:22 2023 : Debug: max_outstanding = 65536
Wed Mar 8 11:03:22 2023 : Debug: zombie_period = 40
Wed Mar 8 11:03:22 2023 : Debug: status_check = "status-server"
Wed Mar 8 11:03:22 2023 : Debug: ping_interval = 30
Wed Mar 8 11:03:22 2023 : Debug: check_interval = 30
Wed Mar 8 11:03:22 2023 : Debug: check_timeout = 4
Wed Mar 8 11:03:22 2023 : Debug: num_answers_to_alive = 3
Wed Mar 8 11:03:22 2023 : Debug: revive_interval = 120
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: max_requests = 0
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 0
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: coa {
Wed Mar 8 11:03:22 2023 : Debug: irt = 2
Wed Mar 8 11:03:22 2023 : Debug: mrt = 16
Wed Mar 8 11:03:22 2023 : Debug: mrc = 5
Wed Mar 8 11:03:22 2023 : Debug: mrd = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: home_server_pool my_auth_failover {
Wed Mar 8 11:03:22 2023 : Debug: type = fail-over
Wed Mar 8 11:03:22 2023 : Debug: home_server = localhost
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: realm example.com {
Wed Mar 8 11:03:22 2023 : Debug: auth_pool = my_auth_failover
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: realm LOCAL {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: radiusd: #### Loading Clients ####
Wed Mar 8 11:03:22 2023 : Debug: client localhost {
Wed Mar 8 11:03:22 2023 : Debug: ipaddr = 127.0.0.1
Wed Mar 8 11:03:22 2023 : Debug: require_message_authenticator = no
Wed Mar 8 11:03:22 2023 : Debug: secret = "testing123"
Wed Mar 8 11:03:22 2023 : Debug: nas_type = "other"
Wed Mar 8 11:03:22 2023 : Debug: proto = "*"
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Adding client 127.0.0.1/32 (127.0.0.1) to prefix tree 32
Wed Mar 8 11:03:22 2023 : Debug: client localhost_ipv6 {
Wed Mar 8 11:03:22 2023 : Debug: ipv6addr = ::1
Wed Mar 8 11:03:22 2023 : Debug: require_message_authenticator = no
Wed Mar 8 11:03:22 2023 : Debug: secret = "testing123"
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Adding client ::1/128 (::1) to prefix tree 128
Wed Mar 8 11:03:22 2023 : Debug: client radclient {
Wed Mar 8 11:03:22 2023 : Debug: ipaddr = 192.168.222.131
Wed Mar 8 11:03:22 2023 : Debug: require_message_authenticator = no
Wed Mar 8 11:03:22 2023 : Debug: secret = "radsecret"
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Adding client 192.168.222.131/32 (192.168.222.131) to prefix tree 32
Wed Mar 8 11:03:22 2023 : Info: Debugger not attached
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = mschap
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = digest
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = eap
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = PAP
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = CHAP
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = MS-CHAP
Wed Mar 8 11:03:22 2023 : Debug: radiusd: #### Instantiating modules ####
Wed Mar 8 11:03:22 2023 : Debug: modules {
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_always, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_always
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "reject" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always reject {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "reject"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "fail" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always fail {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "fail"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ok" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always ok {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "ok"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "handled" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always handled {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "handled"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "invalid" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always invalid {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "invalid"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "userlock" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always userlock {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "userlock"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "notfound" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always notfound {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "notfound"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "noop" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always noop {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "noop"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "updated" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always updated {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "updated"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_attr_filter, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_attr_filter
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.post-proxy {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{Realm}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.pre-proxy {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{Realm}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.access_reject {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/access_reject"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.access_challenge {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.accounting_response {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_cache, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_cache
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
Wed Mar 8 11:03:22 2023 : Debug: cache cache_eap {
Wed Mar 8 11:03:22 2023 : Debug: driver = "rlm_cache_rbtree"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
Wed Mar 8 11:03:22 2023 : Debug: ttl = 15
Wed Mar 8 11:03:22 2023 : Debug: max_entries = 0
Wed Mar 8 11:03:22 2023 : Debug: epoch = 0
Wed Mar 8 11:03:22 2023 : Debug: add_stats = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_chap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_chap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "chap" from file /etc/raddb/mods-enabled/chap
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_date, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_date
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "date" from file /etc/raddb/mods-enabled/date
Wed Mar 8 11:03:22 2023 : Debug: date {
Wed Mar 8 11:03:22 2023 : Debug: format = "%b %e %Y %H:%M:%S %Z"
Wed Mar 8 11:03:22 2023 : Debug: utc = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
Wed Mar 8 11:03:22 2023 : Debug: date wispr2date {
Wed Mar 8 11:03:22 2023 : Debug: format = "%Y-%m-%dT%H:%M:%S"
Wed Mar 8 11:03:22 2023 : Debug: utc = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_detail, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_detail
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "detail" from file /etc/raddb/mods-enabled/detail
Wed Mar 8 11:03:22 2023 : Debug: detail {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail auth_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail reply_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail pre_proxy_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail post_proxy_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_digest, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_digest
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "digest" from file /etc/raddb/mods-enabled/digest
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_dynamic_clients, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_dynamic_clients
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_eap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_eap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "eap" from file /etc/raddb/mods-enabled/eap
Wed Mar 8 11:03:22 2023 : Debug: eap {
Wed Mar 8 11:03:22 2023 : Debug: default_eap_type = "md5"
Wed Mar 8 11:03:22 2023 : Debug: timer_expire = 60
Wed Mar 8 11:03:22 2023 : Debug: ignore_unknown_eap_types = no
Wed Mar 8 11:03:22 2023 : Debug: cisco_accounting_username_bug = no
Wed Mar 8 11:03:22 2023 : Debug: max_sessions = 16384
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_exec, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_exec
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "echo" from file /etc/raddb/mods-enabled/echo
Wed Mar 8 11:03:22 2023 : Debug: exec echo {
Wed Mar 8 11:03:22 2023 : Debug: wait = yes
Wed Mar 8 11:03:22 2023 : Debug: program = "/bin/echo %{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: input_pairs = "request"
Wed Mar 8 11:03:22 2023 : Debug: output_pairs = "reply"
Wed Mar 8 11:03:22 2023 : Debug: shell_escape = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "exec" from file /etc/raddb/mods-enabled/exec
Wed Mar 8 11:03:22 2023 : Debug: exec {
Wed Mar 8 11:03:22 2023 : Debug: wait = no
Wed Mar 8 11:03:22 2023 : Debug: input_pairs = "request"
Wed Mar 8 11:03:22 2023 : Debug: shell_escape = yes
Wed Mar 8 11:03:22 2023 : Debug: timeout = 10
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_expiration, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_expiration
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_expr, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_expr
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "expr" from file /etc/raddb/mods-enabled/expr
Wed Mar 8 11:03:22 2023 : Debug: expr {
Wed Mar 8 11:03:22 2023 : Debug: safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_files, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_files
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "files" from file /etc/raddb/mods-enabled/files
Wed Mar 8 11:03:22 2023 : Debug: files {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/files/authorize"
Wed Mar 8 11:03:22 2023 : Debug: acctusersfile = "/etc/raddb/mods-config/files/accounting"
Wed Mar 8 11:03:22 2023 : Debug: preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_linelog, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_linelog
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: linelog {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/linelog"
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: syslog_severity = "info"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: format = "This is a log message for %{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: reference = "messages.%{%{reply:Packet-Type}:-default}"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: linelog log_accounting {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/linelog-accounting"
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: syslog_severity = "info"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: format = ""
Wed Mar 8 11:03:22 2023 : Debug: reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_logintime, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_logintime
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
Wed Mar 8 11:03:22 2023 : Debug: logintime {
Wed Mar 8 11:03:22 2023 : Debug: minimum_timeout = 60
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_mschap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_mschap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
Wed Mar 8 11:03:22 2023 : Debug: mschap {
Wed Mar 8 11:03:22 2023 : Debug: use_mppe = yes
Wed Mar 8 11:03:22 2023 : Debug: require_encryption = no
Wed Mar 8 11:03:22 2023 : Debug: require_strong = no
Wed Mar 8 11:03:22 2023 : Debug: with_ntdomain_hack = yes
Wed Mar 8 11:03:22 2023 : Debug: passchange {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: allow_retry = yes
Wed Mar 8 11:03:22 2023 : Debug: winbind_retry_with_normalised_username = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
Wed Mar 8 11:03:22 2023 : Debug: exec ntlm_auth {
Wed Mar 8 11:03:22 2023 : Debug: wait = yes
Wed Mar 8 11:03:22 2023 : Debug: program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
Wed Mar 8 11:03:22 2023 : Debug: shell_escape = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_pap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_pap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "pap" from file /etc/raddb/mods-enabled/pap
Wed Mar 8 11:03:22 2023 : Debug: pap {
Wed Mar 8 11:03:22 2023 : Debug: normalise = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_passwd, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_passwd
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
Wed Mar 8 11:03:22 2023 : Debug: passwd etc_passwd {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/passwd"
Wed Mar 8 11:03:22 2023 : Debug: format = "*User-Name:Crypt-Password:"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = ":"
Wed Mar 8 11:03:22 2023 : Debug: ignore_nislike = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_empty = yes
Wed Mar 8 11:03:22 2023 : Debug: allow_multiple_keys = no
Wed Mar 8 11:03:22 2023 : Debug: hash_size = 100
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_preprocess, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_preprocess
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
Wed Mar 8 11:03:22 2023 : Debug: preprocess {
Wed Mar 8 11:03:22 2023 : Debug: huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
Wed Mar 8 11:03:22 2023 : Debug: hints = "/etc/raddb/mods-config/preprocess/hints"
Wed Mar 8 11:03:22 2023 : Debug: with_ascend_hack = no
Wed Mar 8 11:03:22 2023 : Debug: ascend_channels_per_line = 23
Wed Mar 8 11:03:22 2023 : Debug: with_ntdomain_hack = no
Wed Mar 8 11:03:22 2023 : Debug: with_specialix_jetstream_hack = no
Wed Mar 8 11:03:22 2023 : Debug: with_cisco_vsa_hack = no
Wed Mar 8 11:03:22 2023 : Debug: with_alvarion_vsa_hack = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_radutmp, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_radutmp
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
Wed Mar 8 11:03:22 2023 : Debug: radutmp {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radutmp"
Wed Mar 8 11:03:22 2023 : Debug: username = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: case_sensitive = yes
Wed Mar 8 11:03:22 2023 : Debug: check_with_nas = yes
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: caller_id = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_realm, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_realm
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm IPASS {
Wed Mar 8 11:03:22 2023 : Debug: format = "prefix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "/"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm suffix {
Wed Mar 8 11:03:22 2023 : Debug: format = "suffix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "@"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm bangpath {
Wed Mar 8 11:03:22 2023 : Debug: format = "prefix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "!"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm realmpercent {
Wed Mar 8 11:03:22 2023 : Debug: format = "suffix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "%"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm ntdomain {
Wed Mar 8 11:03:22 2023 : Debug: format = "prefix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "\\"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_replicate, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_replicate
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_soh, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_soh
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "soh" from file /etc/raddb/mods-enabled/soh
Wed Mar 8 11:03:22 2023 : Debug: soh {
Wed Mar 8 11:03:22 2023 : Debug: dhcp = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
Wed Mar 8 11:03:22 2023 : Debug: radutmp sradutmp {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/sradutmp"
Wed Mar 8 11:03:22 2023 : Debug: username = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: case_sensitive = yes
Wed Mar 8 11:03:22 2023 : Debug: check_with_nas = yes
Wed Mar 8 11:03:22 2023 : Debug: permissions = 420
Wed Mar 8 11:03:22 2023 : Debug: caller_id = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_unix, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_unix
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "unix" from file /etc/raddb/mods-enabled/unix
Wed Mar 8 11:03:22 2023 : Debug: unix {
Wed Mar 8 11:03:22 2023 : Debug: radwtmp = "/var/log/radius/radwtmp"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Creating attribute Unix-Group
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_unpack, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_unpack
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_utf8, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_utf8
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_ldap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_ldap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
Wed Mar 8 11:03:22 2023 : Debug: ldap {
Wed Mar 8 11:03:22 2023 : Debug: server = "ldapsrv1.lab.fr"
Wed Mar 8 11:03:22 2023 : Debug: identity = "cn=manager,o=lab"
Wed Mar 8 11:03:22 2023 : Debug: password = "manager"
Wed Mar 8 11:03:22 2023 : Debug: sasl {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: user_dn = "LDAP-UserDn"
Wed Mar 8 11:03:22 2023 : Debug: user {
Wed Mar 8 11:03:22 2023 : Debug: scope = "sub"
Wed Mar 8 11:03:22 2023 : Debug: access_positive = yes
Wed Mar 8 11:03:22 2023 : Debug: sasl {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: group {
Wed Mar 8 11:03:22 2023 : Debug: filter = "(objectClass=posixGroup)"
Wed Mar 8 11:03:22 2023 : Debug: scope = "sub"
Wed Mar 8 11:03:22 2023 : Debug: name_attribute = "cn"
Wed Mar 8 11:03:22 2023 : Debug: membership_attribute = "memberOf"
Wed Mar 8 11:03:22 2023 : Debug: cacheable_name = no
Wed Mar 8 11:03:22 2023 : Debug: cacheable_dn = no
Wed Mar 8 11:03:22 2023 : Debug: allow_dangling_group_ref = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: client {
Wed Mar 8 11:03:22 2023 : Debug: filter = "(objectClass=radiusClient)"
Wed Mar 8 11:03:22 2023 : Debug: scope = "sub"
Wed Mar 8 11:03:22 2023 : Debug: base_dn = "o=lab"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: profile {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: options {
Wed Mar 8 11:03:22 2023 : Debug: ldap_debug = 40
Wed Mar 8 11:03:22 2023 : Debug: chase_referrals = yes
Wed Mar 8 11:03:22 2023 : Debug: rebind = yes
Wed Mar 8 11:03:22 2023 : Debug: net_timeout = 1
Wed Mar 8 11:03:22 2023 : Debug: res_timeout = 10
Wed Mar 8 11:03:22 2023 : Debug: srv_timelimit = 3
Wed Mar 8 11:03:22 2023 : Debug: idle = 60
Wed Mar 8 11:03:22 2023 : Debug: probes = 3
Wed Mar 8 11:03:22 2023 : Debug: interval = 3
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls {
Wed Mar 8 11:03:22 2023 : Debug: ca_path = "/etc/ssl/certs"
Wed Mar 8 11:03:22 2023 : Debug: certificate_file = "/etc/raddb/certs/radsrv1.crt"
Wed Mar 8 11:03:22 2023 : Debug: private_key_file = "/etc/raddb/certs/radsrv1.key"
Wed Mar 8 11:03:22 2023 : Debug: start_tls = yes
Wed Mar 8 11:03:22 2023 : Debug: require_cert = "demand"
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/mods-enabled/ldap[564]: The item 'check_crl' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Creating attribute LDAP-Group
Wed Mar 8 11:03:22 2023 : Debug: instantiate {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
Wed Mar 8 11:03:22 2023 : Debug: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_md5
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_leap
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_gtc
Wed Mar 8 11:03:22 2023 : Debug: gtc {
Wed Mar 8 11:03:22 2023 : Debug: challenge = "Password: "
Wed Mar 8 11:03:22 2023 : Debug: auth_type = "PAP"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_tls
Wed Mar 8 11:03:22 2023 : Debug: tls {
Wed Mar 8 11:03:22 2023 : Debug: tls = "tls-common"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls-config tls-common {
Wed Mar 8 11:03:22 2023 : Debug: verify_depth = 0
Wed Mar 8 11:03:22 2023 : Debug: ca_path = "/etc/raddb/certs"
Wed Mar 8 11:03:22 2023 : Debug: pem_file_type = yes
Wed Mar 8 11:03:22 2023 : Debug: private_key_file = "/etc/raddb/certs/server.pem"
Wed Mar 8 11:03:22 2023 : Debug: certificate_file = "/etc/raddb/certs/server.pem"
Wed Mar 8 11:03:22 2023 : Debug: ca_file = "/etc/raddb/certs/ca.pem"
Wed Mar 8 11:03:22 2023 : Debug: private_key_password = "whatever"
Wed Mar 8 11:03:22 2023 : Debug: dh_file = "/etc/raddb/certs/dh"
Wed Mar 8 11:03:22 2023 : Debug: fragment_size = 1024
Wed Mar 8 11:03:22 2023 : Debug: include_length = yes
Wed Mar 8 11:03:22 2023 : Debug: auto_chain = yes
Wed Mar 8 11:03:22 2023 : Debug: check_crl = no
Wed Mar 8 11:03:22 2023 : Debug: check_all_crl = no
Wed Mar 8 11:03:22 2023 : Debug: cipher_list = "PROFILE=SYSTEM"
Wed Mar 8 11:03:22 2023 : Debug: cipher_server_preference = no
Wed Mar 8 11:03:22 2023 : Debug: ecdh_curve = "prime256v1"
Wed Mar 8 11:03:22 2023 : Debug: disable_tlsv1 = yes
Wed Mar 8 11:03:22 2023 : Debug: disable_tlsv1_1 = yes
Wed Mar 8 11:03:22 2023 : Debug: tls_max_version = "1.2"
Wed Mar 8 11:03:22 2023 : Debug: tls_min_version = "1.2"
Wed Mar 8 11:03:22 2023 : Debug: cache {
Wed Mar 8 11:03:22 2023 : Debug: enable = no
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 24
Wed Mar 8 11:03:22 2023 : Debug: max_entries = 255
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: verify {
Wed Mar 8 11:03:22 2023 : Debug: skip_if_ocsp_ok = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: ocsp {
Wed Mar 8 11:03:22 2023 : Debug: enable = no
Wed Mar 8 11:03:22 2023 : Debug: override_cert_url = yes
Wed Mar 8 11:03:22 2023 : Debug: url = "http://127.0.0.1/ocsp/"
Wed Mar 8 11:03:22 2023 : Debug: use_nonce = yes
Wed Mar 8 11:03:22 2023 : Debug: timeout = 0
Wed Mar 8 11:03:22 2023 : Debug: softfail = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Warning: Please use tls_min_version and tls_max_version instead of disable_tlsv1
Wed Mar 8 11:03:22 2023 : Warning: Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_ttls
Wed Mar 8 11:03:22 2023 : Debug: ttls {
Wed Mar 8 11:03:22 2023 : Debug: tls = "tls-common"
Wed Mar 8 11:03:22 2023 : Debug: default_eap_type = "md5"
Wed Mar 8 11:03:22 2023 : Debug: copy_request_to_tunnel = no
Wed Mar 8 11:03:22 2023 : Debug: use_tunneled_reply = no
Wed Mar 8 11:03:22 2023 : Debug: virtual_server = "inner-tunnel"
Wed Mar 8 11:03:22 2023 : Debug: include_length = yes
Wed Mar 8 11:03:22 2023 : Debug: require_client_cert = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls: Using cached TLS configuration from previous invocation
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_peap
Wed Mar 8 11:03:22 2023 : Debug: peap {
Wed Mar 8 11:03:22 2023 : Debug: tls = "tls-common"
Wed Mar 8 11:03:22 2023 : Debug: default_eap_type = "mschapv2"
Wed Mar 8 11:03:22 2023 : Debug: copy_request_to_tunnel = no
Wed Mar 8 11:03:22 2023 : Debug: use_tunneled_reply = no
Wed Mar 8 11:03:22 2023 : Debug: proxy_tunneled_request_as_eap = yes
Wed Mar 8 11:03:22 2023 : Debug: virtual_server = "inner-tunnel"
Wed Mar 8 11:03:22 2023 : Debug: soh = no
Wed Mar 8 11:03:22 2023 : Debug: require_client_cert = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls: Using cached TLS configuration from previous invocation
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_mschapv2
Wed Mar 8 11:03:22 2023 : Debug: mschapv2 {
Wed Mar 8 11:03:22 2023 : Debug: with_ntdomain_hack = no
Wed Mar 8 11:03:22 2023 : Debug: send_error = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "files" from file /etc/raddb/mods-enabled/files
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/files/authorize
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/files/accounting
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/files/pre-proxy
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
Wed Mar 8 11:03:22 2023 : Debug: rlm_mschap (mschap): using internal authentication
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
Wed Mar 8 11:03:22 2023 : Debug: rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/preprocess/hints
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20446
Wed Mar 8 11:03:42 2023 : Debug: accounting {
Wed Mar 8 11:03:42 2023 : Debug: reference = "%{tolower:type.%{Acct-Status-Type}}"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: post-auth {
Wed Mar 8 11:03:42 2023 : Debug: reference = "."
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Initialising connection pool
Wed Mar 8 11:03:42 2023 : Debug: pool {
Wed Mar 8 11:03:42 2023 : Debug: start = 5
Wed Mar 8 11:03:42 2023 : Debug: min = 3
Wed Mar 8 11:03:42 2023 : Debug: max = 32
Wed Mar 8 11:03:42 2023 : Debug: spare = 10
Wed Mar 8 11:03:42 2023 : Debug: uses = 0
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: cleanup_interval = 30
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 60
Wed Mar 8 11:03:42 2023 : Debug: retry_delay = 30
Wed Mar 8 11:03:42 2023 : Debug: spread = no
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f13631fd30
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f136364840
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f13644b720
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f136531400
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f1366178a0
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Debug: } # modules
Wed Mar 8 11:03:42 2023 : Debug: radiusd: #### Loading Virtual Servers ####
Wed Mar 8 11:03:42 2023 : Debug: server { # from file /etc/raddb/radiusd.conf
Wed Mar 8 11:03:42 2023 : Debug: } # server
Wed Mar 8 11:03:42 2023 : Debug: server default { # from file /etc/raddb/sites-enabled/default
Wed Mar 8 11:03:42 2023 : Debug: # Loading authenticate {...}
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: digest
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading authorize {...}
Wed Mar 8 11:03:42 2023 : Debug: policy filter_username {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name) {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ / /) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@[^@]*@/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Multiple @ in User-Name'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@/ && !&User-Name =~ /(a)(.+)\.(.+)$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm ends with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /(a)\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm begins with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: preprocess
Wed Mar 8 11:03:42 2023 : Debug: chap
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: digest
Wed Mar 8 11:03:42 2023 : Debug: suffix
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: files
Wed Mar 8 11:03:42 2023 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Wed Mar 8 11:03:42 2023 : Debug: ldap
Wed Mar 8 11:03:42 2023 : Debug: expiration
Wed Mar 8 11:03:42 2023 : Debug: logintime
Wed Mar 8 11:03:42 2023 : Debug: pap
Wed Mar 8 11:03:42 2023 : Debug: # Loading preacct {...}
Wed Mar 8 11:03:42 2023 : Debug: preprocess
Wed Mar 8 11:03:42 2023 : Debug: policy acct_unique {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Tmp-String-9 := "ai:"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if ("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/ && "%{string:&Class}" =~ /^ai:([0-9a-f]{32})/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: else {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: suffix
Wed Mar 8 11:03:42 2023 : Debug: files
Wed Mar 8 11:03:42 2023 : Debug: # Loading accounting {...}
Wed Mar 8 11:03:42 2023 : Debug: detail
Wed Mar 8 11:03:42 2023 : Debug: unix
Wed Mar 8 11:03:42 2023 : Debug: exec
Wed Mar 8 11:03:42 2023 : Debug: attr_filter.accounting_response
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-proxy {...}
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-auth {...}
Wed Mar 8 11:03:42 2023 : Debug: if (&session-state:User-Name && &reply:User-Name && &User-Name && &reply:User-Name == &User-Name) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &reply:User-Name !* ANY
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &reply:[*] += &session-state:[*]
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: exec
Wed Mar 8 11:03:42 2023 : Debug: policy remove_reply_message_if_eap {
Wed Mar 8 11:03:42 2023 : Debug: if (&reply:EAP-Message && &reply:Reply-Message) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &reply:Reply-Message !* ANY
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: else {
Wed Mar 8 11:03:42 2023 : Debug: noop
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: } # server default
Wed Mar 8 11:03:42 2023 : Debug: server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
Wed Mar 8 11:03:42 2023 : Debug: # Loading authenticate {...}
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading authorize {...}
Wed Mar 8 11:03:42 2023 : Debug: policy filter_username {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name) {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ / /) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@[^@]*@/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Multiple @ in User-Name'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@/ && !&User-Name =~ /(a)(.+)\.(.+)$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm ends with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /(a)\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm begins with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: chap
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: suffix
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &control:Proxy-To-Realm := LOCAL
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: files
Wed Mar 8 11:03:42 2023 : Debug: ldap
Wed Mar 8 11:03:42 2023 : Debug: expiration
Wed Mar 8 11:03:42 2023 : Debug: logintime
Wed Mar 8 11:03:42 2023 : Debug: pap
Wed Mar 8 11:03:42 2023 : Debug: # Loading session {...}
Wed Mar 8 11:03:42 2023 : Debug: radutmp
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-proxy {...}
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-auth {...}
Wed Mar 8 11:03:42 2023 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336
Wed Mar 8 11:03:42 2023 : Debug: if (false) {
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: } # server inner-tunnel
Wed Mar 8 11:03:42 2023 : Debug: radiusd: #### Opening IP addresses and Ports ####
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "auth"
Wed Mar 8 11:03:42 2023 : Debug: ipaddr = *
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "acct"
Wed Mar 8 11:03:42 2023 : Debug: ipaddr = *
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "auth"
Wed Mar 8 11:03:42 2023 : Debug: ipv6addr = ::
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "acct"
Wed Mar 8 11:03:42 2023 : Debug: ipv6addr = ::
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "auth"
Wed Mar 8 11:03:42 2023 : Debug: ipaddr = 127.0.0.1
Wed Mar 8 11:03:42 2023 : Debug: port = 18120
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: Listening on auth address * port 1812 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on acct address * port 1813 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on auth address :: port 1812 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on acct address :: port 1813 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Wed Mar 8 11:03:42 2023 : Debug: Opened new proxy socket 'proxy address * port 33378'
Wed Mar 8 11:03:42 2023 : Debug: Listening on proxy address * port 33378
Wed Mar 8 11:03:42 2023 : Debug: Opened new proxy socket 'proxy address :: port 33848'
Wed Mar 8 11:03:42 2023 : Debug: Listening on proxy address :: port 33848
Wed Mar 8 11:03:42 2023 : Info: Ready to process requests
I know checking the revocation status of EAP client's certificate is well supported (in mods-available/eap) but I was wondering whether checking the revocation status of "backend" servers' certificates was as well and if so what I did wrong.
Have a good day,
Benjamin
2
2
Re: Freeradius-Users Digest, Vol 214, Issue 31 Re: pam_radius with only otp (Jorge Pereira)
by Joe Jones 05 Mar '23
by Joe Jones 05 Mar '23
05 Mar '23
On Tue, Feb 28, 2023, 3:45 AM <freeradius-users-request(a)lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: pam_radius with only otp (Jorge Pereira)
> 2. Re: How to check the Extended Key Usage in freeradius?
> (Alan DeKok)
> 3. EAP-TLS default config (clement.legoffic(a)kelio.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 27 Feb 2023 14:36:08 -0300
> From: Jorge Pereira <jpereira(a)freeradius.org>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: pam_radius with only otp
> Message-ID: <216B4E15-D452-448B-B9A5-163889996A25(a)freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
> The pam_radius just forward to the FreeRADIUS. In that case, you should do
> that trick there.
>
Thank you for the reply. I do not understand what is mean, can you please
elaborate?
I am using a 3rd party radius server. O ce again, the password + otp works
fine but username + otp does not.
Thanks
>
> > On 23 Feb 2023, at 19:31, Joe Jones <09cicada(a)gmail.com> wrote:
> >
> > Hi all,
> >
> > Is it possible to use the pam_radius .so module with only a otp? It works
> > fine with a password+otp but I cannot get it working with only otp.
> >
> > Thanks
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Jorge Pereira
> jpereira(a)networkradius.com
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 27 Feb 2023 13:34:02 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: How to check the Extended Key Usage in freeradius?
> Message-ID: <9ED0EA34-872E-4445-88E0-BC3A4AE4F241(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer(a)cpa.de> wrote:
> > It seems that this doesn't work for me.
>
> Read the debug log. If there's an extended key usage OID, it will show
> up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
>
> If there's no extended key usage OID, them it won't show up.
>
> > In the session-state is only TLS-Session-Information,
> TLS-Session-Cipher-Suite, TLS-Session-Version.
> > But it seems I can work directly with TLS-Client-Cert-Issuer and
> TLS-Client-Cert-Subject-Alt-Name-Dns, but not with
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
>
> Does it exist?
>
> Does it show up in the debug log?
>
> The debug log shows every TLS related attribute it creates.
>
> > Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
> > - in the session-state
>
> Does it exist?
>
> > (see below ' (11) policy debug_session_state {')
> > Or
> > - like TLS-Client-Cert-Issuer to use it directly
>
> Does TLS-Client-Cert-Issuer exist?
>
> > ...
> > freeradius | (10) eap_tls: (TLS) Creating attributes from server
> certificate
> > freeradius | (10) eap_tls: TLS-Cert-Serial :=
> "1400000002219c173715ec84d9000000000002"
> > freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z"
> > freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z"
> > freeradius | (10) eap_tls: TLS-Cert-Subject :=
> "/DC=org/DC=example/CN=XY Sub CA"
> > freeradius | (10) eap_tls: TLS-Cert-Issuer :=
> "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
> > freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA"
> > freeradius | (10) eap_tls: (TLS) Creating attributes from client
> certificate
> > freeradius | (10) eap_tls: TLS-Client-Cert-Serial :=
> "16000028666eef874492e150cd000000002866"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Expiration :=
> "240209105026Z"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since :=
> "230209105026Z"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Issuer :=
> "/DC=org/DC=example/CN=XY Sub CA"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "
> host1.XY.example.org"
> > freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage
> += "TLS Web Client Authentication,
> 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
> "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
> "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
> "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
>
> OK, that's good. For the initial creation, those attributes are in the
> request. For subsequent packets, they should be in the session-state list.
>
> > ...
> > freeradius | (11) Restoring &session-state
> > freeradius | (11) &session-state:Framed-MTU = 1014
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.3 Handshake, ClientHello"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerHello"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, Certificate"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerKeyExchange"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, CertificateRequest"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerHelloDone"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, Certificate"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, ClientKeyExchange"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, CertificateVerify"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, Finished"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 ChangeCipherSpec"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, Finished"
> > freeradius | (11) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> > freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
>
> Hmm... you can always copy the attributes to the session-state list,
> where they will automatically be stored and restored.
>
> I'll have to check what's going on behind the scenes. It's been a while
> since I used v3 like this.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 28 Feb 2023 10:44:38 +0000
> From: "clement.legoffic(a)kelio.com" <clement.legoffic(a)kelio.com>
> To: "freeradius-users(a)lists.freeradius.org"
> <freeradius-users(a)lists.freeradius.org>
> Subject: EAP-TLS default config
> Message-ID: <0c68af239c1c4ccea93f58f34928defd(a)kelio.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I started to learn network authentication and I want to setup a litle poc
> with Freeradius and EAP-TLS.
> I have previously tested my working configuration with the bob user as in
> the freeradius docker example.
>
> I use freeradius docker image
> https://hub.docker.com/r/freeradius/freeradius-server/ in a container.
> The configs files have been extracted to be configured in my host system
> and mounted at container's start.
>
> I have follow this tutorial for the radiusd.conf file :
> https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-S…
>
> As I use the container's default keys, the user file is just a line :
>
> user(a)example.org Auth-Type := EAP, EAP-Type := EAP-TLS
>
> On my android phone, I connect to a dlink wifi access point (DWL-2100AP)
> configured for 802.1X.
> The ca.pem has been installed on my phone in order to use it for EAP-TLS
> when I select it.
> The username I use on the phone side is "user(a)example.org", the domain is
> "example.org".
>
> When I click on connect on my phone, I get an access reject as shown in
> the debug output below.
> I wanted to know if I am doing wrong somewhere and possibly where ?
>
> (Freeradius Version 3.2.0)
>
> (0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812
> length 212
> (0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb
> (0) Service-Type = Framed-User
> (0) User-Name = "user(a)example.org"
> (0) Framed-MTU = 1488
> (0) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (0) Calling-Station-Id = "22-85-59-7C-27-7A"
> (0) NAS-Identifier = "D-Link Access Point"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Connect-Info = "CONNECT 54Mbps 802.11g"
> (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (0) NAS-IP-Address = 10.17.30.60
> (0) NAS-Port = 1
> (0) NAS-Port-Id = "STA port # 1"
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (0) suffix: No such realm "example.org"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_tls to process data
> (0) eap_tls: (TLS) Initiating new session
> (0) eap_tls: (TLS) Setting verify mode to require certificate from client
> (0) eap: Sending EAP Request (code 1) ID 1 length 6
> (0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 994
> (0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061
> length 64
> (0) EAP-Message = 0x010100060d20
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xbced3a8cbcec37005a032dcfba50bf3a
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812
> length 215
> (1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5
> (1) Service-Type = Framed-User
> (1) User-Name = "user(a)example.org"
> (1) Framed-MTU = 1488
> (1) State = 0xbced3a8cbcec37005a032dcfba50bf3a
> (1) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (1) Calling-Station-Id = "22-85-59-7C-27-7A"
> (1) NAS-Identifier = "D-Link Access Point"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Connect-Info = "CONNECT 54Mbps 802.11g"
> (1) EAP-Message = 0x020100060300
> (1) NAS-IP-Address = 10.17.30.60
> (1) NAS-Port = 1
> (1) NAS-Port-Id = "STA port # 1"
> (1) Restoring &session-state
> (1) &session-state:Framed-MTU = 994
> (1) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (1) suffix: No such realm "example.org"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry user(a)example.org at line 2
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xbced3a8cbcec3700
> (1) eap: Finished EAP session with state 0xbced3a8cbcec3700
> (1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Peer NAK'd indicating it is not willing to continue
> (1) eap: Sending EAP Failure (code 4) ID 1 length 4
> (1) eap: Failed in EAP select
> (1) [eap] = invalid
> (1) } # authenticate = invalid
> (1) Failed to authenticate the user
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> user(a)example.org
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061
> length 44
> (1) EAP-Message = 0x04010004
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812
> length 212
> (2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04
> (2) Service-Type = Framed-User
> (2) User-Name = "user(a)example.org"
> (2) Framed-MTU = 1488
> (2) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (2) Calling-Station-Id = "22-85-59-7C-27-7A"
> (2) NAS-Identifier = "D-Link Access Point"
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = "CONNECT 54Mbps 802.11g"
> (2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (2) NAS-IP-Address = 10.17.30.60
> (2) NAS-Port = 1
> (2) NAS-Port-Id = "STA port # 1"
> (2) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (2) suffix: No such realm "example.org"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) authenticate {
> (2) eap: Peer sent packet with method EAP Identity (1)
> (2) eap: Calling submodule eap_tls to process data
> (2) eap_tls: (TLS) Initiating new session
> (2) eap_tls: (TLS) Setting verify mode to require certificate from client
> (2) eap: Sending EAP Request (code 1) ID 1 length 6
> (2) eap: EAP session adding &reply:State = 0x61a7200961a62df0
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) session-state: Saving cached attributes
> (2) Framed-MTU = 994
> (2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063
> length 64
> (2) EAP-Message = 0x010100060d20
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x61a7200961a62df0743c98b3a07aed8f
> (2) Finished request
> Waking up in 1.9 seconds.
> (3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812
> length 215
> (3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94
> (3) Service-Type = Framed-User
> (3) User-Name = "user(a)example.org"
> (3) Framed-MTU = 1488
> (3) State = 0x61a7200961a62df0743c98b3a07aed8f
> (3) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (3) Calling-Station-Id = "22-85-59-7C-27-7A"
> (3) NAS-Identifier = "D-Link Access Point"
> (3) NAS-Port-Type = Wireless-802.11
> (3) Connect-Info = "CONNECT 54Mbps 802.11g"
> (3) EAP-Message = 0x020100060300
> (3) NAS-IP-Address = 10.17.30.60
> (3) NAS-Port = 1
> (3) NAS-Port-Id = "STA port # 1"
> (3) Restoring &session-state
> (3) &session-state:Framed-MTU = 994
> (3) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (3) suffix: No such realm "example.org"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (3) eap: No EAP Start, assuming it's an on-going EAP conversation
> (3) [eap] = updated
> (3) files: users: Matched entry user(a)example.org at line 2
> (3) [files] = ok
> (3) [expiration] = noop
> (3) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (3) [pap] = noop
> (3) } # authorize = updated
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x61a7200961a62df0
> (3) eap: Finished EAP session with state 0x61a7200961a62df0
> (3) eap: Previous EAP request found for state 0x61a7200961a62df0, released
> from the list
> (3) eap: Peer sent packet with method EAP NAK (3)
> (3) eap: Peer NAK'd indicating it is not willing to continue
> (3) eap: Sending EAP Failure (code 4) ID 1 length 4
> (3) eap: Failed in EAP select
> (3) [eap] = invalid
> (3) } # authenticate = invalid
> (3) Failed to authenticate the user
> (3) Using Post-Auth-Type Reject
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) Post-Auth-Type REJECT {
> (3) attr_filter.access_reject: EXPAND %{User-Name}
> (3) attr_filter.access_reject: --> user(a)example.org
> (3) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (3) [attr_filter.access_reject] = updated
> (3) [eap] = noop
> (3) policy remove_reply_message_if_eap {
> (3) if (&reply:EAP-Message && &reply:Reply-Message) {
> (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (3) else {
> (3) [noop] = noop
> (3) } # else = noop
> (3) } # policy remove_reply_message_if_eap = noop
> (3) } # Post-Auth-Type REJECT = updated
> (3) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (3) Sending delayed response
> (3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063
> length 44
> (3) EAP-Message = 0x04010004
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.8 seconds.
> (0) Cleaning up request packet ID 0 with timestamp +74 due to
> cleanup_delay was reached
> (1) Cleaning up request packet ID 1 with timestamp +74 due to
> cleanup_delay was reached
> Waking up in 3.0 seconds.
> (4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812
> length 212
> (4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100
> (4) Service-Type = Framed-User
> (4) User-Name = "user(a)example.org"
> (4) Framed-MTU = 1488
> (4) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (4) Calling-Station-Id = "22-85-59-7C-27-7A"
> (4) NAS-Identifier = "D-Link Access Point"
> (4) NAS-Port-Type = Wireless-802.11
> (4) Connect-Info = "CONNECT 54Mbps 802.11g"
> (4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (4) NAS-IP-Address = 10.17.30.60
> (4) NAS-Port = 1
> (4) NAS-Port-Id = "STA port # 1"
> (4) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (4) suffix: No such realm "example.org"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) authenticate {
> (4) eap: Peer sent packet with method EAP Identity (1)
> (4) eap: Calling submodule eap_tls to process data
> (4) eap_tls: (TLS) Initiating new session
> (4) eap_tls: (TLS) Setting verify mode to require certificate from client
> (4) eap: Sending EAP Request (code 1) ID 1 length 6
> (4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) session-state: Saving cached attributes
> (4) Framed-MTU = 994
> (4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065
> length 64
> (4) EAP-Message = 0x010100060d20
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x10b8d47310b9d97a65ed29a95486330e
> (4) Finished request
> Waking up in 1.8 seconds.
> (5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812
> length 215
> (5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61
> (5) Service-Type = Framed-User
> (5) User-Name = "user(a)example.org"
> (5) Framed-MTU = 1488
> (5) State = 0x10b8d47310b9d97a65ed29a95486330e
> (5) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (5) Calling-Station-Id = "22-85-59-7C-27-7A"
> (5) NAS-Identifier = "D-Link Access Point"
> (5) NAS-Port-Type = Wireless-802.11
> (5) Connect-Info = "CONNECT 54Mbps 802.11g"
> (5) EAP-Message = 0x020100060300
> (5) NAS-IP-Address = 10.17.30.60
> (5) NAS-Port = 1
> (5) NAS-Port-Id = "STA port # 1"
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 994
> (5) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (5) suffix: No such realm "example.org"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (5) eap: No EAP Start, assuming it's an on-going EAP conversation
> (5) [eap] = updated
> (5) files: users: Matched entry user(a)example.org at line 2
> (5) [files] = ok
> (5) [expiration] = noop
> (5) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (5) [pap] = noop
> (5) } # authorize = updated
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x10b8d47310b9d97a
> (5) eap: Finished EAP session with state 0x10b8d47310b9d97a
> (5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released
> from the list
> (5) eap: Peer sent packet with method EAP NAK (3)
> (5) eap: Peer NAK'd indicating it is not willing to continue
> (5) eap: Sending EAP Failure (code 4) ID 1 length 4
> (5) eap: Failed in EAP select
> (5) [eap] = invalid
> (5) } # authenticate = invalid
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject: --> user(a)example.org
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5) [attr_filter.access_reject] = updated
> (5) [eap] = noop
> (5) policy remove_reply_message_if_eap {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (5) else {
> (5) [noop] = noop
> (5) } # else = noop
> (5) } # policy remove_reply_message_if_eap = noop
> (5) } # Post-Auth-Type REJECT = updated
> (5) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (5) Sending delayed response
> (5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065
> length 44
> (5) EAP-Message = 0x04010004
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.8 seconds.
> (2) Cleaning up request packet ID 0 with timestamp +77 due to
> cleanup_delay was reached
> (3) Cleaning up request packet ID 1 with timestamp +77 due to
> cleanup_delay was reached
> Waking up in 3.1 seconds.
> (4) Cleaning up request packet ID 0 with timestamp +80 due to
> cleanup_delay was reached
> (5) Cleaning up request packet ID 1 with timestamp +80 due to
> cleanup_delay was reached
> Ready to process requests
>
> Thanks,
>
> Cl?ment
>
>
>
>
>
>
> Ce message et toutes les pieces jointes (ci-apres le "message") sont
> etablis a l'intention exclusive de ses destinataires.
> Si vous recevez ce message par erreur, merci de le detruire et d'en
> avertir immediatement l'expediteur par e-mail.
> Toute utilisation de ce message non conforme a sa destination, toute
> diffusion ou toute publication, totale ou partielle, est interdite, sauf
> autorisation expresse. Les communications sur Internet n'etant pas
> securisees, l'expediteur informe qu'il ne peut accepter aucune
> responsabilite quant au contenu de ce message.
> This mail message and attachments (the "message") are solely intended for
> the addresses. It is confidential in nature.
> If you receive this message in error, please delete it and immediately
> notify the sender by e-mail.
> Any use other than its intended purpose, dissemination or disclosure,
> either whole or partial, is prohibited except if formal approval is
> granted. As communication on the Internet is not secure, the sender does
> not accept responsibility for the content of this message.
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 214, Issue 31
> *************************************************
>
2
1
Greetings!
I am trying to understand the conception of coa server. What
functionality does it brings ? Is it a some kind of proxy ?
For example, I have a NAS server with configured coa port. I can send a
disconnect request directly into it. If I configure a coa server on a
freeradius server, will I be able to send a disconnect request to the
freeradius instead and that is all?
Thanks in advance for your answers!
--
Best regards,
Yuriy Ivkin
3
6
Hello, I have installed freeradius and daloradius
It has been successfully installed but it's not working. I create nas and users with daloradius, users and nas has been inserted in database correctly , but it's not working.
ports 1812, 1813, 18120 are listening. If I try to do a request never arrive. Either trying radtest or with freeradius -X and using Ntradping to send request and nothing appear. I have used tcpdump -eqntl -i eth0 port 1812 and nothing appears.
Could you help me in this issue? I need to fix it. Regards!
Debugfile is attached.
[cid:3eafdd60-4125-4524-a2ef-fc96e51528f2]<http://redes4u.com>
2
1
I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS.
The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected.
So in my site config I have:
if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){
if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
update reply {
&Tunnel-Type = 13,
&Tunnel-Medium-Type = 6,
&Tunnel-Private-Group-Id = "1"
}
}
if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") {
update reply {
&Tunnel-Type = 13,
&Tunnel-Medium-Type = 6,
&Tunnel-Private-Group-Id = "2"
}
}
} elsif (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XYZ\.xxxxx\.de$/) {
if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.16530950.3") {
update reply {
&Tunnel-Type = 13,
&Tunnel-Medium-Type = 6,
&Tunnel-Private-Group-Id = "3"
}
}
} else {
update reply {
Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group."
Auth-Type := Reject
}
reject
}
In the log I see that the Attribute is in the tls-cert:
freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de"
freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2"
But when I scroll down, I see that the result of the if-check is false:
freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){
freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) -> TRUE
freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) {
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") {
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") -> FALSE ### This should be TRUE ###
freeradius | (343) } # if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) = noop
TLS-Client-Cert-X509v3-Extended-Key-Usage-OID is a list, do I have to check it in a different way?
Thanks in advance.
Daniel
2
4
Hi all,
Is it possible to use the pam_radius .so module with only a otp? It works
fine with a password+otp but I cannot get it working with only otp.
Thanks
2
1