Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
Hi,
I'm trying to get Freeradius statistics but I can see that the Queue
statistics are always 0.
I tried to add some delay between the Freeradius server and the back-end to
force the server to queue the packets and I can see in the log files that
the queue is full and can't handle more requests, but still, the statistics
show 0 queues, what could be the problem? Freeardius version 3.2.1-1
Mon Jan 23 01:36:19 2023 : Error: !!! ERROR !!! Failed inserting request
586295 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586296 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586297 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586298 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586299 into the queue
Mon Jan 23 01:36:20 2023 : Error: 1 requests have been waiting in the
processing queue for 7 seconds. Check that all databases are running
properly!
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586321 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586322 into the queue
Mon Jan 23 01:36:25 2023 : Error: Received conflicting packet from client
vMX1 port 40710 - ID: 33 due to unfinished request in module
<queue>. Giving up on old request.
[root@localhost dropwatch]# echo "Message-Authenticator =
0x00,FreeRADIUS-Statistics-Type = 19" | radclient -x localhost:18121 status
adminsecret
Sent Status-Server Id 101 from 0.0.0.0:45296 to 127.0.0.1:18121 length 50
Message-Authenticator = 0x00
FreeRADIUS-Statistics-Type = 19
Received Access-Accept Id 101 from 127.0.0.1:18121 to 127.0.0.1:45296 length
356
FreeRADIUS-Total-Access-Requests = 7
FreeRADIUS-Total-Access-Accepts = 0
FreeRADIUS-Total-Access-Rejects = 0
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Auth-Conflicts = 0
FreeRADIUS-Total-Accounting-Requests = 655923
FreeRADIUS-Total-Accounting-Responses = 583903
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Acct-Dropped-Requests = 27543
FreeRADIUS-Total-Acct-Unknown-Types = 0
FreeRADIUS-Total-Acct-Conflicts = 343
FreeRADIUS-Stats-Start-Time = "Jan 23 2023 01:16:33 EST"
FreeRADIUS-Stats-HUP-Time = "Jan 23 2023 01:16:33 EST"
FreeRADIUS-Queue-Len-Internal = 0
FreeRADIUS-Queue-Len-Proxy = 0
FreeRADIUS-Queue-Len-Auth = 0
* FreeRADIUS-Queue-Len-Acct = 0*
FreeRADIUS-Queue-Len-Detail = 0
FreeRADIUS-Queue-PPS-In = 0
FreeRADIUS-Queue-PPS-Out = 0
--
Best regards,
Ashraf Al-Basti
2
1
I was pondering rewriting my rlm_attr_filter sets as unlang policy.
If there is an elegant way in unlang to remove all attributes from a list except the ones you want, I'm having trouble finding it.
In unlang you seem to need to know the name of an attribute to do anything to it.
If there was a temporary list, one could maybe (not sure if !* ANY works on lists):
update {
&tmp: !* ANY
&tmp: += &reply:
&reply: !* ANY
}
update reply {
# add the ones you want back in from &tmp:, perhaps with alterations
}
... but so far I only have found the Tmp-* attributes, no temporary list.
Maybe this is just one of the cases where we still need rlm_attr_filter?
Or maybe someone with more unlang-foo than me knows a magic incantation?
2
1
Hi list,
I updated freeradius on an Devuan machine from 3.0.17 to 3.2.1.
Formerly I checked the client certificate in the virtual server
check-eap-tls with the following unlang construct to extract the real
User-Name from the certificate:
...
if ((&TLS-Client-Cert-Subject-Alt-Name-Email) &&
(&TLS-Client-Cert-Subject-Alt-Name-Email =~ /@/)) {
update request {
&User-Name :=
&TLS-Client-Cert-Subject-Alt-Name-Email
}
} elsif (&TLS-Client-Cert-Common-Name) {
update request {
&User-Name := &TLS-Client-Cert-Common-Name
}
} else {
reject
}
...
In the client certificate file there is also the root ca certificate,
and in the former version the second certificate was the client
certificate and the code evaluates correct without thoroughly thinking
about. Now, the attributes like TLS-Client-Cert-Serial evaluate to the
first certificate ie the root ca certificate and the above unlang code
return the false User-Name.
I want to improve the code and need some hints.
I want to iterate over eg &TLS-Client-Cert-Serial[*],
search the cert with
&TLS-Client-Cert-X509v3-Basic-Constraints[i] =~ /CA:FALSE/,
and then extract the User-Name from
&TLS-Client-Cert-Subject-Alt-Name-Email[i] or
&TLS-Client-Cert-Common-Name[i]
How can I get the correct index i from eg foreach
&TLS-Client-Cert-Serial to reference to the
&TLS-Client-Cert-Subject-Alt-Name-Email[i], for example.
A quick fix was to use [n] and choose the last certificate in the file,
but this is not clean.
--
stefan hartmann
3
3
Hi,
I have a freeradius server running v3.0.16 which is performing WPA2 Enterprise Authentication and VLAN assignment for a multi-tenant WiFi system.
The latest windows 11 update appears to have forced the use of TLS1.3 and clients will no longer authenticate without a registry change back to TLS1.2.
I don't have in-depth knowledge of Freeradius; I can install, configure and work with config files and debugs, so was just asking for a little advice on the best way for me to enable TLS1.3?
Do I need to upgrade? Will there be any configuration changes required? Obviously we still need to support lower TLS versions as well.
Internet searches have given me conflicting information, and I can't find when TLS 1.3 support started.
Thanks
Paul Bone
Network Consultant/Engineer
4
9
17 Jan '23
Hello,
I am trying to configure the above. Here is what I have done so far.
1) Cisco WLC was configured
2) freeradius 3.0 was installed on a Debian machine
a) Cisco WLC IPv4 address was added as a client to freeradius
/etc/freeradius/3.0/clients.conf
b) A few local users were added to users file
/etc/freeradius/3.0/users
3) whenever I try to use the below command on WLC
test aaa group radius joe.doe pa44w0rd new-code
I am successfully authenticated. However this is going as PAP.
4) any request from the wifi client is not going through cause it is
PEAP-MSCHAP
Currently 'freeradius -X' gives me the following
(39) Cisco-AVPair = "vlan-id=101"
(39) NAS-IP-Address = 172.16.100.10
(39) NAS-Port-Id = "capwap_90000004"
(39) NAS-Port-Type = Wireless-802.11
(39) NAS-Port = 5
(39) State = 0x8afb70f28ffc69b5cf854ba7abc363a9
(39) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(39) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(39) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(39) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(39) Airespace-Wlan-Id = 4
(39) NAS-Identifier = "WLC9120-NEFO"
(39) WLAN-Group-Cipher = 1027076
(39) WLAN-Pairwise-Cipher = 1027076
(39) WLAN-AKM-Suite = 1027075
(39) WLAN-Group-Mgmt-Cipher = 1027078
(39) session-state: No cached attributes
(39) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /(a)\./) {
(39) if (&User-Name =~ /(a)\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [preprocess] = ok
(39) [chap] = noop
(39) [mschap] = noop
(39) [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 51
(39) eap: Continuing tunnel setup
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) authenticate {
(39) eap: Expiring EAP session with state 0x8afb70f28ffc69b5
(39) eap: Finished EAP session with state 0x8afb70f28ffc69b5
(39) eap: Previous EAP request found for state 0x8afb70f28ffc69b5, released
from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: [eaptls verify] = ok
(39) eap_peap: Done initial handshake
(39) eap_peap: [eaptls process] = ok
(39) eap_peap: Session established. Decoding tunneled attributes
(39) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(39) eap_peap: Identity - joe.doe
(39) eap_peap: Got inner identity 'joe.doe'
(39) eap_peap: Setting default EAP type for tunneled EAP session
(39) eap_peap: Got tunneled request
(39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) eap_peap: Setting User-Name to joe.doe
(39) eap_peap: Sending tunneled request to inner-tunnel
(39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(39) eap_peap: User-Name = "joe.doe"
(39) Virtual server inner-tunnel received request
(39) EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) FreeRADIUS-Proxied-To = 127.0.0.1
(39) User-Name = "joe.doe"
(39) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(39) server inner-tunnel {
(39) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /(a)\./) {
(39) if (&User-Name =~ /(a)\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [chap] = noop
(39) [mschap] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) update control {
(39) &Proxy-To-Realm := LOCAL
(39) } # update control = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 20
(39) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(39) authenticate {
(39) eap: Peer sent packet with method EAP Identity (1)
(39) eap: Calling submodule eap_mschapv2 to process data
(39) eap_mschapv2: Issuing Challenge
(39) eap: Sending EAP Request (code 1) ID 8 length 43
(39) eap: EAP session adding &reply:State = 0xa779f0bba771eab5
(39) [eap] = handled
(39) } # authenticate = handled
(39) } # server inner-tunnel
(39) Virtual server sending reply
(39) EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled reply code 11
(39) eap_peap: EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled reply RADIUS code 11
(39) eap_peap: EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled Access-Challenge
(39) eap: Sending EAP Request (code 1) ID 8 length 74
(39) eap: EAP session adding &reply:State = 0x8afb70f28cf369b5
(39) [eap] = handled
(39) } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) Challenge { ... } # empty sub-section is ignored
(39) Sent Access-Challenge Id 249 from 10.222.34.11:1812 to
172.16.100.10:65092 length 0
(39) EAP-Message =
0x0108004a1900170303003fcc5b8334628ab37aa89b123da75ca7c75fd530ecc021320acc07bdc59b19d161f36ee6151578b5fa7487e0d86eb2dee898bde53e74baca61f9c67ccd045dc0
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0x8afb70f28cf369b5cf854ba7abc363a9
(39) Finished request
Waking up in 4.9 seconds.
(38) Cleaning up request packet ID 248 with timestamp +985
(40) Received Access-Request Id 248 from 172.16.100.10:65092 to
10.222.34.11:1812 length 538
(40) User-Name = "joe.doe"
(40) Service-Type = Framed-User
(40) Cisco-AVPair = "service-type=Framed"
(40) Framed-MTU = 1485
(40) EAP-Message =
0x020800691900170303005e89bf7fdf3bb86e3e467aef6b8988848fce28ba903c8c18014db6390e35aea1dfefd7abf64b8bc29c5f574a83dc3a850169b6de84430922b3617bbd5bef2f8ab879603c7c43c1940ed4e61b724f2bfde0d24c7f7c8fc3eb9c05f74ce8cccd
(40) Message-Authenticator = 0x928deedf5800d89e75d47b6c4ff5f004
(40) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43"
(40) Cisco-AVPair = "method=dot1x"
(40) Cisco-AVPair = "client-iif-id=2852134698"
(40) Cisco-AVPair = "vlan-id=101"
(40) NAS-IP-Address = 172.16.100.10
(40) NAS-Port-Id = "capwap_90000004"
(40) NAS-Port-Type = Wireless-802.11
(40) NAS-Port = 5
(40) State = 0x8afb70f28cf369b5cf854ba7abc363a9
(40) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(40) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(40) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(40) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(40) Airespace-Wlan-Id = 4
(40) NAS-Identifier = "WLC9120-NEFO"
(40) WLAN-Group-Cipher = 1027076
(40) WLAN-Pairwise-Cipher = 1027076
(40) WLAN-AKM-Suite = 1027075
(40) WLAN-Group-Mgmt-Cipher = 1027078
(40) session-state: No cached attributes
(40) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /(a)\./) {
(40) if (&User-Name =~ /(a)\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [preprocess] = ok
(40) [chap] = noop
(40) [mschap] = noop
(40) [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 105
(40) eap: Continuing tunnel setup
(40) [eap] = ok
(40) } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) authenticate {
(40) eap: Expiring EAP session with state 0xa779f0bba771eab5
(40) eap: Finished EAP session with state 0x8afb70f28cf369b5
(40) eap: Previous EAP request found for state 0x8afb70f28cf369b5, released
from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: [eaptls verify] = ok
(40) eap_peap: Done initial handshake
(40) eap_peap: [eaptls process] = ok
(40) eap_peap: Session established. Decoding tunneled attributes
(40) eap_peap: PEAP state phase2
(40) eap_peap: EAP method MSCHAPv2 (26)
(40) eap_peap: Got tunneled request
(40) eap_peap: EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) eap_peap: Setting User-Name to joe.doe
(40) eap_peap: Sending tunneled request to inner-tunnel
(40) eap_peap: EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(40) eap_peap: User-Name = "joe.doe"
(40) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(40) Virtual server inner-tunnel received request
(40) EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) FreeRADIUS-Proxied-To = 127.0.0.1
(40) User-Name = "joe.doe"
(40) State = 0xa779f0bba771eab5fa1472a70f642a70
(40) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(40) server inner-tunnel {
(40) session-state: No cached attributes
(40) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /(a)\./) {
(40) if (&User-Name =~ /(a)\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [chap] = noop
(40) [mschap] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) update control {
(40) &Proxy-To-Realm := LOCAL
(40) } # update control = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 74
(40) eap: No EAP Start, assuming it's an on-going EAP conversation
(40) [eap] = updated
(40) files: users: Matched entry joe.doe at line 91
(40) [files] = ok
rlm_ldap (ldap): Reserved connection (17)
(40) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(40) ldap: --> (uid=joe.doe)
(40) ldap: Performing search in "dc=netformers,dc=local" with filter
"(uid=joe.doe)", scope "sub"
(40) ldap: Waiting for search result...
(40) ldap: User object found at DN "uid=joe.doe,dc=netformers,dc=local"
(40) ldap: Processing user attributes
rlm_ldap (ldap): Released connection (17)
(40) [ldap] = ok
(40) [expiration] = noop
(40) [logintime] = noop
(40) pap: WARNING: Auth-Type already set. Not setting to PAP
(40) [pap] = noop
(40) } # authorize = updated
(40) Found Auth-Type = eap
(40) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) authenticate {
(40) eap: Expiring EAP session with state 0xa779f0bba771eab5
(40) eap: Finished EAP session with state 0xa779f0bba771eab5
(40) eap: Previous EAP request found for state 0xa779f0bba771eab5, released
from the list
(40) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(40) eap: Calling submodule eap_mschapv2 to process data
(40) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) eap_mschapv2: authenticate {
(40) mschap: Found Cleartext-Password, hashing to create NT-Password
(40) mschap: Found Cleartext-Password, hashing to create LM-Password
(40) mschap: Creating challenge hash with username: joe.doe
(40) mschap: Client is using MS-CHAPv2
(40) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(40) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(40) mschap: --> --username=joe.doe
(40) mschap: Creating challenge hash with username: joe.doe
(40) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(40) mschap: --> --challenge=ab5d475d8e18b55f
(40) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(40) mschap: -->
--nt-response=e4fff9f3543da30667451659b4a7598166306e0f8b66215c
(40) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(40) mschap: External script failed
(40) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(40) mschap: ERROR: MS-CHAP2-Response is incorrect
(40) [mschap] = reject
(40) } # authenticate = reject
(40) eap: Sending EAP Failure (code 4) ID 8 length 4
(40) eap: Freeing handler
(40) [eap] = reject
(40) } # authenticate = reject
(40) Failed to authenticate the user
(40) Using Post-Auth-Type Reject
(40) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) Post-Auth-Type REJECT {
(40) attr_filter.access_reject: EXPAND %{User-Name}
(40) attr_filter.access_reject: --> joe.doe
(40) attr_filter.access_reject: Matched entry DEFAULT at line 11
(40) [attr_filter.access_reject] = updated
(40) update outer.session-state {
(40) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: Program returned code (1) and output \'The attempted logon is
invalid. This is either due to a bad username or authentication
information. (0xc000006d)\''
(40) } # update outer.session-state = noop
(40) } # Post-Auth-Type REJECT = updated
(40) } # server inner-tunnel
(40) Virtual server sending reply
(40) MS-CHAP-Error = "\010E=691 R=1 C=1985ba6f4d3735081b98c08700af1b01
V=3 M=Authentication rejected"
(40) EAP-Message = 0x04080004
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Got tunneled reply code 3
(40) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected"
(40) eap_peap: EAP-Message = 0x04080004
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Got tunneled reply RADIUS code 3
(40) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected"
(40) eap_peap: EAP-Message = 0x04080004
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Tunneled authentication was rejected
(40) eap_peap: FAILURE
(40) eap: Sending EAP Request (code 1) ID 9 length 46
(40) eap: EAP session adding &reply:State = 0x8afb70f28df269b5
(40) [eap] = handled
(40) } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) Challenge { ... } # empty sub-section is ignored
(40) session-state: Saving cached attributes
(40) Module-Failure-Message := "mschap: Program returned code (1) and
output 'The attempted logon is invalid. This is either due to a bad
username or authentication information. (0xc000006d)'"
(40) Sent Access-Challenge Id 248 from 10.222.34.11:1812 to
172.16.100.10:65092 length 0
(40) EAP-Message =
0x0109002e19001703030023cc5b8334628ab37bb472f1e4b99ece77d59027ce510b3ac1d5025c03cc60b794d73259
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) State = 0x8afb70f28df269b5cf854ba7abc363a9
(40) Finished request
Waking up in 4.9 seconds.
(39) Cleaning up request packet ID 249 with timestamp +985
(41) Received Access-Request Id 249 from 172.16.100.10:65092 to
10.222.34.11:1812 length 479
(41) User-Name = "joe.doe"
(41) Service-Type = Framed-User
(41) Cisco-AVPair = "service-type=Framed"
(41) Framed-MTU = 1485
(41) EAP-Message =
0x0209002e1900170303002389bf7fdf3bb86e3fb7a4f82750437b28a44f01b7420ad299cf3bc0490d9e73ab33590b
(41) Message-Authenticator = 0xa8d0b6155902a4394dfc46e21888f099
(41) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43"
(41) Cisco-AVPair = "method=dot1x"
(41) Cisco-AVPair = "client-iif-id=2852134698"
(41) Cisco-AVPair = "vlan-id=101"
(41) NAS-IP-Address = 172.16.100.10
(41) NAS-Port-Id = "capwap_90000004"
(41) NAS-Port-Type = Wireless-802.11
(41) NAS-Port = 5
(41) State = 0x8afb70f28df269b5cf854ba7abc363a9
(41) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(41) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(41) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(41) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(41) Airespace-Wlan-Id = 4
(41) NAS-Identifier = "WLC9120-NEFO"
(41) WLAN-Group-Cipher = 1027076
(41) WLAN-Pairwise-Cipher = 1027076
(41) WLAN-AKM-Suite = 1027075
(41) WLAN-Group-Mgmt-Cipher = 1027078
(41) Restoring &session-state
(41) &session-state:Module-Failure-Message := "mschap: Program returned
code (1) and output 'The attempted logon is invalid. This is either due to
a bad username or authentication information. (0xc000006d)'"
(41) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /(a)\./) {
(41) if (&User-Name =~ /(a)\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [preprocess] = ok
(41) [chap] = noop
(41) [mschap] = noop
(41) [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 9 length 46
(41) eap: Continuing tunnel setup
(41) [eap] = ok
(41) } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) authenticate {
(41) eap: Expiring EAP session with state 0x8afb70f28df269b5
(41) eap: Finished EAP session with state 0x8afb70f28df269b5
(41) eap: Previous EAP request found for state 0x8afb70f28df269b5, released
from the list
(41) eap: Peer sent packet with method EAP PEAP (25)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Continuing EAP-TLS
(41) eap_peap: [eaptls verify] = ok
(41) eap_peap: Done initial handshake
(41) eap_peap: [eaptls process] = ok
(41) eap_peap: Session established. Decoding tunneled attributes
(41) eap_peap: PEAP state send tlv failure
(41) eap_peap: Received EAP-TLV response
(41) eap_peap: ERROR: The users session was previously rejected:
returning reject (again.)
(41) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(41) eap_peap: to find out the reason why the user was rejected
(41) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(41) eap_peap: what went wrong, and how to fix the problem
(41) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(41) eap: Sending EAP Failure (code 4) ID 9 length 4
(41) eap: Failed in EAP select
(41) [eap] = invalid
(41) } # authenticate = invalid
(41) Failed to authenticate the user
(41) Using Post-Auth-Type Reject
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) Post-Auth-Type REJECT {
(41) attr_filter.access_reject: EXPAND %{User-Name}
(41) attr_filter.access_reject: --> joe.doe
(41) attr_filter.access_reject: Matched entry DEFAULT at line 11
(41) [attr_filter.access_reject] = updated
(41) [eap] = noop
(41) policy remove_reply_message_if_eap {
(41) if (&reply:EAP-Message && &reply:Reply-Message) {
(41) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(41) else {
(41) [noop] = noop
(41) } # else = noop
(41) } # policy remove_reply_message_if_eap = noop
(41) } # Post-Auth-Type REJECT = updated
(41) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(41) Sending delayed response
(41) Sent Access-Reject Id 249 from 10.222.34.11:1812 to 172.16.100.10:65092
length 44
(41) EAP-Message = 0x04090004
(41) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Can anyone shed some light on this and point me in the right direction what
else should I do?
All the examples I am able to find on the internet are using AD/samba as
database for freeradius which is not the case here.
2
2
AD-integration working well - questions about risk/exposure and related mechanisms
by Dag B 16 Jan '23
by Dag B 16 Jan '23
16 Jan '23
So, after some fiddling, I can now authenticate users of our network
gear (network admins) with AD, via freeradius. Thank you to any and all
who have made that possible. It is truly appreciated.
Arriving here, I just wanted to ask if there is any document discussing
any additional risk or exposure for the AD-accounts by doing this.
Note: I am not trying to imply there is one, nor am I trying to sell
five feathers as whole chicken in a bag or however that analogy goes. I
am merely acknowledging my relative ignorance w.r.t. how AD and RADIUS
works and what security mechanisms it has in place for preventing abuse.
From the top of my head:
- Can someone use freeradius for unlimited tries at guessing an AD password?
- If the radius secret becomes known to a bad actor, could they set up a
'farm' of radius clients in the defined client address spaces to bypass
rate limits?
- And likewise, could they instrument their radius client to reveal more
information than we intend to?
- Is there a better way to define clients than defining static hosts or
networks in clients.conf? (We have an IPAM with an API. Could we employ
this to only permit radius requests from known (expected) radius clients?)
And I am certain there are more questions I should be asking. Conscious
Incompetence and all that jazz....
Thanks,
Dag B
2
1
Greetings FR-users,
I am attempting to fold the functionality of a 2.0 FR system into an
existing 3.0 system.
I've configured the 2.0 system to proxy to the 3.0 system and this works -
call this scenario A:
UPS (client)
|
v
FR 2.0
|
v
FR 3.0
works!!
However if I attempt to auth directly from the UPS to the 3.0 system, it
does not work - call this scenario B:
UPS (client)
|
v
FR 3.0
no works. :(
Here are the debug logs for scenario A (working):
2.0 system:
rad_recv: Access-Request packet from host 100.73.8.85 port 44482, id=41,
length=113
User-Name = "foo"
User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
NAS-IP-Address = 100.73.8.85
NAS-Identifier = "apcE89163.d.umn.edu"
NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "foo", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "foo"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user foo to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 230 to 10.212.109.12 port 1812
User-Name = "foo"
User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
NAS-IP-Address = 100.73.8.85
NAS-Identifier = "apcE89163.d.umn.edu"
NAS-Port = 0
Proxy-State = 0x3431
Proxying request 0 to home server 10.212.109.12 port 1812
Sending Access-Request of id 230 to 10.212.109.12 port 1812
User-Name = "foo"
User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
NAS-IP-Address = 100.73.8.85
NAS-Identifier = "apcE89163.d.umn.edu"
NAS-Port = 0
Proxy-State = 0x3431
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.212.109.12 port 1812, id=230,
length=30
Proxy-State = 0x3431
Service-Type = Administrative-User
# Executing section post-proxy from file
/etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [foo] (from client apc-UPS-network-1 port 0)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 41 to 100.73.8.85 port 44482
Service-Type = Administrative-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 41 with timestamp +10
3.0 system:
(0) Received Access-Request Id 230 from 10.212.109.94:1814 to
10.212.109.12:1812 length 117
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) Proxy-State = 0x3431
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "foo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) if ("%{client:group}" == 'two-factor-authentication-group') {
(0) EXPAND %{client:group}
(0) --> default-authentication-group
(0) if ("%{client:group}" == 'two-factor-authentication-group') ->
FALSE
(0) else {
(0) update control {
(0) Proxy-To-Realm := 'default-authentication-realm'
(0) } # update control = noop
(0) } # else = noop
(0) } # authorize = ok
(0) Starting proxy to home server 10.84.192.196 port 1812
(0) server default {
(0) }
(0) Proxying request to home server 10.84.192.196 port 1812 timeout
60.000000
(0) Sent Access-Request Id 13 from 0.0.0.0:42276 to 10.84.192.196:1812
length 146
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) Proxy-State = 0x3431
(0) Event-Timestamp = "Jan 12 2023 16:33:29 CST"
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x323330
Waking up in 0.3 seconds.
(0) Marking home server 10.84.192.196 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 13 from 10.84.192.196:1812 to
10.212.109.12:42276 length 29
(0) Proxy-State = 0x3431
(0) Proxy-State = 0x323330
(0) server default {
(0) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) update reply {
(0) Service-Type = Administrative-User
(0) } # update reply = noop
(0) } # post-auth = noop
(0) Login OK: [foo] (from client radius-netgear.d.umn.edu_10.212.109.94
port 0)
(0) Sent Access-Accept Id 230 from 10.212.109.12:1812 to 10.212.109.94:1814
length 0
(0) Proxy-State = 0x3431
(0) Service-Type = Administrative-User
(0) Finished request
and the scenario B (not working) debug:
(0) Received Access-Request Id 45 from 100.73.8.85:55435 to
10.212.109.12:1812 length 113
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "foo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) if ("%{client:group}" == 'two-factor-authentication-group') {
(0) EXPAND %{client:group}
(0) -->
(0) if ("%{client:group}" == 'two-factor-authentication-group') ->
FALSE
(0) else {
(0) update control {
(0) Proxy-To-Realm := 'default-authentication-realm'
(0) } # update control = noop
(0) } # else = noop
(0) } # authorize = ok
(0) Starting proxy to home server 10.84.192.196 port 1812
(0) server default {
(0) }
(0) Proxying request to home server 10.84.192.196 port 1812 timeout
60.000000
(0) Sent Access-Request Id 206 from 0.0.0.0:57643 to 10.84.192.196:1812
length 141
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) Event-Timestamp = "Jan 12 2023 16:36:29 CST"
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x3435
Waking up in 0.3 seconds.
(0) Marking home server 10.84.192.196 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 206 from 10.84.192.196:1812 to
10.212.109.12:57643 length 24
(0) Proxy-State = 0x3435
(0) server default {
(0) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) update reply {
(0) Service-Type = Administrative-User
(0) } # update reply = noop
(0) } # post-auth = noop
(0) Login OK: [foo] (from client 100.73.8.0/23_100.73.8.0/23 port 0)
(0) Sent Access-Accept Id 45 from 10.212.109.12:1812 to 100.73.8.85:55435
length 0
(0) Service-Type = Administrative-User
(0) Finished request
Both scenarios send Access-Accept and the Service-Type back to the client.
I'm not sure if there is more to look at between the 2.0 and 3.0 systems.
It is difficult to do any debugging on the UPS, so I was hoping to figure
out the issue on the FR systems.
I've performed a diff of the scenario A and B 3.0 debug outputs and I don't
see anything significant in the difference.
I have removed the Service-Type from the configurations and I still get a
success authentication, I am just entered into a non-administrative role on
the UPS.
Does anyone have any ideas for further debugging?
Thanks for any pointers or help!
-m
3
5
I have setup my Unifi network to connect to a Raspberry Pi 2 hosting
FreeRadius 3.2.0 with MAC authentication. That all seems to work now,
however I've run into an issue where it seems the FreeRadius service
needs to be restarted fairly frequently, at least multiple times a
day. From what I can tell, the Pi is fine and there's plenty of
storage and resources. Restarting the service allows anything that was
having issues to connect, such as if it's been disconnected for a bit
(e.g., my phone when I go out and come back) but even devices that
don't leave the house and stay on sometimes lose connection until a
service restart. I know I could probably setup a cron job that
restarts the service every 30 minutes or so, but I wanted to check if
people had ideas on how to fix it. Here's my freeradius -X output with
one example of a device connecting successfully.
FreeRADIUS Version 3.2.0
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/filter
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi {
ipaddr = 24.34.239.95
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dmwan"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi {
ipaddr = 192.168.1.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dmlan"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi_1_ap {
ipaddr = 192.168.1.46
require_message_authenticator = no
secret = <<< secret >>>
shortname = "1ap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi_2_ap {
ipaddr = 192.168.1.230
require_message_authenticator = no
secret = <<< secret >>>
shortname = "2ap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
instantiate {
}
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56081
Listening on proxy address :: port 34301
Ready to process requests
(0) Received Access-Request Id 71 from 192.168.1.1:47441 to
192.168.1.25:1812 length 187
(0) User-Name = "58:24:29:57:e1:f1"
(0) User-Password = "58:24:29:57:e1:f1"
(0) NAS-IP-Address = 192.168.1.1
(0) NAS-Identifier = "68d79a41138e"
(0) Called-Station-Id = "68-D7-9A-41-13-8E:Chomper"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "58-24-29-57-E1-F1"
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Message-Authenticator = 0x4fedc4ffc0daa97f3ae1029e31881b94
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) update request {
(0) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 58-24-29-57-e1-f1
(0) &Calling-Station-Id := 58-24-29-57-e1-f1
(0) } # update request = noop
(0) [updated] = updated
(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy rewrite_calling_station_id = updated
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "58:24:29:57:e1:f1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry 58:24:29:57:e1:f1 at line 68
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(0) } # post-auth = noop
(0) Sent Access-Accept Id 71 from 192.168.1.25:1812 to
192.168.1.1:47441 length 35
(0) Tunnel-Type = VLAN
(0) Tunnel-Medium-Type = IEEE-802
(0) Tunnel-Private-Group-Id = "1"
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Accounting-Request Id 72 from 192.168.1.1:58228 to
192.168.1.25:1813 length 206
(1) Acct-Status-Type = Start
(1) Acct-Authentic = Local
(1) User-Name = "58:24:29:57:e1:f1"
(1) NAS-IP-Address = 192.168.1.1
(1) Framed-IP-Address = 192.168.1.209
(1) NAS-Identifier = "68d79a41138e"
(1) Called-Station-Id = "68-D7-9A-41-13-8E:Chomper"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "58-24-29-57-E1-F1"
(1) Connect-Info = "CONNECT 0Mbps 802.11a"
(1) Acct-Session-Id = "5DFBEAF391253B0C"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027074
(1) Event-Timestamp = "Jan 12 2023 14:36:24 EST"
(1) Acct-Delay-Time = 0
(1) # Executing section preacct from file
/etc/freeradius/3.0/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) update request {
(1) &Tmp-String-9 := "ai:"
(1) } # update request = noop
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1) EXPAND %{hex:&Class}
(1) -->
(1) EXPAND ^%{hex:&Tmp-String-9}
(1) --> ^61693a
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(1) else {
(1) update request {
(1) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 8ad2d8c86863f64eeaaea4c131b46e1f
(1) &Acct-Unique-Session-Id := 8ad2d8c86863f64eeaaea4c131b46e1f
(1) } # update request = noop
(1) } # else = noop
(1) update request {
(1) &Tmp-String-9 !* ANY
(1) } # update request = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "58:24:29:57:e1:f1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file
/etc/freeradius/3.0/sites-enabled/default
(1) accounting {
(1) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /var/log/freeradius/radacct/192.168.1.1/detail-20230112
(1) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.1.1/detail-20230112
(1) detail: EXPAND %t
(1) detail: --> Thu Jan 12 14:36:24 2023
(1) [detail] = ok
(1) [unix] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> 58:24:29:57:e1:f1
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 72 from 192.168.1.25:1813 to
192.168.1.1:58228 length 20
(1) Finished request
(1) Cleaning up request packet ID 72 with timestamp +8 due to done
2
2
Freeradius keep statistics (number of request/reply/acct and etc) for each
NAS. But is it possible to separate stats for some subscribers from same
NAS by assign them another client-ip-address ?
I tried to update Client-IP-Address attribute, but this does not help.
1
0
Hi Marco,
Thank you for your response. From your response I understand, even if my AD Domain is running on MS (Microsoft), I can join the RHEL to AD domain using 'winbind daemon', which I did.
After joining the RHEL 8 Server to domain, 'winbind' is still not working, it's giving the below error.
[root(a)localhost.domain.com]# wbinfo -a FreeRADIUSdev2
Enter FreeRADIUSdev2's password:
plaintext password authentication failed
Could not authenticate user FreeRADIUSdev2 with plaintext password
Enter FreeRADIUSdev2's password:
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind separator!
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind netbios name!
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Failed to get domain from winbindd
Could not authenticate user FreeRADIUSdev2 with challenge/response
Regards
Raman Singh
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: FreeRadius Integration with Microsoft Active Directory
(Marco Gaiarin)
----------------------------------------------------------------------
Message: 1
Date: Sun, 8 Jan 2023 18:09:08 +0100
From: Marco Gaiarin <gaio(a)lilliput.linux.it>
To: "Singh, Ramanpreet via Freeradius-Users"
<freeradius-users(a)lists.freeradius.org>
Cc: freeradius-users(a)lists.freeradius.org
Subject: Re: FreeRadius Integration with Microsoft Active Directory
Message-ID: <iu9r8j-qi55.ln1(a)hermione.lilliput.linux.it>
Mandi! Singh, Ramanpreet via Freeradius-Users
In chel di` si favelave...
> I read above links where it has been mentioned to used samba for AD integration, however this requires SAMBA AD-DC, which we don't have in our enviornment.
No, you need an AD domain (samba or MS, it is the same) and a linux box with a winbind daemon running: both the domain member and domain controller configuration work, but it suffices you install winbind, configure samba
(smb.conf) as domain member and join the domain.
--
There are only 10 kinds of people in the world --
Those who understand binary, and those who don't. (Roberto Maglica)
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 213, Issue 5
************************************************
------------------------------------------------------------------------------
External Email: Please use caution when opening links and attachments / Courriel externe: Soyez prudent avec les liens et documents joints
2
1