I looked over the debug output from attempts that should have succeeded (valid username and password), vs. those that should have failed (invalid password). It seems like the result description is the following for a valid username / password: (1) Sent Access-Reject Id 10 from 192.168.1.2:1812 to 192.168.1.1:43315 length 20 and this for an invalid password: (0) Sent Access-Reject Id 9 from 192.168.1.2:1812 to 192.168.1.1:48225 length 20 That seems to imply that FreeRADIUS 3.0.17 is doing the right thing, but somehow the results for the Ubiquiti EdgeRouter VPN authentication are different. Am I reading the log correctly? I’ve posted in the Ubiquiti forums asking for help there as well, assuming that I’m reading this debug log correctly and authentication is actually succeeding: https://community.ubnt.com/t5/EdgeRouter/VPN-radius-authentication-incorrect... I did a quick web search to see if I could log the authentication response to the EdgeRouter, but didn’t find anything that was particularly clear. Did the authentication response change from 2.2.10 to 3.0.17? I could presumably rebuild and reconfigure with a 2.X version to see if that would be more compatible with the EdgeRouter. -Eric
On Dec 3, 2018, at 7:16 AM, Eric Wittle <eric@wittle.net> wrote:
And finally what success and failure look like from the router’s messages log:
Successful authentication with OS X Server’s FreeRADIUS 2.10:
Dec 3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074. Local: 33742, Remote: 28 (ref=0/0). LNS session is 'default' Dec 3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1 Dec 3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0 Dec 3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <--> Dec 3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received Dec 3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP Dec 3 12:11:43 ubnt pppd[17357]: local IP address 10.255.255.0 Dec 3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100 Dec 3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink. Dec 3 12:12:23 ubnt pppd[17357]: Modem hangup
Failed authentication with manually installed FreeRadius 3
Dec 3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849. Local: 23776, Remote: 29 (ref=0/0). LNS session is 'default' Dec 3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1 Dec 3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0 Dec 3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <--> Dec 3 12:13:06 ubnt pppd[17610]: Dec 3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication Dec 3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink. Dec 3 12:13:12 ubnt pppd[17610]: Modem hangup
-Eric
On Dec 3, 2018, at 6:48 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
-Eric
rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "eric" MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] users: Matched entry DEFAULT at line 178 ++[files] = ok [opendirectory] The host 192.168.1.1 does not have an access group. ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = MSCHAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: eric [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Successful authentication for eric ++[mschap] = ok +} # group MS-CHAP = ok Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net <http://router.wittle.net/> port 0) # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 2 to 192.168.1.1 port 60795 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96 Acct-Session-Id = "5C0514303B2A00" User-Name = "eric" Acct-Status-Type = Start Service-Type = Framed-User Framed-Protocol = PPP Acct-Authentic = RADIUS NAS-Port-Type = Async Framed-IP-Address = 192.168.6.100 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Acct-Delay-Time = 0 # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"' [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184". ++[acct_unique] = ok [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++[files] = noop +} # group preacct = ok # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1 [detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] expand: %t -> Mon Dec 3 06:32:00 2018 ++[detail] = ok ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> eric attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 3 to 192.168.1.1 port 40029 Finished request 1. Cleaning up request 1 ID 3 with timestamp +23 Going to the next request Waking up in 4.3 seconds. Cleaning up request 0 ID 2 with timestamp +22 Ready to process requests.
On Dec 3, 2018, at 6:26 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
On Dec 3, 2018, at 6:14 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log -- Start: Server rolled log on: Nov 13 2018 21:17:19 -- Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log Dec 2 2018 14:52:43 233320us Stopping server processes ... Dec 2 2018 14:52:43 234062us Closing all incoming connections ... Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10 Dec 2 2018 14:52:43 234669us Stopping Network Processes ... Dec 2 2018 14:52:43 234682us Deinitializing networking ... Dec 2 2018 14:52:43 234701us Server Processes Stopped ... Dec 2 2018 14:52:43 234718us RunAppThread Stopped Dec 2 2018 14:52:43 234747us RunAppThread Deleted Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018 . Dec 2 2018 14:52:47 755702us RunAppThread Created Dec 2 2018 14:52:47 755746us RunAppThread Started Dec 2 2018 14:52:47 755760us Initializing Server Globals ... Dec 2 2018 14:52:47 768754us Initializing Networking ... Dec 2 2018 14:52:47 768819us Initializing TCP ... Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 14:52:47 824367us Starting Central Thread ... Dec 2 2018 14:52:47 824401us Starting other server processes ... Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop Dec 2 2018 14:52:47 824451us Initializing TCP ... Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 14:52:47 825558us Finished starting other server processes ... Dec 2 2018 14:52:47 825582us -- Password Server successfully started -- Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec -- Dec 2 2018 15:03:32 701865us Stopping server processes ... Dec 2 2018 15:03:32 702676us Closing all incoming connections ... Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:03:32 703930us Stopping Network Processes ... Dec 2 2018 15:03:32 703944us Deinitializing networking ... Dec 2 2018 15:03:32 703960us Server Processes Stopped ... Dec 2 2018 15:03:32 703977us RunAppThread Stopped Dec 2 2018 15:03:32 703989us RunAppThread Deleted Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018 . Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018 . Dec 2 2018 15:03:43 644253us RunAppThread Created Dec 2 2018 15:03:43 644295us RunAppThread Started Dec 2 2018 15:03:43 644316us Initializing Server Globals ... Dec 2 2018 15:03:43 677609us Initializing Networking ... Dec 2 2018 15:03:43 677736us Initializing TCP ... Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:03:43 692877us Starting Central Thread ... Dec 2 2018 15:03:43 692895us Starting other server processes ... Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop Dec 2 2018 15:03:43 692938us Initializing TCP ... Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:03:43 694190us Finished starting other server processes ... Dec 2 2018 15:03:43 694212us -- Password Server successfully started -- Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec -- Dec 2 2018 15:05:24 289083us Stopping server processes ... Dec 2 2018 15:05:24 289128us Closing all incoming connections ... Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:05:24 290086us Stopping Network Processes ... Dec 2 2018 15:05:24 290098us Deinitializing networking ... Dec 2 2018 15:05:24 290113us Server Processes Stopped ... Dec 2 2018 15:05:24 290129us RunAppThread Stopped Dec 2 2018 15:05:24 290142us RunAppThread Deleted Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018 . Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018 . Dec 2 2018 15:07:34 103718us RunAppThread Created Dec 2 2018 15:07:34 103758us RunAppThread Started Dec 2 2018 15:07:34 103779us Initializing Server Globals ... Dec 2 2018 15:07:34 118899us Initializing Networking ... Dec 2 2018 15:07:34 118961us Initializing TCP ... Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:07:34 139134us Starting Central Thread ... Dec 2 2018 15:07:34 139141us Starting other server processes ... Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop Dec 2 2018 15:07:34 139174us Initializing TCP ... Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:07:34 140156us Finished starting other server processes ... Dec 2 2018 15:07:34 140178us -- Password Server successfully started -- Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec -- Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Pasted this time…
FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com <http://example.com/> { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>