Thanks to Alan’s guide “Configuring Authentication with Active Directory", users are successfully authenticating their network device logons (Cisco/Juniper) via AD. • What: I would like password expiration prompts be made available on the network devices • Why: To use the burden of changing expired passwords • what you expect the server to do: pass the error code 648 ERROR_PASSWD_EXPIRED to the NAS, and by some magic I don't understand prompt the user to change their password • what the server does instead (i.e. debug output): debug below; NAS does not prompt for password change, but instead repeats password: prompt. Thanks -Art- 1 FreeRADIUS Version 3.0.13 2 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors 3 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 4 PARTICULAR PURPOSE 5 You may redistribute copies of FreeRADIUS under the terms of the 6 GNU General Public License 7 For more information about these matters, see the file named COPYRIGHT 8 Starting - reading configuration files ... 9 including dictionary file /usr/share/freeradius/dictionary 10 including dictionary file /usr/share/freeradius/dictionary.dhcp 11 including dictionary file /usr/share/freeradius/dictionary.vqp 12 including dictionary file /etc/raddb/dictionary 13 including configuration file /etc/raddb/radiusd.conf 14 including configuration file /etc/raddb/proxy.conf 15 including configuration file /etc/raddb/clients.conf 16 including files in directory /etc/raddb/mods-enabled/ 17 including configuration file /etc/raddb/mods-enabled/always 18 including configuration file /etc/raddb/mods-enabled/attr_filter 19 including configuration file /etc/raddb/mods-enabled/cache_eap 20 including configuration file /etc/raddb/mods-enabled/chap 21 including configuration file /etc/raddb/mods-enabled/date 22 including configuration file /etc/raddb/mods-enabled/detail 23 including configuration file /etc/raddb/mods-enabled/detail.log 24 including configuration file /etc/raddb/mods-enabled/dhcp 25 including configuration file /etc/raddb/mods-enabled/digest 26 including configuration file /etc/raddb/mods-enabled/dynamic_clients 27 including configuration file /etc/raddb/mods-enabled/eap 28 including configuration file /etc/raddb/mods-enabled/echo 29 including configuration file /etc/raddb/mods-enabled/exec 30 including configuration file /etc/raddb/mods-enabled/expiration 31 including configuration file /etc/raddb/mods-enabled/expr 32 including configuration file /etc/raddb/mods-enabled/files 33 including configuration file /etc/raddb/mods-enabled/linelog 34 including configuration file /etc/raddb/mods-enabled/logintime 35 including configuration file /etc/raddb/mods-enabled/mschap 36 including configuration file /etc/raddb/mods-enabled/ntlm_auth 37 including configuration file /etc/raddb/mods-enabled/pap 38 including configuration file /etc/raddb/mods-enabled/passwd 39 including configuration file /etc/raddb/mods-enabled/preprocess 40 including configuration file /etc/raddb/mods-enabled/radutmp 41 including configuration file /etc/raddb/mods-enabled/realm 42 including configuration file /etc/raddb/mods-enabled/replicate 43 including configuration file /etc/raddb/mods-enabled/soh 44 including configuration file /etc/raddb/mods-enabled/sradutmp 45 including configuration file /etc/raddb/mods-enabled/unix 46 including configuration file /etc/raddb/mods-enabled/unpack 47 including configuration file /etc/raddb/mods-enabled/utf8 48 including files in directory /etc/raddb/policy.d/ 49 including configuration file /etc/raddb/policy.d/accounting 50 including configuration file /etc/raddb/policy.d/canonicalization 51 including configuration file /etc/raddb/policy.d/control 52 including configuration file /etc/raddb/policy.d/cui 53 including configuration file /etc/raddb/policy.d/debug 54 including configuration file /etc/raddb/policy.d/dhcp 55 including configuration file /etc/raddb/policy.d/eap 56 including configuration file /etc/raddb/policy.d/filter 57 including configuration file /etc/raddb/policy.d/operator-name 58 including files in directory /etc/raddb/sites-enabled/ 59 including configuration file /etc/raddb/sites-enabled/inner-tunnel 60 including configuration file /etc/raddb/sites-enabled/default 61 main { 62 security { 63 user = "radiusd" 64 group = "radiusd" 65 allow_core_dumps = no 66 } 67 name = "radiusd" 68 prefix = "/usr" 69 localstatedir = "/var" 70 logdir = "/var/log/radius" 71 run_dir = "/var/run/radiusd" 72 } 73 main { 74 name = "radiusd" 75 prefix = "/usr" 76 localstatedir = "/var" 77 sbindir = "/usr/sbin" 78 logdir = "/var/log/radius" 79 run_dir = "/var/run/radiusd" 80 libdir = "/usr/lib64/freeradius" 81 radacctdir = "/var/log/radius/radacct" 82 hostname_lookups = no 83 max_request_time = 30 84 cleanup_delay = 5 85 max_requests = 16384 86 pidfile = "/var/run/radiusd/radiusd.pid" 87 checkrad = "/usr/sbin/checkrad" 88 debug_level = 0 89 proxy_requests = yes 90 log { 91 stripped_names = no 92 auth = yes 93 auth_badpass = no 94 auth_goodpass = no 95 colourise = yes 96 msg_denied = "You are already logged in - access denied" 97 } 98 resources { 99 } 100 security { 101 max_attributes = 200 102 reject_delay = 1.000000 103 status_server = yes 104 } 105 } 106 radiusd: #### Loading Realms and Home Servers #### 107 proxy server { 108 retry_delay = 5 109 retry_count = 3 110 default_fallback = no 111 dead_time = 120 112 wake_all_if_all_dead = no 113 } 114 home_server localhost { 115 ipaddr = 127.0.0.1 116 port = 1812 117 type = "auth" 118 secret = <<< secret >>> 119 response_window = 20.000000 120 response_timeouts = 1 121 max_outstanding = 65536 122 zombie_period = 40 123 status_check = "status-server" 124 ping_interval = 30 125 check_interval = 30 126 check_timeout = 4 127 num_answers_to_alive = 3 128 revive_interval = 120 129 limit { 130 max_connections = 16 131 max_requests = 0 132 lifetime = 0 133 idle_timeout = 0 134 } 135 coa { 136 irt = 2 137 mrt = 16 138 mrc = 5 139 mrd = 30 140 } 141 } 142 home_server_pool my_auth_failover { 143 type = fail-over 144 home_server = localhost 145 } 146 realm example.com { 147 auth_pool = my_auth_failover 148 } 149 realm LOCAL { 150 } 151 radiusd: #### Loading Clients #### 152 client localhost { 153 ipaddr = 127.0.0.1 154 require_message_authenticator = no 155 secret = <<< secret >>> 156 nas_type = "other" 157 proto = "*" 158 limit { 159 max_connections = 16 160 lifetime = 0 161 idle_timeout = 30 162 } 163 } 164 client localhost_ipv6 { 165 ipv6addr = ::1 166 require_message_authenticator = no 167 secret = <<< secret >>> 168 limit { 169 max_connections = 16 170 lifetime = 0 171 idle_timeout = 30 Clients removed 1603 } 1604 Debugger not attached 1605 # Creating Auth-Type = mschap 1606 # Creating Auth-Type = eap 1607 # Creating Auth-Type = PAP 1608 # Creating Auth-Type = CHAP 1609 # Creating Auth-Type = MS-CHAP 1610 # Creating Auth-Type = ntlm_auth 1611 # Creating Auth-Type = digest 1612 radiusd: #### Instantiating modules #### 1613 modules { 1614 # Loaded module rlm_always 1615 # Loading module "reject" from file /etc/raddb/mods-enabled/always 1616 always reject { 1617 rcode = "reject" 1618 simulcount = 0 1619 mpp = no 1620 } 1621 # Loading module "fail" from file /etc/raddb/mods-enabled/always 1622 always fail { 1623 rcode = "fail" 1624 simulcount = 0 1625 mpp = no 1626 } 1627 # Loading module "ok" from file /etc/raddb/mods-enabled/always 1628 always ok { 1629 rcode = "ok" 1630 simulcount = 0 1631 mpp = no 1632 } 1633 # Loading module "handled" from file /etc/raddb/mods-enabled/always 1634 always handled { 1635 rcode = "handled" 1636 simulcount = 0 1637 mpp = no 1638 } 1639 # Loading module "invalid" from file /etc/raddb/mods-enabled/always 1640 always invalid { 1641 rcode = "invalid" 1642 simulcount = 0 1643 mpp = no 1644 } 1645 # Loading module "userlock" from file /etc/raddb/mods-enabled/always 1646 always userlock { 1647 rcode = "userlock" 1648 simulcount = 0 1649 mpp = no 1650 } 1651 # Loading module "notfound" from file /etc/raddb/mods-enabled/always 1652 always notfound { 1653 rcode = "notfound" 1654 simulcount = 0 1655 mpp = no 1656 } 1657 # Loading module "noop" from file /etc/raddb/mods-enabled/always 1658 always noop { 1659 rcode = "noop" 1660 simulcount = 0 1661 mpp = no 1662 } 1663 # Loading module "updated" from file /etc/raddb/mods-enabled/always 1664 always updated { 1665 rcode = "updated" 1666 simulcount = 0 1667 mpp = no 1668 } 1669 # Loaded module rlm_attr_filter 1670 # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter 1671 attr_filter attr_filter.post-proxy { 1672 filename = "/etc/raddb/mods-config/attr_filter/post-proxy" 1673 key = "%{Realm}" 1674 relaxed = no 1675 } 1676 # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter 1677 attr_filter attr_filter.pre-proxy { 1678 filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" 1679 key = "%{Realm}" 1680 relaxed = no 1681 } 1682 # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter 1683 attr_filter attr_filter.access_reject { 1684 filename = "/etc/raddb/mods-config/attr_filter/access_reject" 1685 key = "%{User-Name}" 1686 relaxed = no 1687 } 1688 # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter 1689 attr_filter attr_filter.access_challenge { 1690 filename = "/etc/raddb/mods-config/attr_filter/access_challenge" 1691 key = "%{User-Name}" 1692 relaxed = no 1693 } 1694 # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter 1695 attr_filter attr_filter.accounting_response { 1696 filename = "/etc/raddb/mods-config/attr_filter/accounting_response" 1697 key = "%{User-Name}" 1698 relaxed = no 1699 } 1700 # Loaded module rlm_cache 1701 # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap 1702 cache cache_eap { 1703 driver = "rlm_cache_rbtree" 1704 key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" 1705 ttl = 15 1706 max_entries = 0 1707 epoch = 0 1708 add_stats = no 1709 } 1710 # Loaded module rlm_chap 1711 # Loading module "chap" from file /etc/raddb/mods-enabled/chap 1712 # Loaded module rlm_date 1713 # Loading module "date" from file /etc/raddb/mods-enabled/date 1714 date { 1715 format = "%b %e %Y %H:%M:%S %Z" 1716 } 1717 # Loaded module rlm_detail 1718 # Loading module "detail" from file /etc/raddb/mods-enabled/detail 1719 detail { 1720 filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/detail-%Y%m%d" 1721 header = "%t" 1722 permissions = 384 1723 locking = no 1724 escape_filenames = no 1725 log_packet_header = no 1726 } 1727 # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log 1728 detail auth_log { 1729 filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/auth-detail-%Y%m%d" 1730 header = "%t" 1731 permissions = 384 1732 locking = no 1733 escape_filenames = no 1734 log_packet_header = no 1735 } 1736 # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log 1737 detail reply_log { 1738 filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/reply-detail-%Y%m%d" 1739 header = "%t" 1740 permissions = 384 1741 locking = no 1742 escape_filenames = no 1743 log_packet_header = no 1744 } 1745 # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log 1746 detail pre_proxy_log { 1747 filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/pre-proxy-detail-%Y%m%d" 1748 header = "%t" 1749 permissions = 384 1750 locking = no 1751 escape_filenames = no 1752 log_packet_header = no 1753 } 1754 # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log 1755 detail post_proxy_log { 1756 filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/post-proxy-detail-%Y%m%d" 1757 header = "%t" 1758 permissions = 384 1759 locking = no 1760 escape_filenames = no 1761 log_packet_header = no 1762 } 1763 # Loaded module rlm_dhcp 1764 # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp 1765 # Loaded module rlm_digest 1766 # Loading module "digest" from file /etc/raddb/mods-enabled/digest 1767 # Loaded module rlm_dynamic_clients 1768 # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients 1769 # Loaded module rlm_eap 1770 # Loading module "eap" from file /etc/raddb/mods-enabled/eap 1771 eap { 1772 default_eap_type = "md5" 1773 timer_expire = 60 1774 ignore_unknown_eap_types = no 1775 cisco_accounting_username_bug = no 1776 max_sessions = 16384 1777 } 1778 # Loaded module rlm_exec 1779 # Loading module "echo" from file /etc/raddb/mods-enabled/echo 1780 exec echo { 1781 wait = yes 1782 program = "/bin/echo %{User-Name}" 1783 input_pairs = "request" 1784 output_pairs = "reply" 1785 shell_escape = yes 1786 } 1787 # Loading module "exec" from file /etc/raddb/mods-enabled/exec 1788 exec { 1789 wait = no 1790 input_pairs = "request" 1791 shell_escape = yes 1792 timeout = 10 1793 } 1794 # Loaded module rlm_expiration 1795 # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration 1796 # Loaded module rlm_expr 1797 # Loading module "expr" from file /etc/raddb/mods-enabled/expr 1798 expr { 1799 safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" 1800 } 1801 # Loaded module rlm_files 1802 # Loading module "files" from file /etc/raddb/mods-enabled/files 1803 files { 1804 filename = "/etc/raddb/mods-config/files/authorize" 1805 acctusersfile = "/etc/raddb/mods-config/files/accounting" 1806 preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" 1807 } 1808 # Loaded module rlm_linelog 1809 # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog 1810 linelog { 1811 filename = "/var/log/radius/linelog" 1812 escape_filenames = no 1813 syslog_severity = "info" 1814 permissions = 384 1815 format = "This is a log message for %{User-Name}" 1816 reference = "messages.%{%{reply:Packet-Type}:-default}" 1817 } 1818 # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog 1819 linelog log_accounting { 1820 filename = "/var/log/radius/linelog-accounting" 1821 escape_filenames = no 1822 syslog_severity = "info" 1823 permissions = 384 1824 format = "" 1825 reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" 1826 } 1827 # Loaded module rlm_logintime 1828 # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime 1829 logintime { 1830 minimum_timeout = 60 1831 } 1832 # Loaded module rlm_mschap 1833 # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap 1834 mschap { 1835 use_mppe = yes 1836 require_encryption = no 1837 require_strong = no 1838 with_ntdomain_hack = yes 1839 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-DOMAIN.REMOVED} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" 1840 passchange { 1841 ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" 1842 ntlm_auth_username = "username: %{mschap:User-Name}" 1843 ntlm_auth_domain = "nt-domain: %{%{mschap:NT-Domain}:-DOMAIN.REMOVED}" 1844 } 1845 allow_retry = yes 1846 winbind_retry_with_normalised_username = no 1847 } 1848 # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth 1849 exec ntlm_auth { 1850 wait = yes 1851 program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN.REMOVED --username=%{mschap:User-Name} --password=%{User-Password}" 1852 shell_escape = yes 1853 } 1854 # Loaded module rlm_pap 1855 # Loading module "pap" from file /etc/raddb/mods-enabled/pap 1856 pap { 1857 normalise = yes 1858 } 1859 # Loaded module rlm_passwd 1860 # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd 1861 passwd etc_passwd { 1862 filename = "/etc/passwd" 1863 format = "*User-Name:Crypt-Password:" 1864 delimiter = ":" 1865 ignore_nislike = no 1866 ignore_empty = yes 1867 allow_multiple_keys = no 1868 hash_size = 100 1869 } 1870 # Loaded module rlm_preprocess 1871 # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess 1872 preprocess { 1873 huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" 1874 hints = "/etc/raddb/mods-config/preprocess/hints" 1875 with_ascend_hack = no 1876 ascend_channels_per_line = 23 1877 with_ntdomain_hack = no 1878 with_specialix_jetstream_hack = no 1879 with_cisco_vsa_hack = no 1880 with_alvarion_vsa_hack = no 1881 } 1882 # Loaded module rlm_radutmp 1883 # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp 1884 radutmp { 1885 filename = "/var/log/radius/radutmp" 1886 username = "%{User-Name}" 1887 case_sensitive = yes 1888 check_with_nas = yes 1889 permissions = 384 1890 caller_id = yes 1891 } 1892 # Loaded module rlm_realm 1893 # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm 1894 realm IPASS { 1895 format = "prefix" 1896 delimiter = "/" 1897 ignore_default = no 1898 ignore_null = no 1899 } 1900 # Loading module "suffix" from file /etc/raddb/mods-enabled/realm 1901 realm suffix { 1902 format = "suffix" 1903 delimiter = "@" 1904 ignore_default = no 1905 ignore_null = no 1906 } 1907 # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm 1908 realm realmpercent { 1909 format = "suffix" 1910 delimiter = "%" 1911 ignore_default = no 1912 ignore_null = no 1913 } 1914 # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm 1915 realm ntdomain { 1916 format = "prefix" 1917 delimiter = "\\" 1918 ignore_default = no 1919 ignore_null = no 1920 } 1921 # Loaded module rlm_replicate 1922 # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate 1923 # Loaded module rlm_soh 1924 # Loading module "soh" from file /etc/raddb/mods-enabled/soh 1925 soh { 1926 dhcp = yes 1927 } 1928 # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp 1929 radutmp sradutmp { 1930 filename = "/var/log/radius/sradutmp" 1931 username = "%{User-Name}" 1932 case_sensitive = yes 1933 check_with_nas = yes 1934 permissions = 420 1935 caller_id = no 1936 } 1937 # Loaded module rlm_unix 1938 # Loading module "unix" from file /etc/raddb/mods-enabled/unix 1939 unix { 1940 radwtmp = "/var/log/radius/radwtmp" 1941 } 1942 Creating attribute Unix-Group 1943 # Loaded module rlm_unpack 1944 # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack 1945 # Loaded module rlm_utf8 1946 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 1947 instantiate { 1948 } 1949 # Instantiating module "reject" from file /etc/raddb/mods-enabled/always 1950 # Instantiating module "fail" from file /etc/raddb/mods-enabled/always 1951 # Instantiating module "ok" from file /etc/raddb/mods-enabled/always 1952 # Instantiating module "handled" from file /etc/raddb/mods-enabled/always 1953 # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always 1954 # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always 1955 # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always 1956 # Instantiating module "noop" from file /etc/raddb/mods-enabled/always 1957 # Instantiating module "updated" from file /etc/raddb/mods-enabled/always 1958 # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter 1959 reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy 1960 # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter 1961 reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy 1962 # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter 1963 reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject 1964 [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". 1965 [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". 1966 # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter 1967 reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge 1968 # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter 1969 reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response 1970 # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap 1971 rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked 1972 # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail 1973 # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log 1974 rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output 1975 # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log 1976 # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log 1977 # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log 1978 # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap 1979 # Linked to sub-module rlm_eap_md5 1980 # Linked to sub-module rlm_eap_leap 1981 # Linked to sub-module rlm_eap_gtc 1982 gtc { 1983 challenge = "Password: " 1984 auth_type = "PAP" 1985 } 1986 # Linked to sub-module rlm_eap_tls 1987 tls { 1988 tls = "tls-common" 1989 } 1990 tls-config tls-common { 1991 verify_depth = 0 1992 ca_path = "/etc/raddb/certs" 1993 pem_file_type = yes 1994 private_key_file = "/etc/raddb/certs/server.pem" 1995 certificate_file = "/etc/raddb/certs/server.pem" 1996 ca_file = "/etc/raddb/certs/ca.pem" 1997 private_key_password = <<< secret >>> 1998 dh_file = "/etc/raddb/certs/dh" 1999 fragment_size = 1024 2000 include_length = yes 2001 auto_chain = yes 2002 check_crl = no 2003 check_all_crl = no 2004 cipher_list = "DEFAULT" 2005 cipher_server_preference = no 2006 ecdh_curve = "prime256v1" 2007 cache { 2008 enable = no 2009 lifetime = 24 2010 max_entries = 255 2011 } 2012 verify { 2013 skip_if_ocsp_ok = no 2014 } 2015 ocsp { 2016 enable = no 2017 override_cert_url = yes 2018 url = "http://127.0.0.1/ocsp/" 2019 use_nonce = yes 2020 timeout = 0 2021 softfail = no 2022 } 2023 } 2024 # Linked to sub-module rlm_eap_ttls 2025 ttls { 2026 tls = "tls-common" 2027 default_eap_type = "md5" 2028 copy_request_to_tunnel = no 2029 use_tunneled_reply = no 2030 virtual_server = "inner-tunnel" 2031 include_length = yes 2032 require_client_cert = no 2033 } 2034 tls: Using cached TLS configuration from previous invocation 2035 # Linked to sub-module rlm_eap_peap 2036 peap { 2037 tls = "tls-common" 2038 default_eap_type = "mschapv2" 2039 copy_request_to_tunnel = no 2040 use_tunneled_reply = no 2041 proxy_tunneled_request_as_eap = yes 2042 virtual_server = "inner-tunnel" 2043 soh = no 2044 require_client_cert = no 2045 } 2046 tls: Using cached TLS configuration from previous invocation 2047 # Linked to sub-module rlm_eap_mschapv2 2048 mschapv2 { 2049 with_ntdomain_hack = no 2050 send_error = no 2051 } 2052 # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration 2053 # Instantiating module "files" from file /etc/raddb/mods-enabled/files 2054 reading pairlist file /etc/raddb/mods-config/files/authorize 2055 reading pairlist file /etc/raddb/mods-config/files/accounting 2056 reading pairlist file /etc/raddb/mods-config/files/pre-proxy 2057 # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog 2058 # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog 2059 # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime 2060 # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap 2061 rlm_mschap (mschap): authenticating by calling 'ntlm_auth' 2062 # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap 2063 # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd 2064 rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no 2065 # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess 2066 reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups 2067 reading pairlist file /etc/raddb/mods-config/preprocess/hints 2068 # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm 2069 # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm 2070 # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm 2071 # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm 2072 } # modules 2073 radiusd: #### Loading Virtual Servers #### 2074 server { # from file /etc/raddb/radiusd.conf 2075 } # server 2076 server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel 2077 # Loading authenticate {...} 2078 # Loading authorize {...} 2079 Ignoring "sql" (see raddb/mods-available/README.rst) 2080 Ignoring "ldap" (see raddb/mods-available/README.rst) 2081 # Loading session {...} 2082 # Loading post-proxy {...} 2083 # Loading post-auth {...} 2084 # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330 2085 } # server inner-tunnel 2086 server default { # from file /etc/raddb/sites-enabled/default 2087 # Loading authenticate {...} 2088 # Loading authorize {...} 2089 # Loading preacct {...} 2090 # Loading accounting {...} 2091 # Loading post-proxy {...} 2092 # Loading post-auth {...} 2093 } # server default 2094 radiusd: #### Opening IP addresses and Ports #### 2095 listen { 2096 type = "auth" 2097 ipaddr = 127.0.0.1 2098 port = 18120 2099 } 2100 listen { 2101 type = "auth" 2102 ipaddr = * 2103 port = 0 2104 limit { 2105 max_connections = 16 2106 lifetime = 0 2107 idle_timeout = 30 2108 } 2109 } 2110 listen { 2111 type = "acct" 2112 ipaddr = * 2113 port = 0 2114 limit { 2115 max_connections = 16 2116 lifetime = 0 2117 idle_timeout = 30 2118 } 2119 } 2120 listen { 2121 type = "auth" 2122 ipv6addr = :: 2123 port = 0 2124 limit { 2125 max_connections = 16 2126 lifetime = 0 2127 idle_timeout = 30 2128 } 2129 } 2130 listen { 2131 type = "acct" 2132 ipv6addr = :: 2133 port = 0 2134 limit { 2135 max_connections = 16 2136 lifetime = 0 2137 idle_timeout = 30 2138 } 2139 } 2140 Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel 2141 Listening on auth address * port 1812 bound to server default 2142 Listening on acct address * port 1813 bound to server default 2143 Listening on auth address :: port 1812 bound to server default 2144 Listening on acct address :: port 1813 bound to server default 2145 Listening on proxy address * port 49658 2146 Listening on proxy address :: port 33500 2147 Ready to process requests 2148 (0) Received Access-Request Id 90 from IP-REMOVED:61997 to IP-REMOVED:1812 length 90 2149 (0) User-Name = "USERNAME-REMOVED" 2150 (0) User-Password = "PASSWORD-REMOVED" 2151 (0) NAS-Identifier = "JUNIPER-DEVICE-NAME-REMOVED" 2152 (0) Calling-Station-Id = "IP-REMOVED" 2153 (0) NAS-IP-Address = IP-REMOVED 2154 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default 2155 (0) authorize { 2156 (0) policy filter_username { 2157 (0) if (&User-Name) { 2158 (0) if (&User-Name) -> TRUE 2159 (0) if (&User-Name) { 2160 (0) if (&User-Name =~ / /) { 2161 (0) if (&User-Name =~ / /) -> FALSE 2162 (0) if (&User-Name =~ /@[^@]*@/ ) { 2163 (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE 2164 (0) if (&User-Name =~ /\.\./ ) { 2165 (0) if (&User-Name =~ /\.\./ ) -> FALSE 2166 (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { 2167 (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE 2168 (0) if (&User-Name =~ /\.$/) { 2169 (0) if (&User-Name =~ /\.$/) -> FALSE 2170 (0) if (&User-Name =~ /@\./) { 2171 (0) if (&User-Name =~ /@\./) -> FALSE 2172 (0) } # if (&User-Name) = notfound 2173 (0) } # policy filter_username = notfound 2174 (0) [preprocess] = ok 2175 (0) [chap] = noop 2176 (0) [mschap] = noop 2177 (0) [digest] = noop 2178 (0) suffix: Checking for suffix after "@" 2179 (0) suffix: No '@' in User-Name = "USERNAME-REMOVED", looking up realm NULL 2180 (0) suffix: No such realm "NULL" 2181 (0) [suffix] = noop 2182 (0) eap: No EAP-Message, not doing EAP 2183 (0) [eap] = noop 2184 (0) files: users: Matched entry USERNAME-REMOVED at line 96 2185 (0) [files] = ok 2186 (0) [expiration] = noop 2187 (0) [logintime] = noop 2188 (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type 2189 (0) pap: WARNING: Authentication will fail unless a "known good" password is available 2190 (0) [pap] = noop 2191 (0) } # authorize = ok 2192 (0) Found Auth-Type = ntlm_auth 2193 (0) # Executing group from file /etc/raddb/sites-enabled/default 2194 (0) authenticate { 2195 (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN.REMOVED --username=%{mschap:User-Name} --password=%{User-Password}: 2196 (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} 2197 (0) ntlm_auth: --> --username=USERNAME-REMOVED 2198 (0) ntlm_auth: EXPAND --password=%{User-Password} 2199 (0) ntlm_auth: --> --password=PASSWORD-REMOVED 2200 (0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_PASSWORD_MUST_CHANGE: The user password must be changed before logging on the first time. (0xc0000224)' 2201 (0) [ntlm_auth] = reject 2202 (0) } # authenticate = reject 2203 (0) Failed to authenticate the user 2204 (0) Login incorrect (ntlm_auth: Program returned code (1) and output 'NT_STATUS_PASSWORD_MUST_CHANGE: The user password must be changed before logging on the first time. (0xc0000224)'): [USERNAME-REMOVED] (from client IP-REMOVED port 0 cli IP-REMOVED) 2205 (0) Using Post-Auth-Type Reject 2206 (0) # Executing group from file /etc/raddb/sites-enabled/default 2207 (0) Post-Auth-Type REJECT { 2208 (0) attr_filter.access_reject: EXPAND %{User-Name} 2209 (0) attr_filter.access_reject: --> USERNAME-REMOVED 2210 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 2211 (0) [attr_filter.access_reject] = updated 2212 (0) [eap] = noop 2213 (0) policy remove_reply_message_if_eap { 2214 (0) if (&reply:EAP-Message && &reply:Reply-Message) { 2215 (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE 2216 (0) else { 2217 (0) [noop] = noop 2218 (0) } # else = noop 2219 (0) } # policy remove_reply_message_if_eap = noop 2220 (0) } # Post-Auth-Type REJECT = updated 2221 (0) Delaying response for 1.000000 seconds 2222 Waking up in 0.9 seconds. 2223 (0) (0) Discarding duplicate request from client IP-REMOVED port 61997 - ID: 90 due to delayed response 2224 Waking up in 0.2 seconds. 2225 (0) Sending delayed response 2226 (0) Sent Access-Reject Id 90 from IP-REMOVED:1812 to IP-REMOVED:61997 length 20 2227 Waking up in 3.9 seconds. 2228 (0) Cleaning up request packet ID 90 with timestamp +10 2229 Ready to process requests