Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
Hi,
With FR 3.2.1, ubuntu 20.04, I can't bind to LDAP server using an old
TLS 1.0 version.
With TLS section parameters in ldap.conf :
tls {
start_tls = no
ca_file = "/etc/freeradius/ca_cert_hosting/12126560.pem"
require_cert = demand
tls_min_version = "1.0"
cipher_list = "DEFAULT@SECLEVEL=1"
}
I have in debug log for this LDAP server :
# Loaded module rlm_ldap
...
tls {
ca_file = "/etc/freeradius/ca_cert_hosting/12126560.pem"
tls_min_version = "1.0"
start_tls = no
require_cert = "demand"
}
And the error when trying to bind :
TLS: can't connect: (unknown error code).
It seems that 'cipher_list' parameter has disappeared in the debug log,
is this parameter
supported in ldap.conf ?
If not, how can I bind and check certificate ('demand' or 'hard' option)
to a TLS 1.0
LDAP server ?
Regards,
Arnaud
2
2
1
0
Hi Alan,
Is that mean Freeradius will show 0 in the Queue Statistics in both cases:
Full / Empty? this is what we are getting now.
Is there another way to check if the Queue full rather than checking the
logs?
Thanks
On Mon, Jan 23, 2023 at 6:39 PM <
freeradius-users-request(a)lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Queue Statistics always showing 0 (Alan DeKok)
> 2. FR 3.0.26 and TLS 1.3 (Chris Howley)
> 3. Freeradius-server-3.0.25 docking mariadb error
> (=?gb18030?B?zfjC58qxtPo=?=)
> 4. Freeradius Google Secure LDAP EAP-GTC issues (Henning Kessler)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Jan 2023 08:46:56 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Queue Statistics always showing 0
> Message-ID: <4F2136FC-DB9C-418B-995D-2C499FF7BD82(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Jan 23, 2023, at 3:24 AM, Ashraf Al-Basti <albasti(a)gmail.com> wrote:
> > I'm trying to get Freeradius statistics but I can see that the Queue
> > statistics are always 0.
>
> That's a side effect of moving to the faster atomic queues. It''s more
> difficult to get accurate stats for the queue length.
>
> Plus, the queue starts are generally meaningless. Either everything is
> OK, and the queue length is zero, or things are going wrong, and the queue
> is full.
>
> There is very very few situations where the queue are partially full.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 23 Jan 2023 14:18:56 +0000
> From: Chris Howley <C.P.Howley(a)leeds.ac.uk>
> To: "freeradius-users(a)lists.freeradius.org"
> <freeradius-users(a)lists.freeradius.org>
> Subject: FR 3.0.26 and TLS 1.3
> Message-ID:
> <
> AS4PR03MB823284ABA3422F7FBDAB898E8EC89(a)AS4PR03MB8232.eurprd03.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello Support team,
>
> I recently download the FR packages from your CentOS 7 repository, and I
> noticed that the 3.0.26 server was built with OpenSSL 1.0.2k (see below).
> Should the server be built with OpenSSL 1.1.1 to support TLS 1.3? Please
> excuse my ignorance if I've asked a stupid question.
>
> Thanks,
>
> Chris Howley
>
> Mon Jan 23 13:50:17 2023 : Debug: Server was built with:
> Mon Jan 23 13:50:17 2023 : Debug: accounting : yes
> Mon Jan 23 13:50:17 2023 : Debug: authentication : yes
> Mon Jan 23 13:50:17 2023 : Debug: ascend-binary-attributes : yes
> Mon Jan 23 13:50:17 2023 : Debug: coa : yes
> Mon Jan 23 13:50:17 2023 : Debug: control-socket : yes
> Mon Jan 23 13:50:17 2023 : Debug: detail : yes
> Mon Jan 23 13:50:17 2023 : Debug: dhcp : yes
> Mon Jan 23 13:50:17 2023 : Debug: dynamic-clients : yes
> Mon Jan 23 13:50:17 2023 : Debug: osfc2 : no
> Mon Jan 23 13:50:17 2023 : Debug: proxy : yes
> Mon Jan 23 13:50:17 2023 : Debug: regex-pcre : yes
> Mon Jan 23 13:50:17 2023 : Debug: regex-posix : no
> Mon Jan 23 13:50:17 2023 : Debug: regex-posix-extended : no
> Mon Jan 23 13:50:17 2023 : Debug: session-management : yes
> Mon Jan 23 13:50:17 2023 : Debug: stats : yes
> Mon Jan 23 13:50:17 2023 : Debug: systemd : yes
> Mon Jan 23 13:50:17 2023 : Debug: tcp : yes
> Mon Jan 23 13:50:17 2023 : Debug: threads : yes
> Mon Jan 23 13:50:17 2023 : Debug: tls : yes
> Mon Jan 23 13:50:17 2023 : Debug: unlang : yes
> Mon Jan 23 13:50:17 2023 : Debug: vmps : yes
> Mon Jan 23 13:50:17 2023 : Debug: developer : no
> Mon Jan 23 13:50:17 2023 : Debug: Server core libs:
> Mon Jan 23 13:50:17 2023 : Debug: freeradius-server : 3.0.26
> Mon Jan 23 13:50:17 2023 : Debug: talloc : 2.1.*
> Mon Jan 23 13:50:17 2023 : Debug: ssl : 1.0.2k
> release
> Mon Jan 23 13:50:17 2023 : Debug: pcre : 8.32
> 2012-11-30
> Mon Jan 23 13:50:17 2023 : Debug: Endianness:
> Mon Jan 23 13:50:17 2023 : Debug: little
> Mon Jan 23 13:50:17 2023 : Debug: Compilation flags:
> Mon Jan 23 13:50:17 2023 : Debug: cppflags :
> Mon Jan 23 13:50:17 2023 : Debug: cflags : -I. -Isrc -include
> src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h
> -include src/freeradius-devel/featur
> es.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing
> -Wno-date-time -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=s
> sp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -std=c99
> -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> -DNDEBUG -DIS_MODULE=1
> Mon Jan 23 13:50:17 2023 : Debug: ldflags : -Wl,--build-id
> Mon Jan 23 13:50:17 2023 : Debug: libs : -lcrypto -lssl -ltalloc
> -lpcre -lnsl -lresolv -ldl -lpthread -lreadline
> Mon Jan 23 13:50:17 2023 : Debug:
> Mon Jan 23 13:50:17 2023 : Info: FreeRADIUS Version 3.0.26
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 23 Jan 2023 22:29:20 +0800
> From: "=?gb18030?B?zfjC58qxtPo=?=" <1511815642(a)qq.com>
> To: "=?gb18030?B?ZnJlZXJhZGl1cy11c2Vycw==?="
> <freeradius-users(a)lists.freeradius.org>
> Subject: Freeradius-server-3.0.25 docking mariadb error
> Message-ID: <tencent_7F1BF56F0ABA0721320788A7754655CCA108(a)qq.com>
> Content-Type: text/plain; charset="gb18030"
>
> Hello,
> ezhangiso@ezhangiso-virtual-machine:/$ docker exec -it radius-test
> /bin/bash
> root@4ff809b932fe:/# chgrp -h freerad /etc/freeradius/mods-available/sql
> root@4ff809b932fe:/# chown -R freerad:freerad
> /etc/freeradius/mods-enabled/sql
> root@4ff809b932fe:/# vi etc/freeradius/mods-available/sql
> root@4ff809b932fe:/# vi /etc/freeradius/sites-available/default
> root@4ff809b932fe:/# vi /etc/freeradius/sites-available/inner-tunnel
> root@4ff809b932fe:/# vi radiusd.conf
> root@4ff809b932fe:/# vi /etc/freeradius/radiusd.conf
> root@4ff809b932fe:/# cat etc/freeradius/mods-available/sql
>
>
> dialect = "mysql"
> driver = "rlm_sql_mysql"
> sqlite {
> filename = "/tmp/freeradius.db"
> busy_timeout = 200
> bootstrap =
> "${modconfdir}/${..:name}/main/sqlite/schema.sql"
> }
>
>
> mysql {
>
> tls_required = no
> tls_check_cert = no
> tls_check_cert_cn = no
> }
> warnings = auto
> }
>
>
> postgresql {
>
>
> send_application_name = yes
> }
>
>
> #
> mongo {
> appname = "freeradius"
>
>
> tls {
> certificate_file = /path/to/file
> certificate_password = "password"
> ca_file = /path/to/file
> ca_dir = /path/to/directory
> crl_file = /path/to/file
> weak_cert_validation = false
> allow_invalid_hostname = false
>
>
> server = "10.0.8.31"
> port = 3306
> login = "radius"
> password = "radius"
>
>
> radius_db = "radius"
> acct_table1 = "radacct"
> acct_table2 = "radacct"
> postauth_table = "radpostauth"
> authcheck_table = "radcheck"
> groupcheck_table = "radgroupcheck"
> authreply_table = "radreply"
> groupreply_table = "radgroupreply"
> usergroup_table = "radusergroup"
>
>
> delete_stale_sessions = yes
>
>
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> uses = 0
> retry_delay = 30
> lifetime = 0
> idle_timeout = 60
> client_table = "nas"
> group_attribute = "SQL-Group"
> $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
> }
> root@4ff809b932fe:/# cat /etc/freeradius/radiusd.conf
>
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
>
>
> name = freeradius
>
>
> confdir = ${raddbdir}
> modconfdir = ${confdir}/mods-config
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> run_dir = ${localstatedir}/run/${name}
>
>
> db_dir = ${raddbdir}
>
>
> libdir = /usr/lib/freeradius
>
>
> pidfile = ${run_dir}/${name}.pid
>
>
> correct_escapes = true
> max_request_time = 30
> cleanup_delay = 5
> hostname_lookups = no
> log {
> destination = files
> colourise = yes
> file = ${logdir}/radius.log
> syslog_facility = daemon
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> msg_denied = "You are already logged in - access denied"
> }
> checkrad = ${sbindir}/checkrad
> ENV {
> }
>
>
> security {
> user = freerad
> group = freerad
> allow_core_dumps = no
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
>
>
> proxy_requests = yes
> $INCLUDE proxy.conf
> $INCLUDE clients.conf
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> modules {
> $INCLUDE mods-enabled/sql
>
>
> $INCLUDE mods-enabled/
> }
>
>
> policy {
> $INCLUDE policy.d/
> }
>
>
> $INCLUDE sites-enabled/
>
>
> root@4ff809b932fe:/# apt install mariadb-client
>
>
> root@4ff809b932fe:/# mysql -h 10.0.8.31 -uradius -p radius
> Enter password:
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
>
> Welcome to the MariaDB monitor. Commands end with ; or \g.
> Your MariaDB connection id is 3
> Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary
> distribution
>
>
> Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
>
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
>
> MariaDB [radius]> show tables;
> +------------------+
> | Tables_in_radius |
> +------------------+
> | nas |
> | radacct |
> | radcheck |
> | radgroupcheck |
> | radgroupreply |
> | radpostauth |
> | radreply |
> | radusergroup |
> +------------------+
> 8 rows in set (0.00 sec)
>
>
> MariaDB [radius]> exit
> Bye
> root@4ff809b932fe:/# exit
> exit
> ezhangiso@ezhangiso-virtual-machine:/$ docker commit radius-test
> radius-mariadb
> sha256:1b5a68d2c3c3aaf70be72f8dcbfda27a7cf63e7ba448f412b73bd5f0d8aef63b
> ezhangiso@ezhangiso-virtual-machine:/$ docker stop radius-test
> radius-test
> ezhangiso@ezhangiso-virtual-machine:/$ docker run --rm --name myradius -t
> -p1812-1813:1812-1813/udp radius-mariadb -X
> FreeRADIUS Version 3.0.25
> Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/dictionary
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including configuration file /etc/freeradius/mods-enabled/sql
> /etc/freeradius/mods-enabled/sql[365]: Reference "${dialect}" not found
> Errors reading or parsing /etc/freeradius/radiusd.conf
> ezhangiso@ezhangiso-virtual-machine:/$
>
>
> Can anyone shed some light on this and point me in the right direction what
> else should I do?
>
> ------------------------------
>
> Message: 4
> Date: Mon, 23 Jan 2023 15:38:42 +0100
> From: Henning Kessler <maillist(a)henningkessler.de>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Freeradius Google Secure LDAP EAP-GTC issues
> Message-ID: <54ECCD6B-D2B4-4F67-9E5A-89EB44B2EBE3(a)henningkessler.de>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> I followed this tutorial (
> https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes
> several times and it worked flawlessly. several month later I wanted to put
> it in production and it stop working.
>
> This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried
> the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients
> macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I
> tried an Ubuntu client as well.
>
> Binding to Google LDAP works without any issues (radtest results in
> Access-Accept) I even see that the Radius server sends an ?Access-Accept?
> to the clients but shortly after the client starts another Access-Request
> an that fails with:
>
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x864de94f8144fc95
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed in handler
>
> Any idea what is happening here?
>
> Here the full output of a test with freeradius -X
>
> Ready to process requests
> (0) Received Access-Request Id 18 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 253
> (0) User-Name = "klaus.mustermann"
> (0) NAS-IP-Address = 10.100.2.39
> (0) NAS-Identifier = "8283c219e7f9"
> (0) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) Acct-Session-Id = "690B866461ACEC60"
> (0) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (0) Mobility-Domain-Id = 46476
> (0) WLAN-Pairwise-Cipher = 1027076
> (0) WLAN-Group-Cipher = 1027076
> (0) WLAN-AKM-Suite = 1027075
> (0) Framed-MTU = 1400
> (0) EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e
> (0) Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 103 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_ttls to process data
> (0) eap_ttls: (TLS) Initiating new session
> (0) eap: Sending EAP Request (code 1) ID 104 length 6
> (0) eap: EAP session adding &reply:State = 0x33754777331d52c5
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 994
> (0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 64
> (0) EAP-Message = 0x016800061520
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0x33754777331d52c5d9592c39c6f43193
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 19 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 411
> (1) User-Name = "klaus.mustermann"
> (1) NAS-IP-Address = 10.100.2.39
> (1) NAS-Identifier = "8283c219e7f9"
> (1) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Service-Type = Framed-User
> (1) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) Acct-Session-Id = "690B866461ACEC60"
> (1) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (1) Mobility-Domain-Id = 46476
> (1) WLAN-Pairwise-Cipher = 1027076
> (1) WLAN-Group-Cipher = 1027076
> (1) WLAN-AKM-Suite = 1027075
> (1) Framed-MTU = 1400
> (1) EAP-Message =
> 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
> (1) State = 0x33754777331d52c5d9592c39c6f43193
> (1) Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b
> (1) Restoring &session-state
> (1) &session-state:Framed-MTU = 994
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 104 length 161
> (1) eap: Continuing tunnel setup
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x33754777331d52c5
> (1) eap: Finished EAP session with state 0x33754777331d52c5
> (1) eap: Previous EAP request found for state 0x33754777331d52c5, released
> from the list
> (1) eap: Peer sent packet with method EAP TTLS (21)
> (1) eap: Calling submodule eap_ttls to process data
> (1) eap_ttls: Authenticate
> (1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151
> bytes
> (1) eap_ttls: (TLS) EAP Got all data (151 bytes)
> (1) eap_ttls: (TLS) Handshake state - before SSL initialization
> (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
> (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
> (1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
> (1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write
> server done
> (1) eap_ttls: (TLS) In Handshake Phase
> (1) eap: Sending EAP Request (code 1) ID 105 length 1004
> (1) eap: EAP session adding &reply:State = 0x33754777321c52c5
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Challenge { ... } # empty sub-section is ignored
> (1) session-state: Saving cached attributes
> (1) Framed-MTU = 994
> (1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (1) EAP-Message =
> 0x016903ec15c000001151160303003d02000039030333251bb0257a7e942419ced1c14e2115f3355723303c682158f6d50e662be4da00c030000011ff01000100000b000403000102001700001603030eaf0b000eab000ea800071930820715308204fda0030201020208651e057cf4b3407c300d06092a864886f70d01010b05003081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3233303130323030303030305a170d3235303430353233353935395a3081bb310b3009060355040613024445310f300d0603
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0x33754777321c52c5d9592c39c6f43193
> (1) Finished request
> Waking up in 4.8 seconds.
> (2) Received Access-Request Id 20 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (2) User-Name = "klaus.mustermann"
> (2) NAS-IP-Address = 10.100.2.39
> (2) NAS-Identifier = "8283c219e7f9"
> (2) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (2) NAS-Port-Type = Wireless-802.11
> (2) Service-Type = Framed-User
> (2) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) Acct-Session-Id = "690B866461ACEC60"
> (2) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (2) Mobility-Domain-Id = 46476
> (2) WLAN-Pairwise-Cipher = 1027076
> (2) WLAN-Group-Cipher = 1027076
> (2) WLAN-AKM-Suite = 1027075
> (2) Framed-MTU = 1400
> (2) EAP-Message = 0x026900061500
> (2) State = 0x33754777321c52c5d9592c39c6f43193
> (2) Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826
> (2) Restoring &session-state
> (2) &session-state:Framed-MTU = 994
> (2) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 105 length 6
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0x33754777321c52c5
> (2) eap: Finished EAP session with state 0x33754777321c52c5
> (2) eap: Previous EAP request found for state 0x33754777321c52c5, released
> from the list
> (2) eap: Peer sent packet with method EAP TTLS (21)
> (2) eap: Calling submodule eap_ttls to process data
> (2) eap_ttls: Authenticate
> (2) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (2) eap: Sending EAP Request (code 1) ID 106 length 1004
> (2) eap: EAP session adding &reply:State = 0x33754777311f52c5
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) session-state: Saving cached attributes
> (2) Framed-MTU = 994
> (2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (2) EAP-Message =
> 0x016a03ec15c000001151634a5ca32fca591c963a10e1e4fc909ecc4cf2f3259d2cc70fde28bea17fe514687c8e2ceb902a9d47fde53d01733845bba3e9d6a95f90195118e26a7a98ef957393cd519e06e02ec652ceb9fef0ef8e67a1dc250203010001a382011730820113300c0603551d130101ff04023000301d0603551d0e041604140d3fc210b4abae8368f6656c2f4182ded3cba973301f0603551d23041830168014bb50e659b6554824eb10703f59de33b5ab10d343300e0603551d0f0101ff0404030203e830130603551d25040c300a06082b0601050507030130260603551d11041f301d821b6265723072616430342e696e742e62756464796272616e642e646530430603551d1f0101ff043930373035a033a031862f687474703a2f2f63726c2e62756464796272616e642e64653a383038302f696e746572636130345f63726c2e70656d301106096086480186f8420101040403020640301e06096086480186f842010d0411160f7863612063657274
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x33754777311f52c5d9592c39c6f43193
> (2) Finished request
> Waking up in 4.8 seconds.
> (3) Received Access-Request Id 21 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (3) User-Name = "klaus.mustermann"
> (3) NAS-IP-Address = 10.100.2.39
> (3) NAS-Identifier = "8283c219e7f9"
> (3) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (3) NAS-Port-Type = Wireless-802.11
> (3) Service-Type = Framed-User
> (3) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) Acct-Session-Id = "690B866461ACEC60"
> (3) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (3) Mobility-Domain-Id = 46476
> (3) WLAN-Pairwise-Cipher = 1027076
> (3) WLAN-Group-Cipher = 1027076
> (3) WLAN-AKM-Suite = 1027075
> (3) Framed-MTU = 1400
> (3) EAP-Message = 0x026a00061500
> (3) State = 0x33754777311f52c5d9592c39c6f43193
> (3) Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00
> (3) Restoring &session-state
> (3) &session-state:Framed-MTU = 994
> (3) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 106 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x33754777311f52c5
> (3) eap: Finished EAP session with state 0x33754777311f52c5
> (3) eap: Previous EAP request found for state 0x33754777311f52c5, released
> from the list
> (3) eap: Peer sent packet with method EAP TTLS (21)
> (3) eap: Calling submodule eap_ttls to process data
> (3) eap_ttls: Authenticate
> (3) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (3) eap: Sending EAP Request (code 1) ID 107 length 1004
> (3) eap: EAP session adding &reply:State = 0x33754777301e52c5
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Challenge { ... } # empty sub-section is ignored
> (3) session-state: Saving cached attributes
> (3) Framed-MTU = 994
> (3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (3) EAP-Message =
> 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0x33754777301e52c5d9592c39c6f43193
> (3) Finished request
> Waking up in 4.8 seconds.
> (4) Received Access-Request Id 22 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (4) User-Name = "klaus.mustermann"
> (4) NAS-IP-Address = 10.100.2.39
> (4) NAS-Identifier = "8283c219e7f9"
> (4) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (4) NAS-Port-Type = Wireless-802.11
> (4) Service-Type = Framed-User
> (4) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) Acct-Session-Id = "690B866461ACEC60"
> (4) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (4) Mobility-Domain-Id = 46476
> (4) WLAN-Pairwise-Cipher = 1027076
> (4) WLAN-Group-Cipher = 1027076
> (4) WLAN-AKM-Suite = 1027075
> (4) Framed-MTU = 1400
> (4) EAP-Message = 0x026b00061500
> (4) State = 0x33754777301e52c5d9592c39c6f43193
> (4) Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22
> (4) Restoring &session-state
> (4) &session-state:Framed-MTU = 994
> (4) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 107 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0x33754777301e52c5
> (4) eap: Finished EAP session with state 0x33754777301e52c5
> (4) eap: Previous EAP request found for state 0x33754777301e52c5, released
> from the list
> (4) eap: Peer sent packet with method EAP TTLS (21)
> (4) eap: Calling submodule eap_ttls to process data
> (4) eap_ttls: Authenticate
> (4) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (4) eap: Sending EAP Request (code 1) ID 108 length 1004
> (4) eap: EAP session adding &reply:State = 0x33754777371952c5
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) session-state: Saving cached attributes
> (4) Framed-MTU = 994
> (4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (4) EAP-Message =
> 0x016c03ec15c00000115155040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e64658209009ce5d9f001129991300e0603551d0f0101ff04040302018630400603551d1f0101ff043630343032a030a02e862c687474703a2f2f63726c2e62756464796272616e642e64653a383038302f726f6f7463615f63726c2e70656d301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d01010b0500038202010014ba00b7b369be8d469dc9fe7cb4ea2b8b69f5ddf664529e7cfa7e5c23
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x33754777371952c5d9592c39c6f43193
> (4) Finished request
> Waking up in 4.7 seconds.
> (5) Received Access-Request Id 23 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (5) User-Name = "klaus.mustermann"
> (5) NAS-IP-Address = 10.100.2.39
> (5) NAS-Identifier = "8283c219e7f9"
> (5) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (5) NAS-Port-Type = Wireless-802.11
> (5) Service-Type = Framed-User
> (5) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) Acct-Session-Id = "690B866461ACEC60"
> (5) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (5) Mobility-Domain-Id = 46476
> (5) WLAN-Pairwise-Cipher = 1027076
> (5) WLAN-Group-Cipher = 1027076
> (5) WLAN-AKM-Suite = 1027075
> (5) Framed-MTU = 1400
> (5) EAP-Message = 0x026c00061500
> (5) State = 0x33754777371952c5d9592c39c6f43193
> (5) Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 994
> (5) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 108 length 6
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x33754777371952c5
> (5) eap: Finished EAP session with state 0x33754777371952c5
> (5) eap: Previous EAP request found for state 0x33754777371952c5, released
> from the list
> (5) eap: Peer sent packet with method EAP TTLS (21)
> (5) eap: Calling submodule eap_ttls to process data
> (5) eap_ttls: Authenticate
> (5) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (5) eap: Sending EAP Request (code 1) ID 109 length 467
> (5) eap: EAP session adding &reply:State = 0x33754777361852c5
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Challenge { ... } # empty sub-section is ignored
> (5) session-state: Saving cached attributes
> (5) Framed-MTU = 994
> (5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 527
> (5) EAP-Message =
> 0x016d01d3158000001151c7ae0d9a4018dc0ce7aab22f77890b68228d8c81607a7cd59e58e5b314f938dfe8d81ca660735e53afd3f6eb0939e78859296a954ea1d3046dbcf4333aa72aaad39f3f152ab2b3a2ed59dc1bfdbc773787acbba803d0201cda94c46c440afa65d844464271d2a2dcb7e409ff9c9c30a411ea245b8c2424110ac5191f2c594afe070d15b670dd08c238fd3b672b5bbed9bc7141c3b6e95b61bb78889da5182b33b0883e08339b927b4fd0ef118175f30d3e232be2fc5c92ef1eae2a30a21ba88a0477b8a0a89b903ea37327d4b41dc15ac604f4c057eff9a454748056d6b919f4756ee70de3878196b23441f9252252e5ee8bebe2519a11cb9967ff91ce3d43a9f3e3e39e82277f7bc39200d0e9d8178afdf2b479684b66ee8b2c6b6d258d172684d801780ede278d3c6bbce36875649bc181dcecd10a2ecc83bc920f0b97cf3f2b51a234b69f88e884f5c248fb1062aba73cb402765bf2005825f8379389178cafae7ad9723c0f9e3f63b375c2
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x33754777361852c5d9592c39c6f43193
> (5) Finished request
> Waking up in 4.7 seconds.
> (6) Received Access-Request Id 24 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 386
> (6) User-Name = "klaus.mustermann"
> (6) NAS-IP-Address = 10.100.2.39
> (6) NAS-Identifier = "8283c219e7f9"
> (6) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (6) NAS-Port-Type = Wireless-802.11
> (6) Service-Type = Framed-User
> (6) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (6) Connect-Info = "CONNECT 0Mbps 802.11b"
> (6) Acct-Session-Id = "690B866461ACEC60"
> (6) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (6) Mobility-Domain-Id = 46476
> (6) WLAN-Pairwise-Cipher = 1027076
> (6) WLAN-Group-Cipher = 1027076
> (6) WLAN-AKM-Suite = 1027075
> (6) Framed-MTU = 1400
> (6) EAP-Message =
> 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de
> (6) State = 0x33754777361852c5d9592c39c6f43193
> (6) Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01
> (6) Restoring &session-state
> (6) &session-state:Framed-MTU = 994
> (6) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /(a)\./) {
> (6) if (&User-Name =~ /(a)\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 109 length 136
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x33754777361852c5
> (6) eap: Finished EAP session with state 0x33754777361852c5
> (6) eap: Previous EAP request found for state 0x33754777361852c5, released
> from the list
> (6) eap: Peer sent packet with method EAP TTLS (21)
> (6) eap: Calling submodule eap_ttls to process data
> (6) eap_ttls: Authenticate
> (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126
> bytes
> (6) eap_ttls: (TLS) EAP Got all data (126 bytes)
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
> (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key
> exchange
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher
> spec
> (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
> (6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
> spec
> (6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
> (6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
> (6) eap_ttls: (TLS) Connection Established
> (6) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) eap_ttls: TLS-Session-Version = "TLS 1.2"
> (6) eap: Sending EAP Request (code 1) ID 110 length 61
> (6) eap: EAP session adding &reply:State = 0x33754777351b52c5
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) Challenge { ... } # empty sub-section is ignored
> (6) session-state: Saving cached attributes
> (6) Framed-MTU = 994
> (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) TLS-Session-Version = "TLS 1.2"
> (6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 119
> (6) EAP-Message =
> 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x33754777351b52c5d9592c39c6f43193
> (6) Finished request
> Waking up in 4.7 seconds.
> (7) Received Access-Request Id 25 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 321
> (7) User-Name = "klaus.mustermann"
> (7) NAS-IP-Address = 10.100.2.39
> (7) NAS-Identifier = "8283c219e7f9"
> (7) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (7) NAS-Port-Type = Wireless-802.11
> (7) Service-Type = Framed-User
> (7) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
> (7) Acct-Session-Id = "690B866461ACEC60"
> (7) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (7) Mobility-Domain-Id = 46476
> (7) WLAN-Pairwise-Cipher = 1027076
> (7) WLAN-Group-Cipher = 1027076
> (7) WLAN-AKM-Suite = 1027075
> (7) Framed-MTU = 1400
> (7) EAP-Message =
> 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3
> (7) State = 0x33754777351b52c5d9592c39c6f43193
> (7) Message-Authenticator = 0xa8b841519028def71e27cfef249be756
> (7) Restoring &session-state
> (7) &session-state:Framed-MTU = 994
> (7) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (7) &session-state:TLS-Session-Version = "TLS 1.2"
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 110 length 71
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x33754777351b52c5
> (7) eap: Finished EAP session with state 0x33754777351b52c5
> (7) eap: Previous EAP request found for state 0x33754777351b52c5, released
> from the list
> (7) eap: Peer sent packet with method EAP TTLS (21)
> (7) eap: Calling submodule eap_ttls to process data
> (7) eap_ttls: Authenticate
> (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61
> bytes
> (7) eap_ttls: (TLS) EAP Got all data (61 bytes)
> (7) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (7) eap_ttls: Got tunneled request
> (7) eap_ttls: EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
> (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_ttls: Got tunneled identity of klaus.mustermann
> (7) eap_ttls: Setting default EAP type for tunneled EAP session
> (7) eap_ttls: Sending tunneled request
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = "klaus.mustermann"
> (7) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (7) server inner-tunnel {
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap: Peer sent packet with method EAP Identity (1)
> (7) eap: Calling submodule eap_gtc to process data
> (7) eap_gtc: EXPAND Password:
> (7) eap_gtc: --> Password:
> (7) eap: Sending EAP Request (code 1) ID 1 length 15
> (7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x0101000f0650617373776f72643a20
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xb4a2b867b4a3bebfd5edaac839855c28
> (7) eap_ttls: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 111 length 63
> (7) eap: EAP session adding &reply:State = 0x33754777341a52c5
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) Challenge { ... } # empty sub-section is ignored
> (7) session-state: Saving cached attributes
> (7) Framed-MTU = 994
> (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (7) TLS-Session-Version = "TLS 1.2"
> (7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 121
> (7) EAP-Message =
> 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x33754777341a52c5d9592c39c6f43193
> (7) Finished request
> Waking up in 4.6 seconds.
> (8) Received Access-Request Id 26 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 317
> (8) User-Name = "klaus.mustermann"
> (8) NAS-IP-Address = 10.100.2.39
> (8) NAS-Identifier = "8283c219e7f9"
> (8) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (8) NAS-Port-Type = Wireless-802.11
> (8) Service-Type = Framed-User
> (8) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (8) Connect-Info = "CONNECT 0Mbps 802.11b"
> (8) Acct-Session-Id = "690B866461ACEC60"
> (8) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (8) Mobility-Domain-Id = 46476
> (8) WLAN-Pairwise-Cipher = 1027076
> (8) WLAN-Group-Cipher = 1027076
> (8) WLAN-AKM-Suite = 1027075
> (8) Framed-MTU = 1400
> (8) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (8) State = 0x33754777341a52c5d9592c39c6f43193
> (8) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (8) Restoring &session-state
> (8) &session-state:Framed-MTU = 994
> (8) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (8) &session-state:TLS-Session-Version = "TLS 1.2"
> (8) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Finished EAP session with state 0x33754777341a52c5
> (8) eap: Previous EAP request found for state 0x33754777341a52c5, released
> from the list
> (8) eap: Peer sent packet with method EAP TTLS (21)
> (8) eap: Calling submodule eap_ttls to process data
> (8) eap_ttls: Authenticate
> (8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57
> bytes
> (8) eap_ttls: (TLS) EAP Got all data (57 bytes)
> (8) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (8) eap_ttls: Got tunneled request
> (8) eap_ttls: EAP-Message = 0x0201001306736167616e382e53697a61626c65
> (8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_ttls: Sending tunneled request
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message = 0x0201001306736167616e382e53697a61626c65
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "klaus.mustermann"
> (8) State = 0xb4a2b867b4a3bebfd5edaac839855c28
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 1 length 19
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap: --> (uid=klaus.mustermann)
> (8) ldap: Performing search in "dc=pretendco,dc=de" with filter
> "(uid=klaus.mustermann)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
> (8) ldap: Processing user attributes
> (8) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (8) ldap: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed, errno=11.
> rlm_ldap (ldap): Bind successful
> (8) [ldap] = ok
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) [pap] = noop
> (8) if (User-Password) {
> (8) if (User-Password) -> FALSE
> (8) } # authorize = updated
> (8) Found Auth-Type = eap
> (8) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released
> from the list
> (8) eap: Peer sent packet with method EAP GTC (6)
> (8) eap: Calling submodule eap_gtc to process data
> (8) eap_gtc: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) eap_gtc: Auth-Type PAP {
> rlm_ldap (ldap): Reserved connection (1)
> (8) ldap: Login attempt by "klaus.mustermann"
> (8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
> (8) ldap: Waiting for bind result...
> (8) ldap: Bind successful
> (8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful
> rlm_ldap (ldap): Released connection (1)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed, errno=11.
> rlm_ldap (ldap): Bind successful
> (8) eap_gtc: [ldap] = ok
> (8) eap_gtc: } # Auth-Type PAP = ok
> (8) eap: Sending EAP Success (code 3) ID 1 length 4
> (8) eap: Freeing handler
> (8) [eap] = ok
> (8) } # authenticate = ok
> (8) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) post-auth {
> (8) if (0) {
> (8) if (0) -> FALSE
> (8) } # post-auth = noop
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) EAP-Message = 0x03010004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) User-Name = "klaus.mustermann"
> (8) eap_ttls: Got tunneled Access-Accept
> (8) eap: Sending EAP Success (code 3) ID 111 length 4
> (8) eap: Freeing handler
> (8) [eap] = ok
> (8) } # authenticate = ok
> (8) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/default
> (8) post-auth {
> (8) if (session-state:User-Name && reply:User-Name &&
> request:User-Name && (reply:User-Name == request:User-Name)) {
> (8) if (session-state:User-Name && reply:User-Name &&
> request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
> (8) update {
> (8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
> (8) &reply::TLS-Session-Cipher-Suite +=
> &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
> (8) &reply::TLS-Session-Version +=
> &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
> (8) } # update = noop
> (8) [exec] = noop
> (8) policy remove_reply_message_if_eap {
> (8) if (&reply:EAP-Message && &reply:Reply-Message) {
> (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (8) else {
> (8) [noop] = noop
> (8) } # else = noop
> (8) } # policy remove_reply_message_if_eap = noop
> (8) } # post-auth = noop
> (8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 184
> (8) MS-MPPE-Recv-Key =
> 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62
> (8) MS-MPPE-Send-Key =
> 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64
> (8) EAP-Message = 0x036f0004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) User-Name = "klaus.mustermann"
> (8) Framed-MTU += 994
> (8) Finished request
> Waking up in 1.1 seconds.
> (9) Received Access-Request Id 26 from 10.100.2.39:38737 to
> 10.100.1.65:1812 length 317
> (9) User-Name = "klaus.mustermann"
> (9) NAS-IP-Address = 10.100.2.39
> (9) NAS-Identifier = "8283c219e7f9"
> (9) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (9) NAS-Port-Type = Wireless-802.11
> (9) Service-Type = Framed-User
> (9) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (9) Connect-Info = "CONNECT 0Mbps 802.11b"
> (9) Acct-Session-Id = "690B866461ACEC60"
> (9) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (9) Mobility-Domain-Id = 46476
> (9) WLAN-Pairwise-Cipher = 1027076
> (9) WLAN-Group-Cipher = 1027076
> (9) WLAN-AKM-Suite = 1027075
> (9) Framed-MTU = 1400
> (9) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (9) State = 0x33754777341a52c5d9592c39c6f43193
> (9) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (9) session-state: No cached attributes
> (9) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (9) authorize {
> (9) policy filter_username {
> (9) if (&User-Name) {
> (9) if (&User-Name) -> TRUE
> (9) if (&User-Name) {
> (9) if (&User-Name =~ / /) {
> (9) if (&User-Name =~ / /) -> FALSE
> (9) if (&User-Name =~ /@[^@]*@/ ) {
> (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (9) if (&User-Name =~ /\.\./ ) {
> (9) if (&User-Name =~ /\.\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (9) if (&User-Name =~ /\.$/) {
> (9) if (&User-Name =~ /\.$/) -> FALSE
> (9) if (&User-Name =~ /(a)\./) {
> (9) if (&User-Name =~ /(a)\./) -> FALSE
> (9) } # if (&User-Name) = notfound
> (9) } # policy filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) [digest] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9) [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (9) eap: Continuing tunnel setup
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (9) authenticate {
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed in handler
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject: --> klaus.mustermann
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed to get handler, probably already removed, not inserting
> EAP-Failure
> (9) [eap] = noop
> (9) policy remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else {
> (9) [noop] = noop
> (9) } # else = noop
> (9) } # policy remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (10) Received Access-Request Id 26 from 10.100.2.39:45497 to
> 10.100.1.65:1812 length 317
> (10) User-Name = "klaus.mustermann"
> (10) NAS-IP-Address = 10.100.2.39
> (10) NAS-Identifier = "8283c219e7f9"
> (10) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (10) NAS-Port-Type = Wireless-802.11
> (10) Service-Type = Framed-User
> (10) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (10) Connect-Info = "CONNECT 0Mbps 802.11b"
> (10) Acct-Session-Id = "690B866461ACEC60"
> (10) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (10) Mobility-Domain-Id = 46476
> (10) WLAN-Pairwise-Cipher = 1027076
> (10) WLAN-Group-Cipher = 1027076
> (10) WLAN-AKM-Suite = 1027075
> (10) Framed-MTU = 1400
> (10) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (10) State = 0x33754777341a52c5d9592c39c6f43193
> (10) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (10) session-state: No cached attributes
> (10) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (10) authorize {
> (10) policy filter_username {
> (10) if (&User-Name) {
> (10) if (&User-Name) -> TRUE
> (10) if (&User-Name) {
> (10) if (&User-Name =~ / /) {
> (10) if (&User-Name =~ / /) -> FALSE
> (10) if (&User-Name =~ /@[^@]*@/ ) {
> (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (10) if (&User-Name =~ /\.\./ ) {
> (10) if (&User-Name =~ /\.\./ ) -> FALSE
> (10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (10) if (&User-Name =~ /\.$/) {
> (10) if (&User-Name =~ /\.$/) -> FALSE
> (10) if (&User-Name =~ /(a)\./) {
> (10) if (&User-Name =~ /(a)\./) -> FALSE
> (10) } # if (&User-Name) = notfound
> (10) } # policy filter_username = notfound
> (10) [preprocess] = ok
> (10) [chap] = noop
> (10) [mschap] = noop
> (10) [digest] = noop
> (10) suffix: Checking for suffix after "@"
> (10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm
> NULL
> (10) suffix: No such realm "NULL"
> (10) [suffix] = noop
> (10) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (10) eap: Continuing tunnel setup
> (10) [eap] = ok
> (10) } # authorize = ok
> (10) Found Auth-Type = eap
> (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (10) authenticate {
> (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (10) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (10) eap: Failed in handler
> (10) [eap] = invalid
> (10) } # authenticate = invalid
> (10) Failed to authenticate the user
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (10) Post-Auth-Type REJECT {
> (10) attr_filter.access_reject: EXPAND %{User-Name}
> (10) attr_filter.access_reject: --> klaus.mustermann
> (10) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (10) [attr_filter.access_reject] = updated
> (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (10) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (10) eap: Failed to get handler, probably already removed, not inserting
> EAP-Failure
> (10) [eap] = noop
> (10) policy remove_reply_message_if_eap {
> (10) if (&reply:EAP-Message && &reply:Reply-Message) {
> (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (10) else {
> (10) [noop] = noop
> (10) } # else = noop
> (10) } # policy remove_reply_message_if_eap = noop
> (10) } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.2 seconds.
> (9) Sending delayed response
> (9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737
> length 20
> Waking up in 0.1 seconds.
> (0) Cleaning up request packet ID 18 with timestamp +35 due to
> cleanup_delay was reached
> Waking up in 0.1 seconds.
> (1) Cleaning up request packet ID 19 with timestamp +35 due to
> cleanup_delay was reached
> (2) Cleaning up request packet ID 20 with timestamp +35 due to
> cleanup_delay was reached
> (3) Cleaning up request packet ID 21 with timestamp +35 due to
> cleanup_delay was reached
> (4) Cleaning up request packet ID 22 with timestamp +35 due to
> cleanup_delay was reached
> (5) Cleaning up request packet ID 23 with timestamp +35 due to
> cleanup_delay was reached
> (6) Cleaning up request packet ID 24 with timestamp +35 due to
> cleanup_delay was reached
> (7) Cleaning up request packet ID 25 with timestamp +35 due to
> cleanup_delay was reached
> (10) Sending delayed response
> (10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497
> length 20
>
> Any Idea what I am doing wrong here?
>
> Regards
>
>
> Henning
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 213, Issue 21
> *************************************************
>
--
Best regards,
Ashraf Al-Basti
2
1
Dears,
Good Day,
I am trying to activate eduroam SP using FreeRADIUS by following these instructions https://wiki.geant.org/display/H2eduroam/eduroam+SP, in centos 7 OS, I am new in FreeRADIUS actually.
I have finished the installation and eduroam configuration as mentioned above, I am trying to test the service locally, using “bob” user but I the test is fail,
Could anybody assist me or guide me to discovered the issue .
when I started the service by (systemctl restart radiusd)+ run radiusd -x I got
Failed binding to auth address * port 1812 bound to server eduroam: Address already in use
/etc/raddb/sites-enabled/eduroam[3]: Error binding to port for 0.0.0.0 port 1812
Then, when I test bob user I got as below
[root@localhost ~]# radtest bob password 127.0.0.1 100 testing123
Sent Access-Request Id 73 from 0.0.0.0:54411 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
Received Access-Reject Id 73 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
1. -: Expected Access-Accept got Access-Reject
When I stop the service and run radiusd -x I got ready to process request, then when I test bob user I got the below
[root@localhost ~]# radtest bob password 127.0.0.1 100 testing123
Sent Access-Request Id 8 from 0.0.0.0:48138 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
Sent Access-Request Id 8 from 0.0.0.0:48138 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
Sent Access-Request Id 8 from 0.0.0.0:48138 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
(0) No reply from server for ID 8 socket 3
radiusd -X output is as below
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/f_ticks
including configuration file /etc/raddb/mods-enabled/eduroam_cui_log
including configuration file /etc/raddb/mods-enabled/sql
including configuration file /etc/raddb/mods-config/sql/main/sqlite/queries.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server eduroam.om {
ipaddr = 185.186.206.13
port = 1812
type = "auth+acct"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm LOCAL {
}
realm NULL {
nostrip
virtual_server = auth-reject
}
home_server_pool EDUROAM {
type = fail-over
home_server = eduroam.om
}
realm ~.+$ {
pool = EDUROAM
nostrip
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client OMREN-access-point-1 {
ipaddr = 192.168.X.X
netmask = 32
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "AP1"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client OMREN-access-point-2 {
ipaddr = 192.168.X.X
netmask = 32
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "AP2"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client eduroam.om {
ipaddr = 185.186.206.13
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "eduroam-main-server"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüà âæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÃÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loading module "f_ticks" from file /etc/raddb/mods-enabled/f_ticks
linelog f_ticks {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
}
# Loading module "cui_log" from file /etc/raddb/mods-enabled/eduroam_cui_log
linelog cui_log {
filename = "/var/log/radius/radius.log"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "auth_log.%{%{reply:Packet-Type}:-format}"
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_null"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = ""
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "f_ticks" from file /etc/raddb/mods-enabled/f_ticks
# Instantiating module "cui_log" from file /etc/raddb/mods-enabled/eduroam_cui_log
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server eduroam { # from file /etc/raddb/sites-enabled/eduroam
# Loading authorize {...}
# Loading preacct {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server eduroam
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
Failed binding to auth address * port 1812 bound to server eduroam: Address already in use
/etc/raddb/sites-enabled/eduroam[3]: Error binding to port for 0.0.0.0 port 1812
Regards,
[cid:image001.png@01D924CC.ADF652B0]
[cid:image003.png@01D924CC.ADF652B0][cid:image004.png@01D924CC.ADF652B0] [cid:image005.png@01D924CC.ADF652B0]
Raiya Al Rashdi,
Applications Developer
Oman Research and Education Network - OMREN,
Ministry of Higher Education, Research and Innovation
P.O.Box 92, Innovation Park Muscat – Al Khoud 123,
Sultanate of Oman
T: +968 24442370
M: +968 98505517
E: raiya(a)omren.om <mailto:hilal.aljassasi@omren.om>
OMREN is the official national research and education network of the Sultanate of Oman under the Ministry of Higher Education, Research, and novation to contribute to the rise of an effective national innovation ecosystem and provide the research and education community in the Sultanate of Oman with a common network and state of the art infrastructure dedicated and adapted to their needs.
3
5
Hello,
I noticed a problem if I configure the file this way :
root@radius:/etc/freeradius/3.0# cat users
# user_zone1
$INCLUDE /etc/freeradius/3.0/users_1
# user_zone2
$INCLUDE /etc/freeradius/3.0/users_2
# Test
test Cleartext-Password := "::123456789@"
Reply-Message := "Hello, %{User-Name}"
#DEFAULLT Section
DEFAULT
Alc-Primary-Dns = 8.8.8.8,
Alc-Secondary-Dns = 192.168.100.100,
Framed-IP-Netmask = 255.255.255.0,
Alc-Default-Router = 192.168.100.1,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
All the DNS and default-router part is not transmitted... I have to reorganize the file in this way for it to work :
root@radius:/etc/freeradius/3.0# cat users
#DEFAULLT Section
DEFAULT
Alc-Primary-Dns = 8.8.8.8,
Alc-Secondary-Dns = 192.168.100.100,
Framed-IP-Netmask = 255.255.255.0,
Alc-Default-Router = 192.168.100.1,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
# user_zone1
$INCLUDE /etc/freeradius/3.0/users_1
# user_zone2
$INCLUDE /etc/freeradius/3.0/users_2
# Test
test Cleartext-Password := "::123456789@"
Reply-Message := "Hello, %{User-Name}"
Is this normal behavior (FreeRADIUS Version 3.0.21) ?
Thanks for the explanation.
2
1
Hello,
ezhangiso@ezhangiso-virtual-machine:/$ docker exec -it radius-test /bin/bash
root@4ff809b932fe:/# chgrp -h freerad /etc/freeradius/mods-available/sql
root@4ff809b932fe:/# chown -R freerad:freerad /etc/freeradius/mods-enabled/sql
root@4ff809b932fe:/# vi etc/freeradius/mods-available/sql
root@4ff809b932fe:/# vi /etc/freeradius/sites-available/default
root@4ff809b932fe:/# vi /etc/freeradius/sites-available/inner-tunnel
root@4ff809b932fe:/# vi radiusd.conf
root@4ff809b932fe:/# vi /etc/freeradius/radiusd.conf
root@4ff809b932fe:/# cat etc/freeradius/mods-available/sql
dialect = "mysql"
driver = "rlm_sql_mysql"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
tls_required = no
tls_check_cert = no
tls_check_cert_cn = no
}
warnings = auto
}
postgresql {
send_application_name = yes
}
#
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
server = "10.0.8.31"
port = 3306
login = "radius"
password = "radius"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
client_table = "nas"
group_attribute = "SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
root@4ff809b932fe:/# cat /etc/freeradius/radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
max_request_time = 30
cleanup_delay = 5
hostname_lookups = no
log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
ENV {
}
security {
user = freerad
group = freerad
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
modules {
$INCLUDE mods-enabled/sql
$INCLUDE mods-enabled/
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
root@4ff809b932fe:/# apt install mariadb-client
root@4ff809b932fe:/# mysql -h 10.0.8.31 -uradius -p radius
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [radius]> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
8 rows in set (0.00 sec)
MariaDB [radius]> exit
Bye
root@4ff809b932fe:/# exit
exit
ezhangiso@ezhangiso-virtual-machine:/$ docker commit radius-test radius-mariadb
sha256:1b5a68d2c3c3aaf70be72f8dcbfda27a7cf63e7ba448f412b73bd5f0d8aef63b
ezhangiso@ezhangiso-virtual-machine:/$ docker stop radius-test
radius-test
ezhangiso@ezhangiso-virtual-machine:/$ docker run --rm --name myradius -t -p1812-1813:1812-1813/udp radius-mariadb -X
FreeRADIUS Version 3.0.25
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/mods-enabled/sql
/etc/freeradius/mods-enabled/sql[365]: Reference "${dialect}" not found
Errors reading or parsing /etc/freeradius/radiusd.conf
ezhangiso@ezhangiso-virtual-machine:/$
Can anyone shed some light on this and point me in the right direction what
else should I do?
2
1
>That doesn't make sense. The resumption tickets are sent via TLS to the
client.
>The client has chosen to not do session resumption. It probably needs to
be configured to do that.
Ok, I'll try to look my switch config to see if I found parameters to store
sessions. Can you please indicate me the lines of logs in my previous
message, in which resumption ticket is sent, thank very much.
>Read the RFCs if you're wondering how TTLS works.
I have already read it, but I just wanted to know what is the best practice.
Florent VERCOURT
2
1
Hello everyone,
I’m working to set up a FreeRADIUS server in version 3.2 that is able to
perform fast-reauthentication of users by caching sessions.
I‘m using EAP-TTLS/PAP as authentication protocol, and my users are stored
in an LDAP.
I would like to perform fast re-authentication of users once they have been
authenticated and allowed on the network as it’s explained in this radius
documentation article (link below).
<https://networkradius.com/articles/2020/12/10/design-blueprint-for-universi
ties.html>
https://networkradius.com/articles/2020/12/10/design-blueprint-for-universit
ies.html
I configured the « eap » module by enabling the cache of session, but it
seems sessions are only stored locally and, the ticket of the user sessions
is not forward to the supplicant to perform the re-authentication later on,
without having to go through all EAP-TTLS steps.
When I try to regain access to the network after being authenticated once,
all the EAP-TTLS steps are performed.
So I would like to know if I misunderstood the cache section and the way it
works in the « eap » module, or if there is a way to re-authenticate users
in a defined period of time by using the cache after they disconnect.
Also, Is it a good practice to send the total Length of the message in each
packet, or is it not recommended?
I configured « mods-enabled/eap » as follows :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = ${max_requests}
tls-config tls-common {
private_key_password = << secret >>
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
# auto_chain = yes
# psk_identity = "test"
# psk_hexphrase = "036363823"
# psk_query = "%{sql:select hex(key) from psk_keys where keyid
= '%{TLS-PSK-Identity}'}"
# dh_file = ${certdir}/dh
# random_file = /dev/urandom
# fragment_size = 2048
include_length = yes
# check_crl = yes
# check_all_crl = yes
# ca_path_reload_interval = 3600
allow_expired_crl = no
reject_unknown_intermediate_ca = yes
cipher_list = "DEFAULT"
# sigalgs_list = ""
cipher_server_preference = no
tls_min_version = "1.2"
tls_max_version = "1.3"
ecdh_curve = ""
cache {
enable = yes
lifetime = 18 # hours
name = "EAP-test"
persist_dir = "${logdir}/tlscache"
store {
Tunnel-type,
Tunnel-medium-type,
Tunnel-Private-Group-Id
}
}
verify {
# skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = " <http://127.0.0.1/ocsp/>
http://127.0.0.1/ocsp/"
# use_nonce = yes
# timeout = 0
# softfail = no
}
# realm_dir = ${certdir}/realms/
}
ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
# include_length = yes
}
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~
My server is running correctly, here the debug output:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ldap_dauphine
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/totp
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/rfc7542
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dauphine
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 4
max_requests = 87040
postauth_client_lost = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 300
reject_delay = 1.200000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p173-002 {
ipaddr = 10.100.0.50
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client edouard {
ipaddr = 10.100.0.0/24
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client micro-switch {
ipaddr = 10.100.12.139
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_ldap
# Loading module "ldap_dauphine" from file
/etc/raddb/mods-enabled/ldap_dauphine
ldap ldap_dauphine {
server = "ldap.dauphine.fr"
port = 389
identity = "uid=radius,ou=bindusers,dc=dauphine,dc=fr"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "ou=people,dc=dauphine,dc=fr"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
require_cert = "never"
}
}
Creating attribute ldap_dauphine-LDAP-Group
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/raddb/mods-enabled/totp
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 87040
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "ldap_dauphine" from file
/etc/raddb/mods-enabled/ldap_dauphine
rlm_ldap: libldap vendor: OpenLDAP, version: 20459
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap_dauphine): Initialising connection pool
pool {
start = 5
min = 4
max = 46
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dauphine): Opening additional connection (0), 1 of 46 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (1), 1 of 45 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (2), 1 of 44 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (3), 1 of 43 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (4), 1 of 42 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
allow_expired_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = yes
ecdh_curve = ""
tls_max_version = "1.3"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 18
name = "EAP-test"
max_entries = 255
persist_dir = "/var/log/radius/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = " <http://127.0.0.1/ocsp/> http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 53058
Listening on proxy address :: port 55734
Ready to process requests
(0) Received Access-Request Id 116 from 10.100.0.16:1645 to 10.101.0.20:1812
length 257
(0) User-Name = "anonymous"
(0) Service-Type = Framed-User
(0) Cisco-AVPair = "service-type=Framed"
(0) Framed-MTU = 1500
(0) Called-Station-Id = "1C-1D-86-68-F0-05"
(0) Calling-Station-Id = "10-65-30-0F-CF-AD"
(0) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(0) Message-Authenticator = 0x27170bf1dd6f1899c3a48f0953367396
(0) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(0) Cisco-AVPair = "method=dot1x"
(0) Framed-IP-Address = 10.111.0.176
(0) NAS-IP-Address = 10.100.0.16
(0) NAS-Port-Id = "GigabitEthernet0/5"
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50105
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(0) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0xfe02921efe00877b
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1014
(0) Sent Access-Challenge Id 116 from 10.101.0.20:1812 to 10.100.0.16:1645
length 64
(0) EAP-Message = 0x010200061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xfe02921efe00877b6bacf72413ed26ad
(0) Finished request
Waking up in 3.9 seconds.
(1) Received Access-Request Id 117 from 10.100.0.16:1645 to 10.101.0.20:1812
length 524
(1) User-Name = "anonymous"
(1) Service-Type = Framed-User
(1) Cisco-AVPair = "service-type=Framed"
(1) Framed-MTU = 1500
(1) Called-Station-Id = "1C-1D-86-68-F0-05"
(1) Calling-Station-Id = "10-65-30-0F-CF-AD"
(1) EAP-Message =
0x020201051580000000fb16030100f6010000f20303dc99e42d66e577ee8d0af140d8e46d9f
bd48e63536874e0c314774ec014347f8200953178c2f5495c71a18fe2ad8eec676bf5e2d7044
5c63bd3d080835a5e946df002813021301c02cc02bc030c02fc024c023c028c027c00ac009c0
14c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303
020301000d001a00180804080508060401050102010403050302030202060106030023000000
0a00080006001d00170018003300260024001d00201bb4781d453e1b91b923da8a0c73f42f6c
6247d2477723266ac7c98181928a0c0031000000170000ff01000100002d00020101
(1) Message-Authenticator = 0x54b5e0c7cd28c4feae286e5b226d376c
(1) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(1) Cisco-AVPair = "method=dot1x"
(1) Framed-IP-Address = 10.111.0.176
(1) NAS-IP-Address = 10.100.0.16
(1) NAS-Port-Id = "GigabitEthernet0/5"
(1) NAS-Port-Type = Ethernet
(1) NAS-Port = 50105
(1) State = 0xfe02921efe00877b6bacf72413ed26ad
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(1) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 261
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xfe02921efe00877b
(1) eap: Finished EAP session with state 0xfe02921efe00877b
(1) eap: Previous EAP request found for state 0xfe02921efe00877b, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 251
bytes
(1) eap_ttls: (TLS) EAP Got all data (251 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write encrypted
extensions
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify
(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write server
certificate verify
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(1) eap_ttls: (TLS) Server : Need to read more data: TLSv1.3 early data
(1) eap_ttls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 3 length 1024
(1) eap: EAP session adding &reply:State = 0xfe02921eff01877b
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 1014
(1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(1) Sent Access-Challenge Id 117 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(1) EAP-Message =
0x0103040015c000000bc9160303007a02000076030381b4a004b35335db2ff66ef5edd6ed4b
0688d9c0e4b6b25d1fa302772e2e70a7200953178c2f5495c71a18fe2ad8eec676bf5e2d7044
5c63bd3d080835a5e946df130200002e002b0002030400330024001d0020f318ac027b747f50
9768c85d7ebfbc626224cea3d101c5d59810fb7e8c7fa85f140303000101170303001785ca5e
cb5f681c5af67a7fc28a2fe530799654b00fbad617030309bb26eb9d4a9031efc383c91f348e
e4e7deccc759b1548cb9ecc402aa7cb28bf575845e8c778f9525b43b7cd39402e5dd4b927834
65dbbe6a004358cabbc564eb15bbfa5871bd052c486f5138a93aaf8e2e3e4a2c88ab777cd29c
5e15fa4a258b3f24acaba90931ab6fb035f9970bef74b4102569f5bfe7e2f458a6459abb5d35
a2251ba80f0d117c8f705b1ab369c351e7c0ee8342b9454f8f5d6dad9d2dad63734adf14c0d4
058d35368c6010c4cf9716fd1931c3ac6f3ece235eb1cd3d213ec253275e194b0d2f
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xfe02921eff01877b6bacf72413ed26ad
(1) Finished request
Waking up in 3.9 seconds.
(2) Received Access-Request Id 118 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267
(2) User-Name = "anonymous"
(2) Service-Type = Framed-User
(2) Cisco-AVPair = "service-type=Framed"
(2) Framed-MTU = 1500
(2) Called-Station-Id = "1C-1D-86-68-F0-05"
(2) Calling-Station-Id = "10-65-30-0F-CF-AD"
(2) EAP-Message = 0x020300061500
(2) Message-Authenticator = 0x3f9ce0a2d3b32ad8e5a8134f48355378
(2) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(2) Cisco-AVPair = "method=dot1x"
(2) Framed-IP-Address = 10.111.0.176
(2) NAS-IP-Address = 10.100.0.16
(2) NAS-Port-Id = "GigabitEthernet0/5"
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50105
(2) State = 0xfe02921eff01877b6bacf72413ed26ad
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 1014
(2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(2) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xfe02921eff01877b
(2) eap: Finished EAP session with state 0xfe02921eff01877b
(2) eap: Previous EAP request found for state 0xfe02921eff01877b, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 4 length 1024
(2) eap: EAP session adding &reply:State = 0xfe02921efc06877b
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 1014
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(2) Sent Access-Challenge Id 118 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(2) EAP-Message =
0x0104040015c000000bc9f1f4cf437af91b16d0f14a5c21719a9941f3395ad50388ec984a29
ce4e144f5a3dd4bc07b977eadc2f10a7b1cd069f9d114704a6f1e618c66300a6ea8b6f82b06c
ac295225ddf9017c89f15555a5ec94e9299848d0194b29c5da68d837d7b216ba43eaa97be09c
774e2db93d5fe39afa11a3e0c131dc321ca3f802cf07085c067f5867ce2550d051171e4b8264
f9175382685ebe6f1d214b5772fe68eaf70a4a12f9f383afb826cfc71e3bbf79a7f9ce255bef
3c21983d5be1f1bc693c6848ef321c673d7343a1802ee3f83ae50da149d82e4ef7f575de1fe0
352dbae96a0051973f6a7a2a0a80c6bbab36bb123f4fcc5fea36f8bec44250a219f6c7dd0735
a29e011952a29d233ec78238801850eebab6662c239241c8908b0eff03836df40d9e2bad16be
5fe7d420490f2eb891dc413275ffa816aa7fe801f914463ae8000a38c5a7b42faa849ca6e8d9
71f715ee26f6193aa3ac30366599a17df457869a3a28df4d1eadea3c73a2fab17e2d
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xfe02921efc06877b6bacf72413ed26ad
(2) Finished request
Waking up in 3.9 seconds.
(3) Received Access-Request Id 119 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267
(3) User-Name = "anonymous"
(3) Service-Type = Framed-User
(3) Cisco-AVPair = "service-type=Framed"
(3) Framed-MTU = 1500
(3) Called-Station-Id = "1C-1D-86-68-F0-05"
(3) Calling-Station-Id = "10-65-30-0F-CF-AD"
(3) EAP-Message = 0x020400061500
(3) Message-Authenticator = 0x69f837d9849e72401c77e51a5f9d3053
(3) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(3) Cisco-AVPair = "method=dot1x"
(3) Framed-IP-Address = 10.111.0.176
(3) NAS-IP-Address = 10.100.0.16
(3) NAS-Port-Id = "GigabitEthernet0/5"
(3) NAS-Port-Type = Ethernet
(3) NAS-Port = 50105
(3) State = 0xfe02921efc06877b6bacf72413ed26ad
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 1014
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(3) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xfe02921efc06877b
(3) eap: Finished EAP session with state 0xfe02921efc06877b
(3) eap: Previous EAP request found for state 0xfe02921efc06877b, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 5 length 999
(3) eap: EAP session adding &reply:State = 0xfe02921efd07877b
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 1014
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(3) Sent Access-Challenge Id 119 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1063
(3) EAP-Message =
0x010503e7158000000bc9f5b05c15f0ae9d80fb7f6549d2607f8b5803a43a84d194ee02c4ff
dc1e216fae66ecd0d89074b891785d67a9bae09ce967fecfc613537288353725672f2e209d69
42d313fc34155e5a1361cbb00085efe5b876c96ac364462384d580ebe80c95e147f3e77ba66a
df5cfb428ce85b694743e7b2b22a99ab41751031bd9aa4f45d275ab0e4f375b15b8ad7f1209b
f76ef703dbf6d78f04a56f4b2d34f6b61c8004e349338537f7c910178b25cb6addcb065b82d5
e0da810945b8605bc494ac81bb11e7f155156167dcf0d0246fbedb680253cd7e47fdf723b745
662ee142b8bf74c428944ca83349109da7b79e9bb74095ddceb897378009e96e6b591e378505
d39c60ef91f4679e04d5829aa6ea68b9fb9505703848b0c11485de27079f0a1aa72e9f7b6b94
4746d799c2415d39a4191d2e77a5b4ecab793498b835320b6b1bca58f379d94647489eb3d485
3c4eaae4be67b427adaa4b7237bf1c671e8e4159b93a049b92862af259194eba680b
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xfe02921efd07877b6bacf72413ed26ad
(3) Finished request
Waking up in 3.9 seconds.
(4) Received Access-Request Id 120 from 10.100.0.16:1645 to 10.101.0.20:1812
length 421
(4) User-Name = "anonymous"
(4) Service-Type = Framed-User
(4) Cisco-AVPair = "service-type=Framed"
(4) Framed-MTU = 1500
(4) Called-Station-Id = "1C-1D-86-68-F0-05"
(4) Calling-Station-Id = "10-65-30-0F-CF-AD"
(4) EAP-Message =
0x020500a01580000000961403030001011703030045727b7c7d139d0382232c4013124229c0
8693d0974531dbcdd3d59d210afebe1097bfc7468da2024832126365069720b2095b8049e735
9005ed64d22f9734a04ad09224a78017030300416625c5d7d0c92d892ae205010a224bd2a610
1de65acd878a2736a836174366497e0d2acbfd4a28dfd93984adcd98dc20e1b02a7f88255e01
d3b6fa21ee31b5b70e
(4) Message-Authenticator = 0x068f3eb81cbe86211779105adf4e14fe
(4) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(4) Cisco-AVPair = "method=dot1x"
(4) Framed-IP-Address = 10.111.0.176
(4) NAS-IP-Address = 10.100.0.16
(4) NAS-Port-Id = "GigabitEthernet0/5"
(4) NAS-Port-Type = Ethernet
(4) NAS-Port = 50105
(4) State = 0xfe02921efd07877b6bacf72413ed26ad
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 1014
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 160
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xfe02921efd07877b
(4) eap: Finished EAP session with state 0xfe02921efd07877b
(4) eap: Previous EAP request found for state 0xfe02921efd07877b, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) EAP Peer says that the final record size will be 150
bytes
(4) eap_ttls: (TLS) EAP Got all data (150 bytes)
(4) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(4) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(4) eap_ttls: (TLS) Handshake state - SSLv3/TLS write session ticket
(4) eap_ttls: Serialising session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2, and
storing in cache
(4) eap_ttls: WARNING: (TLS) Wrote session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2 to
/var/log/radius/tlscache/8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d
40a3f89ecafb2.asn1 (141 bytes)
(4) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write session ticket
(4) eap_ttls: (TLS) recv TLS 1.3 Handshake, NewSessionTicket
(4) eap_ttls: Session established. Proceeding to decode tunneled attributes
(4) eap_ttls: Got tunneled request
(4) eap_ttls: User-Name = "fvercourt"
(4) eap_ttls: User-Password = "xC#8z7p6DDB8?a67ctQ7"
(4) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(4) eap_ttls: Sending tunneled request
(4) Virtual server inner-tunnel received request
(4) User-Name = "<< user_name >>"
(4) User-Password = "<< secret >>"
(4) FreeRADIUS-Proxied-To = 127.0.0.1
(4) Service-Type = Framed-User
(4) Cisco-AVPair = "service-type=Framed"
(4) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(4) Cisco-AVPair = "method=dot1x"
(4) Framed-MTU = 1500
(4) Called-Station-Id = "1C-1D-86-68-F0-05"
(4) Calling-Station-Id = "10-65-30-0F-CF-AD"
(4) Framed-IP-Address = 10.111.0.176
(4) NAS-IP-Address = 10.100.0.16
(4) NAS-Port-Id = "GigabitEthernet0/5"
(4) NAS-Port-Type = Ethernet
(4) NAS-Port = 50105
(4) Event-Timestamp = "Jan 23 2023 15:48:30 CET"
(4) server inner-tunnel {
(4) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "<< user_name >>", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) update control {
(4) &Proxy-To-Realm := LOCAL
(4) } # update control = noop
(4) eap: No EAP-Message, not doing EAP
(4) [eap] = noop
(4) [files] = noop
rlm_ldap (ldap_dauphine): Reserved connection (0)
(4) ldap_dauphine: EXPAND
(|(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}@dauphine.fr))
(4) ldap_dauphine: --> (|(supannAliasLogin="<< user_name >>") (mail="<<
user_name >>") (mail=<<@dauphine.fr))
(4) ldap_dauphine: Performing search in "ou=people,dc=dauphine,dc=fr" with
filter "(|(supannAliasLogin="<< user_name >>") (mail="<< user_name >>")
(mail="<< user_name >>"@dauphine.fr))", scope "sub"
(4) ldap_dauphine: Waiting for search result...
ber_get_next failed, errno=0.
rlm_ldap (ldap_dauphine): Reconnecting (0)
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
(4) ldap_dauphine: WARNING: Search failed: Can't contact LDAP server. Got
new socket, retrying...
(4) ldap_dauphine: Waiting for search result...
(4) ldap_dauphine: User object found at DN
"uid=00061572,ou=people,dc=dauphine,dc=fr"
(4) ldap_dauphine: Processing user attributes
(4) ldap_dauphine: control:Password-With-Header += '<< Password_HASH >>’
rlm_ldap (ldap_dauphine): Released connection (0)
rlm_ldap (ldap_dauphine): Closing connection (1) - Too many unused
connections.
(4) [ldap_dauphine] = updated
(4) [expiration] = noop
(4) [logintime] = noop
(4) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(4) pap: Removing &control:Password-With-Header
(4) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes
(4) [pap] = updated
(4) } # authorize = updated
(4) Found Auth-Type = PAP
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4) Auth-Type PAP {
(4) pap: Login attempt with password
(4) pap: Comparing with "known-good" SSHA-Password
(4) pap: User authenticated successfully
(4) [pap] = ok
(4) } # Auth-Type PAP = ok
(4) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(4) post-auth {
(4) if (0) {
(4) if (0) -> FALSE
(4) } # post-auth = noop
(4) Login OK: [<< user_name >>] (from client edouard port 50105 cli
10-65-30-0F-CF-AD via TLS tunnel)
(4) } # server inner-tunnel
(4) Virtual server sending reply
(4) eap_ttls: Got tunneled Access-Accept
(4) eap_ttls: (TLS) cache - Setting up attributes for session resumption
(4) eap_ttls: caching EAP-Type = TTLS
(4) eap_ttls: Saving session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2 in the disk
cache
(4) eap: Sending EAP Success (code 3) ID 5 length 4
(4) eap: Freeing handler
(4) [eap] = ok
(4) } # authenticate = ok
(4) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(4) post-auth {
(4) update reply {
(4) Tunnel-type = VLAN
(4) Tunnel-medium-type = IEEE-802
(4) Tunnel-Private-Group-Id = 333
(4) } # update reply = noop
(4) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(4) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(4) update {
(4) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
ServerHello'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3
ChangeCipherSpec'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
EncryptedExtensions'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Certificate'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
CertificateVerify'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Finished'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
Finished'
(4) &reply::TLS-Cache-Filename += &session-state:TLS-Cache-Filename[*]
->
'/var/log/radius/tlscache/8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76
d40a3f89ecafb2.asn1'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
NewSessionTicket'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
NewSessionTicket'
(4) } # update = noop
(4) [exec] = noop
(4) policy remove_reply_message_if_eap {
(4) if (&reply:EAP-Message && &reply:Reply-Message) {
(4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4) else {
(4) [noop] = noop
(4) } # else = noop
(4) } # policy remove_reply_message_if_eap = noop
(4) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(4) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(4) } # post-auth = noop
(4) Login OK: [anonymous] (from client edouard port 50105 cli
10-65-30-0F-CF-AD)
(4) Sent Access-Accept Id 120 from 10.101.0.20:1812 to 10.100.0.16:1645
length 195
(4) MS-MPPE-Recv-Key =
0xe8f069d02ca53749e572b46431b26292c44bba7742a8dc2ee298bf2d0204bab3
(4) MS-MPPE-Send-Key =
0x3b4174e10b09e1b4bb95d18de1176dcec746aa5097fe8932cbfa6ea96149f368
(4) EAP-Message = 0x03050004
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) User-Name = "anonymous"
(4) Tunnel-Type = VLAN
(4) Tunnel-Medium-Type = IEEE-802
(4) Tunnel-Private-Group-Id = "333"
(4) Framed-MTU += 1014
(4) Finished request
Waking up in 2.0 seconds.
(5) Received Accounting-Request Id 77 from 10.100.0.16:1646 to
10.101.0.20:1813 length 229
(5) Framed-IP-Address = 10.111.0.176
(5) User-Name = "anonymous"
(5) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(5) Cisco-AVPair = "vlan-id=333"
(5) Cisco-AVPair = "method=dot1x"
(5) Called-Station-Id = "1C-1D-86-68-F0-05"
(5) Calling-Station-Id = "10-65-30-0F-CF-AD"
(5) NAS-IP-Address = 10.100.0.16
(5) NAS-Port-Id = "GigabitEthernet0/5"
(5) NAS-Port-Type = Ethernet
(5) NAS-Port = 50105
(5) Acct-Session-Id = "0000007E"
(5) Acct-Status-Type = Start
(5) Event-Timestamp = "Jan 23 2023 15:48:31 CET"
(5) Acct-Delay-Time = 0
(5) # Executing section preacct from file /etc/raddb/sites-enabled/default
(5) preacct {
(5) [preprocess] = ok
(5) policy acct_unique {
(5) update request {
(5) &Tmp-String-9 := "ai:"
(5) } # update request = noop
(5) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(5) EXPAND %{hex:&Class}
(5) -->
(5) EXPAND ^%{hex:&Tmp-String-9}
(5) --> ^61693a
(5) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(5) else {
(5) update request {
(5) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(5) --> 26336d4848cc85848291b9aff73b07c4
(5) &Acct-Unique-Session-Id := 26336d4848cc85848291b9aff73b07c4
(5) } # update request = noop
(5) } # else = noop
(5) update request {
(5) &Tmp-String-9 !* ANY
(5) } # update request = noop
(5) } # policy acct_unique = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) [files] = noop
(5) } # preacct = ok
(5) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(5) accounting {
(5) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(5) detail: --> /var/log/radius/radacct/10.100.0.16/detail-20230123
(5) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.16/detail-20230123
(5) detail: EXPAND %t
(5) detail: --> Mon Jan 23 15:48:31 2023
(5) [detail] = ok
(5) [unix] = ok
(5) [exec] = noop
(5) attr_filter.accounting_response: EXPAND %{User-Name}
(5) attr_filter.accounting_response: --> anonymous
(5) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(5) [attr_filter.accounting_response] = updated
(5) } # accounting = updated
(5) Sent Accounting-Response Id 77 from 10.101.0.20:1813 to 10.100.0.16:1646
length 20
(5) Finished request
(5) Cleaning up request packet ID 77 with timestamp +46 due to done
Waking up in 1.0 seconds.
(0) Cleaning up request packet ID 116 with timestamp +43 due to
cleanup_delay was reached
(1) Cleaning up request packet ID 117 with timestamp +43 due to
cleanup_delay was reached
(2) Cleaning up request packet ID 118 with timestamp +43 due to
cleanup_delay was reached
(3) Cleaning up request packet ID 119 with timestamp +43 due to
cleanup_delay was reached
Waking up in 1.8 seconds.
(4) Cleaning up request packet ID 120 with timestamp +45 due to
cleanup_delay was reached
Ready to process requests
(6) Received Accounting-Request Id 78 from 10.100.0.16:1646 to
10.101.0.20:1813 length 265
(6) Framed-IP-Address = 10.111.0.176
(6) User-Name = "anonymous"
(6) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(6) Cisco-AVPair = "vlan-id=333"
(6) Cisco-AVPair = "method=dot1x"
(6) Called-Station-Id = "1C-1D-86-68-F0-05"
(6) Calling-Station-Id = "10-65-30-0F-CF-AD"
(6) NAS-IP-Address = 10.100.0.16
(6) NAS-Port-Id = "GigabitEthernet0/5"
(6) NAS-Port-Type = Ethernet
(6) NAS-Port = 50105
(6) Acct-Session-Id = "0000007E"
(6) Acct-Terminate-Cause = Lost-Carrier
(6) Acct-Status-Type = Stop
(6) Event-Timestamp = "Jan 23 2023 15:51:31 CET"
(6) Acct-Session-Time = 180
(6) Acct-Input-Octets = 20194364
(6) Acct-Output-Octets = 1261011568
(6) Acct-Input-Packets = 184950
(6) Acct-Output-Packets = 899478
(6) Acct-Delay-Time = 0
(6) # Executing section preacct from file /etc/raddb/sites-enabled/default
(6) preacct {
(6) [preprocess] = ok
(6) policy acct_unique {
(6) update request {
(6) &Tmp-String-9 := "ai:"
(6) } # update request = noop
(6) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(6) EXPAND %{hex:&Class}
(6) -->
(6) EXPAND ^%{hex:&Tmp-String-9}
(6) --> ^61693a
(6) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(6) else {
(6) update request {
(6) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(6) --> 26336d4848cc85848291b9aff73b07c4
(6) &Acct-Unique-Session-Id := 26336d4848cc85848291b9aff73b07c4
(6) } # update request = noop
(6) } # else = noop
(6) update request {
(6) &Tmp-String-9 !* ANY
(6) } # update request = noop
(6) } # policy acct_unique = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) [files] = noop
(6) } # preacct = ok
(6) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(6) accounting {
(6) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(6) detail: --> /var/log/radius/radacct/10.100.0.16/detail-20230123
(6) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.16/detail-20230123
(6) detail: EXPAND %t
(6) detail: --> Mon Jan 23 15:51:31 2023
(6) [detail] = ok
(6) [unix] = ok
(6) [exec] = noop
(6) attr_filter.accounting_response: EXPAND %{User-Name}
(6) attr_filter.accounting_response: --> anonymous
(6) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(6) [attr_filter.accounting_response] = updated
(6) } # accounting = updated
(6) Sent Accounting-Response Id 78 from 10.101.0.20:1813 to 10.100.0.16:1646
length 20
(6) Finished request
(6) Cleaning up request packet ID 78 with timestamp +226 due to done
Ready to process requests
(7) Received Access-Request Id 121 from 10.100.0.16:1645 to 10.101.0.20:1812
length 257
(7) User-Name = "anonymous"
(7) Service-Type = Framed-User
(7) Cisco-AVPair = "service-type=Framed"
(7) Framed-MTU = 1500
(7) Called-Station-Id = "1C-1D-86-68-F0-05"
(7) Calling-Station-Id = "10-65-30-0F-CF-AD"
(7) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(7) Message-Authenticator = 0x95fbe1a2b99598e655d08d4d335dc5bd
(7) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(7) Cisco-AVPair = "method=dot1x"
(7) Framed-IP-Address = 10.111.0.176
(7) NAS-IP-Address = 10.100.0.16
(7) NAS-Port-Id = "GigabitEthernet0/5"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50105
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(7) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 14
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: (TLS) Initiating new session
(7) eap: Sending EAP Request (code 1) ID 2 length 6
(7) eap: EAP session adding &reply:State = 0xbb455463bb474125
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Framed-MTU = 1014
(7) Sent Access-Challenge Id 121 from 10.101.0.20:1812 to 10.100.0.16:1645
length 64
(7) EAP-Message = 0x010200061520
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xbb455463bb4741259c77a610d5caea1f
(7) Finished request
Waking up in 3.9 seconds.
(8) Received Access-Request Id 122 from 10.100.0.16:1645 to 10.101.0.20:1812
length 524
(8) User-Name = "anonymous"
(8) Service-Type = Framed-User
(8) Cisco-AVPair = "service-type=Framed"
(8) Framed-MTU = 1500
(8) Called-Station-Id = "1C-1D-86-68-F0-05"
(8) Calling-Station-Id = "10-65-30-0F-CF-AD"
(8) EAP-Message =
0x020201051580000000fb16030100f6010000f20303bc7cb74fc4e656b719b2b4aea42da3dc
ab905197e53228b91170245440171b25202eca8734fde773de82eb9ce9b5a54084c899da401f
baecdf67e065ff118c5026002813021301c02cc02bc030c02fc024c023c028c027c00ac009c0
14c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303
020301000d001a00180804080508060401050102010403050302030202060106030023000000
0a00080006001d00170018003300260024001d002045478a7ec1699508b4546bde4c1692e625
2630658b936ae3289d11ba3ce90d380031000000170000ff01000100002d00020101
(8) Message-Authenticator = 0xe1a588f3c4720ed8de29e1e948d11116
(8) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(8) Cisco-AVPair = "method=dot1x"
(8) Framed-IP-Address = 10.111.0.176
(8) NAS-IP-Address = 10.100.0.16
(8) NAS-Port-Id = "GigabitEthernet0/5"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50105
(8) State = 0xbb455463bb4741259c77a610d5caea1f
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 1014
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(8) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 261
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xbb455463bb474125
(8) eap: Finished EAP session with state 0xbb455463bb474125
(8) eap: Previous EAP request found for state 0xbb455463bb474125, released
from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: (TLS) EAP Peer says that the final record size will be 251
bytes
(8) eap_ttls: (TLS) EAP Got all data (251 bytes)
(8) eap_ttls: (TLS) Handshake state - before SSL initialization
(8) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(8) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(8) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(8) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write encrypted
extensions
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify
(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write server
certificate verify
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(8) eap_ttls: (TLS) Server : Need to read more data: TLSv1.3 early data
(8) eap_ttls: (TLS) In Handshake Phase
(8) eap: Sending EAP Request (code 1) ID 3 length 1024
(8) eap: EAP session adding &reply:State = 0xbb455463ba464125
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) Framed-MTU = 1014
(8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(8) Sent Access-Challenge Id 122 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(8) EAP-Message =
0x0103040015c000000bc9160303007a020000760303770024854f0856f5a9aa4433bd168a8c
1663b8864fab363383e1f0c48b01e4c5202eca8734fde773de82eb9ce9b5a54084c899da401f
baecdf67e065ff118c5026130200002e002b0002030400330024001d0020eb1d7c9a661dbb80
87e6e503dfec301a45369a25fa9e9629450e499e45c4c83714030300010117030300175e2aa3
5daab2e2c1e777265f7c05aaf59a9952866a99f317030309bbfd1f007754fa0dd33e6f75f2a6
5b42c25bec9b25dd1385f3a3751f06bac475df736093e7dbd5e54646bc9172c7a865d05a646b
6a0d973b82988ad50faf2223fdb02451847eef9ac19930e0928e8d3dd7573d7d7396f914d0f6
df7253e91a634fd678e75694d26b0322e162d7c496eae3cb1cee84e9af371b2b682666ef8f46
f3667c806a8b470d8e6988a41f9df82a3740a325d9d7f7c7d49a8d4eeb15c3dbe8d799dfc39f
588fdc75380c1bd5657c77c0610440293c69e81f37a27ca086579651f458ab6eb3de
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbb455463ba4641259c77a610d5caea1f
(8) Finished request
Waking up in 3.9 seconds.
(9) Received Access-Request Id 123 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267
(9) User-Name = "anonymous"
(9) Service-Type = Framed-User
(9) Cisco-AVPair = "service-type=Framed"
(9) Framed-MTU = 1500
(9) Called-Station-Id = "1C-1D-86-68-F0-05"
(9) Calling-Station-Id = "10-65-30-0F-CF-AD"
(9) EAP-Message = 0x020300061500
(9) Message-Authenticator = 0x2230b850fae1f735dff59252f552a475
(9) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(9) Cisco-AVPair = "method=dot1x"
(9) Framed-IP-Address = 10.111.0.176
(9) NAS-IP-Address = 10.100.0.16
(9) NAS-Port-Id = "GigabitEthernet0/5"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50105
(9) State = 0xbb455463ba4641259c77a610d5caea1f
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 1014
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(9) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xbb455463ba464125
(9) eap: Finished EAP session with state 0xbb455463ba464125
(9) eap: Previous EAP request found for state 0xbb455463ba464125, released
from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: (TLS) Peer ACKed our handshake fragment
(9) eap: Sending EAP Request (code 1) ID 4 length 1024
(9) eap: EAP session adding &reply:State = 0xbb455463b9414125
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9) Framed-MTU = 1014
(9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(9) Sent Access-Challenge Id 123 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(9) EAP-Message =
0x0104040015c000000bc95c6adce2df0918de28872f44b0532fc184381223951f6a6203a1f9
1e2282872f2ca960a9866f1e84e8a30448781f7ce81fc0a4f3786e6e58161ad9b35f33bd2cef
6cf972c7458b0dae8ef799b2596063c40f67d54a62f8dc0ca06649343a758b17e9e77044f57f
fd239786df3da73c6cab18965541976d7fa1653efeb62c5048bcc0de713371ed2528ebb50726
f0ed6dfb32c53a898d2f2d0d315210e4ed8dd33d3d69cbd223d95cbc5f86dddf78f1ac963f50
2f2a910e7922a444c8a58e125b4eaf95e9b3075122cfe83a0e088176d072dd9fbaec52ad93da
3e90725c2835a74c4dd5a649f180526e16c22b7890f498b7112439af08e3e0e36c1d431ff635
5c12d6426de65021aca7dffe91316af2e526b6e2da8b881f9daf49f2bc66d370d9a909b36a0c
610f8ea9a995e0380ef9fc5c2f208ea20079e2c5ef1adef8b7fc55e68ff6296572a736248a2f
ddb9c4bc3cc343f6bfb33321cae0b2fcd0c4dfdba8392eefd789782343155bb333c9
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xbb455463b94141259c77a610d5caea1f
(9) Finished request
Waking up in 3.9 seconds.
(10) Received Access-Request Id 124 from 10.100.0.16:1645 to
10.101.0.20:1812 length 267
(10) User-Name = "anonymous"
(10) Service-Type = Framed-User
(10) Cisco-AVPair = "service-type=Framed"
(10) Framed-MTU = 1500
(10) Called-Station-Id = "1C-1D-86-68-F0-05"
(10) Calling-Station-Id = "10-65-30-0F-CF-AD"
(10) EAP-Message = 0x020400061500
(10) Message-Authenticator = 0xcf01c3ce8e8c77c72ffbd3cb7f4df406
(10) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(10) Cisco-AVPair = "method=dot1x"
(10) Framed-IP-Address = 10.111.0.176
(10) NAS-IP-Address = 10.100.0.16
(10) NAS-Port-Id = "GigabitEthernet0/5"
(10) NAS-Port-Type = Ethernet
(10) NAS-Port = 50105
(10) State = 0xbb455463b94141259c77a610d5caea1f
(10) Restoring &session-state
(10) &session-state:Framed-MTU = 1014
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(10) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 4 length 6
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xbb455463b9414125
(10) eap: Finished EAP session with state 0xbb455463b9414125
(10) eap: Previous EAP request found for state 0xbb455463b9414125, released
from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) Peer ACKed our handshake fragment
(10) eap: Sending EAP Request (code 1) ID 5 length 999
(10) eap: EAP session adding &reply:State = 0xbb455463b8404125
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) session-state: Saving cached attributes
(10) Framed-MTU = 1014
(10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(10) Sent Access-Challenge Id 124 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1063
(10) EAP-Message =
0x010503e7158000000bc9d9ab09bcb961adae0a3f7517ba8cf219156a8645871001f01b9a48
1a98d7386ebede08d1235a47d1c068dee101bd2c8e568fb55e4f110b1ce27fd37b16cecc3944
274430f835717ae26145c0f6d748240d91650e9fac6ecd002cc723efda237b47b0ee041ec63a
686b92e664de819d2b9e5439f4f9de7a2cc4eda2057c7447dad43fc1aaad003b665e9a463bdd
07ca61b3edae4139d7f80977c247a45697ca33aae4c8ea6d03e021804be9eeed4cc433334fd6
25c62a5e7859f52fecc302ac83a6058bac46d982e98f1d0773a26be0cbe62271b45f50c9353d
a5d6c1fb28ee5aa127845a83030875fd6028e63194c03640150d5388df8887ca0f87b1311b02
243a67abc28794570e167eff0e4bce726ce8c373cb52a4fc9df5d65649cd1c9eba97adf15ac8
d5d27608ccab68ed4181e085f7c53c373395f6f707807f46effe7b929d31a5b696fbe78ab29e
e9de654a8c9b895a464fe35cddaba5607efbb4eae4ee6cd03f0534307ab9fbbfae14
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xbb455463b84041259c77a610d5caea1f
(10) Finished request
Waking up in 3.9 seconds.
(11) Received Access-Request Id 125 from 10.100.0.16:1645 to
10.101.0.20:1812 length 421
(11) User-Name = "anonymous"
(11) Service-Type = Framed-User
(11) Cisco-AVPair = "service-type=Framed"
(11) Framed-MTU = 1500
(11) Called-Station-Id = "1C-1D-86-68-F0-05"
(11) Calling-Station-Id = "10-65-30-0F-CF-AD"
(11) EAP-Message =
0x020500a0158000000096140303000101170303004518b03cdd7a3d877bd60d15b6c2d39bab
0896169fa3a2785f9e9c7d9ce2bdf71a87f5a05131f4e1d69945506abd38566012c910e16c52
13ad8f23f8a05a0ad3f3e8f7f93604170303004108be289a7c3651f4ccd6edf31fc1cc525c81
7e1950bf1645734a55231d01342bfb85f7c5a84cbdec624146ace4253f22f1605faba5d4ba6c
154c38ff03b80de5a2
(11) Message-Authenticator = 0xe7411a65948c81a8068f05ec25501b56
(11) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(11) Cisco-AVPair = "method=dot1x"
(11) Framed-IP-Address = 10.111.0.176
(11) NAS-IP-Address = 10.100.0.16
(11) NAS-Port-Id = "GigabitEthernet0/5"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50105
(11) State = 0xbb455463b84041259c77a610d5caea1f
(11) Restoring &session-state
(11) &session-state:Framed-MTU = 1014
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 5 length 160
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xbb455463b8404125
(11) eap: Finished EAP session with state 0xbb455463b8404125
(11) eap: Previous EAP request found for state 0xbb455463b8404125, released
from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: (TLS) EAP Peer says that the final record size will be 150
bytes
(11) eap_ttls: (TLS) EAP Got all data (150 bytes)
(11) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished
(11) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(11) eap_ttls: (TLS) Handshake state - SSLv3/TLS write session ticket
(11) eap_ttls: Serialising session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911, and
storing in cache
(11) eap_ttls: WARNING: (TLS) Wrote session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911 to
/var/log/radius/tlscache/630d327a8dd0ab555038688964549f6090d80b50941ec0460f3
0dc622db74911.asn1 (140 bytes)
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket
(11) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write session ticket
(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, NewSessionTicket
(11) eap_ttls: Session established. Proceeding to decode tunneled
attributes
(11) eap_ttls: Got tunneled request
(11) eap_ttls: User-Name = "fvercourt"
(11) eap_ttls: User-Password = "xC#8z7p6DDB8?a67ctQ7"
(11) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_ttls: Sending tunneled request
(11) Virtual server inner-tunnel received request
(11) User-Name = "<< user_name >>"
(11) User-Password = "<< secret >>"
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) Service-Type = Framed-User
(11) Cisco-AVPair = "service-type=Framed"
(11) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(11) Cisco-AVPair = "method=dot1x"
(11) Framed-MTU = 1500
(11) Called-Station-Id = "1C-1D-86-68-F0-05"
(11) Calling-Station-Id = "10-65-30-0F-CF-AD"
(11) Framed-IP-Address = 10.111.0.176
(11) NAS-IP-Address = 10.100.0.16
(11) NAS-Port-Id = "GigabitEthernet0/5"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50105
(11) Event-Timestamp = "Jan 23 2023 15:52:03 CET"
(11) server inner-tunnel {
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [chap] = noop
(11) [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "<< user_name >>", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) update control {
(11) &Proxy-To-Realm := LOCAL
(11) } # update control = noop
(11) eap: No EAP-Message, not doing EAP
(11) [eap] = noop
(11) [files] = noop
rlm_ldap (ldap_dauphine): Reserved connection (2)
(11) ldap_dauphine: EXPAND
(|(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}@dauphine.fr))
(11) ldap_dauphine: --> (|(supannAliasLogin="<< user_name >>") (mail="<<
user_name >>") (mail="<< user_name >>"@dauphine.fr))
(11) ldap_dauphine: Performing search in "ou=people,dc=dauphine,dc=fr" with
filter "(|(supannAliasLogin="<< user_name >>") (mail="<< user_name >>")
(mail="<< user_name >>"@dauphine.fr))", scope "sub"
(11) ldap_dauphine: Waiting for search result...
rlm_ldap (ldap_dauphine): Reconnecting (2)
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
(11) ldap_dauphine: WARNING: Search failed: Can't contact LDAP server. Got
new socket, retrying...
(11) ldap_dauphine: Waiting for search result...
(11) ldap_dauphine: User object found at DN
"uid=00061572,ou=people,dc=dauphine,dc=fr"
(11) ldap_dauphine: Processing user attributes
(11) ldap_dauphine: control:Password-With-Header += '<< passord_HASH >>’
rlm_ldap (ldap_dauphine): Released connection (2)
rlm_ldap (ldap_dauphine): You probably need to lower "min"
rlm_ldap (ldap_dauphine): Closing expired connection (4) - Hit idle_timeout
limit
rlm_ldap (ldap_dauphine): You probably need to lower "min"
rlm_ldap (ldap_dauphine): Closing expired connection (3) - Hit idle_timeout
limit
rlm_ldap (ldap_dauphine): You probably need to lower "min"
rlm_ldap (ldap_dauphine): Closing expired connection (0) - Hit idle_timeout
limit
(11) [ldap_dauphine] = updated
(11) [expiration] = noop
(11) [logintime] = noop
(11) pap: Converted: &control:Password-With-Header ->
&control:SSHA1-Password
(11) pap: Removing &control:Password-With-Header
(11) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes
(11) [pap] = updated
(11) } # authorize = updated
(11) Found Auth-Type = PAP
(11) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(11) Auth-Type PAP {
(11) pap: Login attempt with password
(11) pap: Comparing with "known-good" SSHA-Password
(11) pap: User authenticated successfully
(11) [pap] = ok
(11) } # Auth-Type PAP = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(11) post-auth {
(11) if (0) {
(11) if (0) -> FALSE
(11) } # post-auth = noop
(11) Login OK: ["<< user_name >>"] (from client edouard port 50105 cli
10-65-30-0F-CF-AD via TLS tunnel)
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11) eap_ttls: Got tunneled Access-Accept
(11) eap_ttls: (TLS) cache - Setting up attributes for session resumption
(11) eap_ttls: caching EAP-Type = TTLS
(11) eap_ttls: Saving session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911 in the disk
cache
(11) eap: Sending EAP Success (code 3) ID 5 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(11) post-auth {
(11) update reply {
(11) Tunnel-type = VLAN
(11) Tunnel-medium-type = IEEE-802
(11) Tunnel-Private-Group-Id = 333
(11) } # update reply = noop
(11) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(11) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(11) update {
(11) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
ServerHello'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3
ChangeCipherSpec'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
EncryptedExtensions'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Certificate'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
CertificateVerify'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Finished'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
Finished'
(11) &reply::TLS-Cache-Filename +=
&session-state:TLS-Cache-Filename[*] ->
'/var/log/radius/tlscache/630d327a8dd0ab555038688964549f6090d80b50941ec0460f
30dc622db74911.asn1'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
NewSessionTicket'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
NewSessionTicket'
(11) } # update = noop
(11) [exec] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(11) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(11) } # post-auth = noop
(11) Login OK: [anonymous] (from client edouard port 50105 cli
10-65-30-0F-CF-AD)
(11) Sent Access-Accept Id 125 from 10.101.0.20:1812 to 10.100.0.16:1645
length 195
(11) MS-MPPE-Recv-Key =
0x971459cad430f53406113b465e8c9823c41fc43a70860e1a4e13d42ebb1bb5df
(11) MS-MPPE-Send-Key =
0x689cf83adf94820be1e34f1507c3856aa88dd9f210d177af62a82344aea19fc9
(11) EAP-Message = 0x03050004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "anonymous"
(11) Tunnel-Type = VLAN
(11) Tunnel-Medium-Type = IEEE-802
(11) Tunnel-Private-Group-Id = "333"
(11) Framed-MTU += 1014
(11) Finished request
Waking up in 3.9 seconds.
(12) Received Accounting-Request Id 79 from 10.100.0.16:1646 to
10.101.0.20:1813 length 229
(12) Framed-IP-Address = 10.111.0.176
(12) User-Name = "anonymous"
(12) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(12) Cisco-AVPair = "vlan-id=333"
(12) Cisco-AVPair = "method=dot1x"
(12) Called-Station-Id = "1C-1D-86-68-F0-05"
(12) Calling-Station-Id = "10-65-30-0F-CF-AD"
(12) NAS-IP-Address = 10.100.0.16
(12) NAS-Port-Id = "GigabitEthernet0/5"
(12) NAS-Port-Type = Ethernet
(12) NAS-Port = 50105
(12) Acct-Session-Id = "0000007F"
(12) Acct-Status-Type = Start
(12) Event-Timestamp = "Jan 23 2023 15:52:04 CET"
(12) Acct-Delay-Time = 0
(12) # Executing section preacct from file /etc/raddb/sites-enabled/default
(12) preacct {
(12) [preprocess] = ok
(12) policy acct_unique {
(12) update request {
(12) &Tmp-String-9 := "ai:"
(12) } # update request = noop
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(12) EXPAND %{hex:&Class}
(12) -->
(12) EXPAND ^%{hex:&Tmp-String-9}
(12) --> ^61693a
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(12) else {
(12) update request {
(12) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(12) --> 7fa8680a9de8af271866a0b2a998c629
(12) &Acct-Unique-Session-Id := 7fa8680a9de8af271866a0b2a998c629
(12) } # update request = noop
(12) } # else = noop
(12) update request {
(12) &Tmp-String-9 !* ANY
(12) } # update request = noop
(12) } # policy acct_unique = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) [files] = noop
(12) } # preacct = ok
(12) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(12) accounting {
(12) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(12) detail: --> /var/log/radius/radacct/10.100.0.16/detail-20230123
(12) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.16/detail-20230123
(12) detail: EXPAND %t
(12) detail: --> Mon Jan 23 15:52:04 2023
(12) [detail] = ok
(12) [unix] = ok
(12) [exec] = noop
(12) attr_filter.accounting_response: EXPAND %{User-Name}
(12) attr_filter.accounting_response: --> anonymous
(12) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(12) [attr_filter.accounting_response] = updated
(12) } # accounting = updated
(12) Sent Accounting-Response Id 79 from 10.101.0.20:1813 to
10.100.0.16:1646 length 20
(12) Finished request
(12) Cleaning up request packet ID 79 with timestamp +259 due to done
Waking up in 2.8 seconds.
(7) Cleaning up request packet ID 121 with timestamp +258 due to
cleanup_delay was reached
(8) Cleaning up request packet ID 122 with timestamp +258 due to
cleanup_delay was reached
(9) Cleaning up request packet ID 123 with timestamp +258 due to
cleanup_delay was reached
(10) Cleaning up request packet ID 124 with timestamp +258 due to
cleanup_delay was reached
(11) Cleaning up request packet ID 125 with timestamp +258 due to
cleanup_delay was reached
Thank you all for your help and advice,
Florent VERCOURT
3
2
Hello Support team,
I recently download the FR packages from your CentOS 7 repository, and I noticed that the 3.0.26 server was built with OpenSSL 1.0.2k (see below). Should the server be built with OpenSSL 1.1.1 to support TLS 1.3? Please excuse my ignorance if I've asked a stupid question.
Thanks,
Chris Howley
Mon Jan 23 13:50:17 2023 : Debug: Server was built with:
Mon Jan 23 13:50:17 2023 : Debug: accounting : yes
Mon Jan 23 13:50:17 2023 : Debug: authentication : yes
Mon Jan 23 13:50:17 2023 : Debug: ascend-binary-attributes : yes
Mon Jan 23 13:50:17 2023 : Debug: coa : yes
Mon Jan 23 13:50:17 2023 : Debug: control-socket : yes
Mon Jan 23 13:50:17 2023 : Debug: detail : yes
Mon Jan 23 13:50:17 2023 : Debug: dhcp : yes
Mon Jan 23 13:50:17 2023 : Debug: dynamic-clients : yes
Mon Jan 23 13:50:17 2023 : Debug: osfc2 : no
Mon Jan 23 13:50:17 2023 : Debug: proxy : yes
Mon Jan 23 13:50:17 2023 : Debug: regex-pcre : yes
Mon Jan 23 13:50:17 2023 : Debug: regex-posix : no
Mon Jan 23 13:50:17 2023 : Debug: regex-posix-extended : no
Mon Jan 23 13:50:17 2023 : Debug: session-management : yes
Mon Jan 23 13:50:17 2023 : Debug: stats : yes
Mon Jan 23 13:50:17 2023 : Debug: systemd : yes
Mon Jan 23 13:50:17 2023 : Debug: tcp : yes
Mon Jan 23 13:50:17 2023 : Debug: threads : yes
Mon Jan 23 13:50:17 2023 : Debug: tls : yes
Mon Jan 23 13:50:17 2023 : Debug: unlang : yes
Mon Jan 23 13:50:17 2023 : Debug: vmps : yes
Mon Jan 23 13:50:17 2023 : Debug: developer : no
Mon Jan 23 13:50:17 2023 : Debug: Server core libs:
Mon Jan 23 13:50:17 2023 : Debug: freeradius-server : 3.0.26
Mon Jan 23 13:50:17 2023 : Debug: talloc : 2.1.*
Mon Jan 23 13:50:17 2023 : Debug: ssl : 1.0.2k release
Mon Jan 23 13:50:17 2023 : Debug: pcre : 8.32 2012-11-30
Mon Jan 23 13:50:17 2023 : Debug: Endianness:
Mon Jan 23 13:50:17 2023 : Debug: little
Mon Jan 23 13:50:17 2023 : Debug: Compilation flags:
Mon Jan 23 13:50:17 2023 : Debug: cppflags :
Mon Jan 23 13:50:17 2023 : Debug: cflags : -I. -Isrc -include src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h -include src/freeradius-devel/featur
es.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing -Wno-date-time -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=s
sp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
Mon Jan 23 13:50:17 2023 : Debug: ldflags : -Wl,--build-id
Mon Jan 23 13:50:17 2023 : Debug: libs : -lcrypto -lssl -ltalloc -lpcre -lnsl -lresolv -ldl -lpthread -lreadline
Mon Jan 23 13:50:17 2023 : Debug:
Mon Jan 23 13:50:17 2023 : Info: FreeRADIUS Version 3.0.26
2
1
1
0