Tried it but still I get access denied. Looking into the debug log I can understand that the Access-Accept has changed to 0, and the Class is 0x3334. Regarding the Access-Accept I don't know what to do, but I think that I know what to do with the Class. If I understand it right the value that the debug log shows is the ASCII translation of 34. Is it possible that the users file should indicate the Class value in hex format ? Here is the debug info: root@radius1:/etc/freeradius# freeradius -X 2>&1 | tee debugfile freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:27:21 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.0.1.0/8 { require_message_authenticator = no secret = "test" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 58381 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.1.211 port 50765, id=0, length=74 NAS-Identifier = "Network Equipment NAS" User-Name = "moshe" Tunnel-Medium-Type:0 = IPv4 User-Password = "moshe" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "moshe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] users: Matched entry moshe at line 89 ++[files] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = updated +} # group authorize = updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +group PAP { [pap] login attempt with password "moshe" [pap] Using clear text password "moshe" [pap] User authenticated successfully ++[pap] = ok +} # group PAP = ok Login OK: [moshe/moshe] (from client 10.0.1.0/8 port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 0 to 10.0.1.211 port 50765 Service-Type = Administrative-User Class = 0x3334 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +9 Ready to process requests. From: Moshe Sakajo Sent: Wednesday, August 22, 2018 23:25 To: 'freeradius-users@lists.freeradius.org' Subject: RE: New to FreeRadius and can't manage to get it to work for me According to what I sniff, a Access-Accept (2) with Attribute Value Pair (AVP) With l=3 Class:34 The Class is the one that changes the privileges of my users. In my case the values of this Class are 34/32/31 How can I set the Server to send an Access-Accept with the values above Best regards, and thanks a lot for the support Moshe Sakajo From: Moshe Sakajo Sent: Wednesday, August 22, 2018 18:56 To: freeradius-users@lists.freeradius.org Subject: New to FreeRadius and can't manage to get it to work for me Hi to you all I am sending this message again only this time with the full debug info. I am a QA Engineer and my concern is to make sure that the "boxes" that I test cooperate with the most popular RADIUS Server. According to other RADIUS Server that I have tested with before, I manage to authenticate a user that performs a login into our boxes. I simply defined a Default (name of the client/group) with a secret and a vendor that is general (ietf) then I defined 3 users (one for each of my privileges: admin\read&write\read-only). Each user has two attributes: 1. User_Password with a type of Check the Value is the password string 2. Class with a type of Success-Reply which controls the priveleges of the users. The Value is an integer (4/2/1) The debug log below shows a login try that I performed with a user "moshe" and password "moshe" I have set FreeRadius like this: 1. I added the clients.conf file the following client client 10.0.1.0/8<http://10.0.1.0/8> { secret = test nastype = other } 2. I added a user into the users file moshe Cleartext-Password := "moshe" Service-Type = "6" 3. The radius.conf was set with the following log {} settings auth = yes auth-goodpass = yes with all of that said I can also tell the radius.log show that the Login attempts are OK but I still get Access denied from my device, like something is still missing. Can you please tell me what might be missing ? Thanks for the support I assume that I am missing some kind of reply from the server side. At the same time I need the server to identify the right privileges (4/2/1) according to the user definitions root@radius1:/etc/freeradius# freeradius -X 2>&1 | tee debugfile freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:27:21 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.0.1.0/8 { require_message_authenticator = no secret = "test" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 34081 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.1.211 port 49964, id=5, length=74 NAS-Identifier = "Network Equipment NAS" User-Name = "moshe" Tunnel-Medium-Type:0 = IPv4 User-Password = "moshe" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "moshe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] users: Matched entry moshe at line 89 ++[files] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = updated +} # group authorize = updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +group PAP { [pap] login attempt with password "moshe" [pap] Using clear text password "moshe" [pap] User authenticated successfully ++[pap] = ok +} # group PAP = ok Login OK: [moshe/moshe] (from client 10.0.1.0/8 port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 5 to 10.0.1.211 port 49964 Service-Type = Administrative-User Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 5 with timestamp +21 Ready to process requests. Moshe Sakajo | Automation Developer & QA Testing Engineer Office: +972 3 7674619 Mobile: +972 50 739 4190 Fax: +972 77 865 8061 [cid:image001.jpg@01D43A75.D4E466F0]