I previously ran freeradius 2 incident free , having recently upgraded to freeradius 3 . I am bogged down with stale sessions freeradius is already the newest version (3.0.12+dfsg-5+deb9u1). The Nas are linksys accesspoints running on openwrt If the user manually disconnects from the network , and acctstop is updated and the records close properly , but if the person walks away from the network no update is made ####################################################################################################################################### Here is a snippet from the radacct table 138 5B801D36-00000A2C e43af52ec2774d18313225d069f615ec aarti_lutchmiesingh 161.0.155.238 9 Wireless-802.11 05/09/2018 10:23 05/09/2018 10:23 NULL NULL 0 RADIUS CONNECT 54Mbps 802.11g 0 0 00-25-9C-13-AF-58:Ryan 9 - Radius 10-F1-F2-0D-BC-43 168 5B801C20-00000E97 a893aa385671e09334072372c0904fdb abd-al-qaadir_islam 161.0.155.238 9 Wireless-802.11 05/09/2018 10:30 05/09/2018 10:30 NULL NULL 0 RADIUS CONNECT 54Mbps 802.11g 0 0 00-25-9C-13-AF-58:Ryan 9 - Radius 10-F1-F2-0D-BC-43 You would have expected that because the calling station id is the same in both records that freeradius would have declared the older record a stale session ###############################################freeradius -X########################################################################## FreeRADIUS Version 3.0.12 Copyright (C) 1999-2016 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/expiration including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/dhcp including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = * require_message_authenticator = no secret = <<< secret >>> nas_type = "cisco" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "root" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL " simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, #framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND callingstationid = '%{Calling-Station-Id}'AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})" } stop { query = "INSERT INTO radacctold SELECT * FROM radacct WHERE acctstoptime <> 'NULL'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration instantiate { } # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql_mysql: libmysql version: 10.1.26-MariaDB mysql { tls { } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Released connection (0) rlm_sql (sql): Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" disable_tlsv1_2 = yes cache { enable = yes lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-auth {...} } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Ready to process requests (0) Received Access-Request Id 59 from 131.100.39.166:51503 to 198.58.110.29:1812 length 239 (0) User-Name = "sharisse_pragsingh" (0) NAS-Identifier = "Ryan4-2ghz-Radius" (0) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 14 (0) Calling-Station-Id = "80-4E-81-86-03-C5" (0) Connect-Info = "CONNECT 54Mbps 802.11g" (0) Acct-Session-Id = "B15D601DE21D9FFF" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x02b400170173686172697373655f7072616773696e6768 (0) Message-Authenticator = 0x8d98008fc1b0cc92a987b3e7b23c0696 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "sharisse_pragsingh", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 180 length 23 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 181 length 22 (0) eap: EAP session adding &reply:State = 0x5adb3d025a6e3931 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 59 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (0) EAP-Message = 0x01b50016041063537c4fe2a0c46f29a02d18749c41c7 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x5adb3d025a6e3931aa88cfc6895d11e4 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 60 from 131.100.39.166:51503 to 198.58.110.29:1812 length 240 (1) User-Name = "sharisse_pragsingh" (1) NAS-Identifier = "Ryan4-2ghz-Radius" (1) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 14 (1) Calling-Station-Id = "80-4E-81-86-03-C5" (1) Connect-Info = "CONNECT 54Mbps 802.11g" (1) Acct-Session-Id = "B15D601DE21D9FFF" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x02b500060319 (1) State = 0x5adb3d025a6e3931aa88cfc6895d11e4 (1) Message-Authenticator = 0xb38a6583f2c160efa5d419c5b2d8454e (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "sharisse_pragsingh", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 181 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (1) sql: --> sharisse_pragsingh (1) sql: SQL-User-Name set to 'sharisse_pragsingh' rlm_sql (sql): Reserved connection (1) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sharisse_pragsingh' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sharisse_pragsingh' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'sharisse_pragsingh' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'sharisse_pragsingh' ORDER BY priority (1) sql: User not found in any groups rlm_sql (sql): Released connection (1) rlm_sql (sql): Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 (1) [sql] = notfound (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x5adb3d025a6e3931 (1) eap: Finished EAP session with state 0x5adb3d025a6e3931 (1) eap: Previous EAP request found for state 0x5adb3d025a6e3931, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 182 length 6 (1) eap: EAP session adding &reply:State = 0x5adb3d025b6d2431 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 60 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (1) EAP-Message = 0x01b600061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x5adb3d025b6d2431aa88cfc6895d11e4 (1) Finished request Waking up in 4.9 seconds. ^C root@box:~# freeradius -X FreeRADIUS Version 3.0.12 Copyright (C) 1999-2016 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/expiration including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/dhcp including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = * require_message_authenticator = no secret = <<< secret >>> nas_type = "cisco" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "root" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL " simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, #framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND callingstationid = '%{Calling-Station-Id}'AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})" } stop { query = "INSERT INTO radacctold SELECT * FROM radacct WHERE acctstoptime <> 'NULL'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration instantiate { } # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql_mysql: libmysql version: 10.1.26-MariaDB mysql { tls { } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Released connection (0) rlm_sql (sql): Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" disable_tlsv1_2 = yes cache { enable = yes lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-auth {...} } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Ready to process requests (0) Received Access-Request Id 61 from 131.100.39.166:51503 to 198.58.110.29:1812 length 430 (0) User-Name = "sharisse_pragsingh" (0) NAS-Identifier = "Ryan4-2ghz-Radius" (0) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 14 (0) Calling-Station-Id = "80-4E-81-86-03-C5" (0) Connect-Info = "CONNECT 54Mbps 802.11g" (0) Acct-Session-Id = "B15D601DE21D9FFF" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x02b600c41980000000ba16030100b5010000b10301b03b81650d6cb379ba73d735073391bb8f9fbe87e64f28a843146c2c68a40a30000048c014c00a00390038c00fc0050035c013c00900330032c00ec004002fc011c007c00cc00200050004c012c00800160013c00dc003000a001500120009001400 (0) State = 0x5adb3d025b6d2431aa88cfc6895d11e4 (0) Message-Authenticator = 0x004581f9ac8035ff327e927eece6eb4d (0) session-state: No cached attributes (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "sharisse_pragsingh", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 182 length 196 (0) eap: Continuing tunnel setup (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { rlm_eap (EAP): No EAP session matching state 0x5adb3d025b6d2431 (0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) sql: --> sharisse_pragsingh (0) sql: SQL-User-Name set to 'sharisse_pragsingh' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sharisse_pragsingh', '', 'Access-Reject', '2018-09-05 13:02:17') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sharisse_pragsingh', '', 'Access-Reject', '2018-09-05 13:02:17') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) rlm_sql (sql): Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> sharisse_pragsingh (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated rlm_eap (EAP): No EAP session matching state 0x5adb3d025b6d2431 (0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (0) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 61 from 198.58.110.29:1812 to 131.100.39.166:51503 length 20 Waking up in 3.9 seconds. (1) Received Access-Request Id 62 from 131.100.39.166:51503 to 198.58.110.29:1812 length 231 (1) User-Name = "victoria_ghool" (1) NAS-Identifier = "Ryan4-2ghz-Radius" (1) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 15 (1) Calling-Station-Id = "14-B4-84-40-1F-DC" (1) Connect-Info = "CONNECT 54Mbps 802.11g" (1) Acct-Session-Id = "CEF73F6854ED0E37" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x027a001301766963746f7269615f67686f6f6c (1) Message-Authenticator = 0x6947e9245c529271a1a96a6c359860c0 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 122 length 19 (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Peer sent packet with method EAP Identity (1) (1) eap: Calling submodule eap_md5 to process data (1) eap_md5: Issuing MD5 Challenge (1) eap: Sending EAP Request (code 1) ID 123 length 22 (1) eap: EAP session adding &reply:State = 0xc71cb679c767b212 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 62 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (1) EAP-Message = 0x017b00160410587eb3fc850295c3b88924853c914dcb (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xc71cb679c767b212581da811d62e0aa7 (1) Finished request Waking up in 3.2 seconds. (2) Received Access-Request Id 63 from 131.100.39.166:51503 to 198.58.110.29:1812 length 236 (2) User-Name = "victoria_ghool" (2) NAS-Identifier = "Ryan4-2ghz-Radius" (2) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 15 (2) Calling-Station-Id = "14-B4-84-40-1F-DC" (2) Connect-Info = "CONNECT 54Mbps 802.11g" (2) Acct-Session-Id = "CEF73F6854ED0E37" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Framed-MTU = 1400 (2) EAP-Message = 0x027b00060319 (2) State = 0xc71cb679c767b212581da811d62e0aa7 (2) Message-Authenticator = 0xd84dde2206036377d997e5645602c63a (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 123 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (2) sql: --> victoria_ghool (2) sql: SQL-User-Name set to 'victoria_ghool' rlm_sql (sql): Reserved connection (2) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id (2) sql: User found in radcheck table (2) sql: Conditional check items matched, merging assignment check items (2) sql: Cleartext-Password := "WaterFalls16" (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority (2) sql: User found in the group table (2) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (2) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (2) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (2) sql: Group "dialup": Conditional check items matched (2) sql: Group "dialup": Merging assignment check items (2) sql: Simultaneous-Use := 200 (2) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (2) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (2) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (2) sql: Group "dialup": Merging reply items rlm_sql (sql): Released connection (2) rlm_sql (sql): Need 3 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xc71cb679c767b212 (2) eap: Finished EAP session with state 0xc71cb679c767b212 (2) eap: Previous EAP request found for state 0xc71cb679c767b212, released from the list (2) eap: Peer sent packet with method EAP NAK (3) (2) eap: Found mutually acceptable type PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Initiating new EAP-TLS session (2) eap_peap: [eaptls start] = request (2) eap: Sending EAP Request (code 1) ID 124 length 6 (2) eap: EAP session adding &reply:State = 0xc71cb679c660af12 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 63 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (2) EAP-Message = 0x017c00061920 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xc71cb679c660af12581da811d62e0aa7 (2) Finished request Waking up in 3.2 seconds. (3) Received Access-Request Id 64 from 131.100.39.166:51503 to 198.58.110.29:1812 length 438 (3) User-Name = "victoria_ghool" (3) NAS-Identifier = "Ryan4-2ghz-Radius" (3) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 15 (3) Calling-Station-Id = "14-B4-84-40-1F-DC" (3) Connect-Info = "CONNECT 54Mbps 802.11g" (3) Acct-Session-Id = "CEF73F6854ED0E37" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x027c00d01980000000c616030100c1010000bd03015b900c1abde6f6c0ff7fe300f1015c8d8878387a955d4741fc03394c80d0b5a8000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200 (3) State = 0xc71cb679c660af12581da811d62e0aa7 (3) Message-Authenticator = 0x71a1c7e0502fa99ef80aad9d09ae88cc (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 124 length 208 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xc71cb679c660af12 (3) eap: Finished EAP session with state 0xc71cb679c660af12 (3) eap: Previous EAP request found for state 0xc71cb679c660af12, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 198 bytes (3) eap_peap: Got complete TLS record (198 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: (other): before SSL initialization (3) eap_peap: TLS_accept: before SSL initialization (3) eap_peap: TLS_accept: before SSL initialization (3) eap_peap: <<< recv TLS 1.2 [length 00c1] (3) eap_peap: TLS_accept: SSLv3/TLS read client hello (3) eap_peap: >>> send TLS 1.0 Handshake [length 0039], ServerHello (3) eap_peap: TLS_accept: SSLv3/TLS write server hello (3) eap_peap: >>> send TLS 1.0 Handshake [length 02fd], Certificate (3) eap_peap: TLS_accept: SSLv3/TLS write certificate (3) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (3) eap_peap: TLS_accept: SSLv3/TLS write key exchange (3) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (3) eap_peap: In SSL Handshake Phase (3) eap_peap: In SSL Accept mode (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 125 length 1004 (3) eap: EAP session adding &reply:State = 0xc71cb679c561af12 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 64 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (3) EAP-Message = 0x017d03ec19c00000049916030100390200003503010f4b49d9df3b30f484e30a9bee297f36fdcd022c065c567b3fa4e9da8980a0e900c01400000dff01000100000b00040300010216030102fd0b0002f90002f60002f3308202ef308201d7a00302010202090093b40acbed3d0944300d06092a864886 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xc71cb679c561af12581da811d62e0aa7 (3) Finished request Waking up in 3.0 seconds. (4) Received Access-Request Id 65 from 131.100.39.166:51503 to 198.58.110.29:1812 length 236 (4) User-Name = "victoria_ghool" (4) NAS-Identifier = "Ryan4-2ghz-Radius" (4) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 15 (4) Calling-Station-Id = "14-B4-84-40-1F-DC" (4) Connect-Info = "CONNECT 54Mbps 802.11g" (4) Acct-Session-Id = "CEF73F6854ED0E37" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Framed-MTU = 1400 (4) EAP-Message = 0x027d00061900 (4) State = 0xc71cb679c561af12581da811d62e0aa7 (4) Message-Authenticator = 0x9e0cf5f848a983a0a9cd18e98d71905b (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 125 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xc71cb679c561af12 (4) eap: Finished EAP session with state 0xc71cb679c561af12 (4) eap: Previous EAP request found for state 0xc71cb679c561af12, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 126 length 189 (4) eap: EAP session adding &reply:State = 0xc71cb679c462af12 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 65 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (4) EAP-Message = 0x017e00bd19004968fea2c5fdcee3fd5be12cf2782d130c9b165bd5e59681b1f2c8def9f0a730517a9dc0d7a47088149b7729b044838e53b0b2257179da8577bb6818004b4069fbb947f4ca24c61b2263f141f0da55088156257549347ddec48a790f4221680f7a9ef2943859b0b627a90ffe7217399d1e (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xc71cb679c462af12581da811d62e0aa7 (4) Finished request Waking up in 2.9 seconds. (5) Received Access-Request Id 66 from 131.100.39.166:51503 to 198.58.110.29:1812 length 374 (5) User-Name = "victoria_ghool" (5) NAS-Identifier = "Ryan4-2ghz-Radius" (5) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 15 (5) Calling-Station-Id = "14-B4-84-40-1F-DC" (5) Connect-Info = "CONNECT 54Mbps 802.11g" (5) Acct-Session-Id = "CEF73F6854ED0E37" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Framed-MTU = 1400 (5) EAP-Message = 0x027e009019800000008616030100461000004241041eea0b672ce9470e959ca5b2c3c1d3f70f8442cd51ace441ebfc536505f80e306265431fd3115f3bac064503060d272bc1ad184a2b83a46735a92195e1d0e8be14030100010116030100300a4c5d7cba81d687d1ba355636194f71abc703d87e923d (5) State = 0xc71cb679c462af12581da811d62e0aa7 (5) Message-Authenticator = 0xe049f18183792f7d027fa2dacc74367a (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 126 length 144 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xc71cb679c462af12 (5) eap: Finished EAP session with state 0xc71cb679c462af12 (5) eap: Previous EAP request found for state 0xc71cb679c462af12, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes (5) eap_peap: Got complete TLS record (134 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: TLS_accept: SSLv3/TLS write server done (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3/TLS read finished (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3/TLS write finished (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: SSL Connection Established (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 127 length 65 (5) eap: EAP session adding &reply:State = 0xc71cb679c363af12 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 66 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (5) EAP-Message = 0x017f004119001403010001011603010030aafc4e1f3e70822a01839414449efaa8f10398f15118b7b64a47bc5f60a90ab1e44f83305881591220fb6973efdde0c2 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xc71cb679c363af12581da811d62e0aa7 (5) Finished request Waking up in 2.8 seconds. (6) Received Access-Request Id 67 from 131.100.39.166:51503 to 198.58.110.29:1812 length 236 (6) User-Name = "victoria_ghool" (6) NAS-Identifier = "Ryan4-2ghz-Radius" (6) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 15 (6) Calling-Station-Id = "14-B4-84-40-1F-DC" (6) Connect-Info = "CONNECT 54Mbps 802.11g" (6) Acct-Session-Id = "CEF73F6854ED0E37" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Framed-MTU = 1400 (6) EAP-Message = 0x027f00061900 (6) State = 0xc71cb679c363af12581da811d62e0aa7 (6) Message-Authenticator = 0x5f31b1ca41ac472e209f89eb73871d30 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 127 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xc71cb679c363af12 (6) eap: Finished EAP session with state 0xc71cb679c363af12 (6) eap: Previous EAP request found for state 0xc71cb679c363af12, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 128 length 43 (6) eap: EAP session adding &reply:State = 0xc71cb679c29caf12 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Sent Access-Challenge Id 67 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (6) EAP-Message = 0x0180002b190017030100203c45cd1af0cfec87b4097b018f98e0a2b7b2c071ed2d3739878a9f76661bd858 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xc71cb679c29caf12581da811d62e0aa7 (6) Finished request Waking up in 2.7 seconds. (7) Received Access-Request Id 68 from 131.100.39.166:51503 to 198.58.110.29:1812 length 326 (7) User-Name = "victoria_ghool" (7) NAS-Identifier = "Ryan4-2ghz-Radius" (7) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 15 (7) Calling-Station-Id = "14-B4-84-40-1F-DC" (7) Connect-Info = "CONNECT 54Mbps 802.11g" (7) Acct-Session-Id = "CEF73F6854ED0E37" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x0280006019001703010020ce67d91a2bbfa70039f17489dac9d9706b096712c8615e170bc14a27c3cfc9961703010030c4b2434771097f53eaeaa9fb73fd74dea58ec4d6d2538ef34719a8e4dfb7dc7f351b2f88f02f4d6ccf061ec572902934 (7) State = 0xc71cb679c29caf12581da811d62e0aa7 (7) Message-Authenticator = 0x7d16dafcd8b302cf3175badc535a5001 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 128 length 96 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xc71cb679c29caf12 (7) eap: Finished EAP session with state 0xc71cb679c29caf12 (7) eap: Previous EAP request found for state 0xc71cb679c29caf12, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - victoria_ghool (7) eap_peap: Got inner identity 'victoria_ghool' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0280001301766963746f7269615f67686f6f6c (7) eap_peap: Setting User-Name to victoria_ghool (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0280001301766963746f7269615f67686f6f6c (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "victoria_ghool" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0280001301766963746f7269615f67686f6f6c (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "victoria_ghool" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 128 length 19 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 129 length 43 (7) eap: EAP session adding &reply:State = 0x6581a8b46500b26d (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0181002b1a0181002610808cabf382627e81820ea15bfbaba6c7667265657261646975732d332e302e3132 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6581a8b46500b26d4c1af2a42017fb07 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x0181002b1a0181002610808cabf382627e81820ea15bfbaba6c7667265657261646975732d332e302e3132 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x6581a8b46500b26d4c1af2a42017fb07 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x0181002b1a0181002610808cabf382627e81820ea15bfbaba6c7667265657261646975732d332e302e3132 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x6581a8b46500b26d4c1af2a42017fb07 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 129 length 75 (7) eap: EAP session adding &reply:State = 0xc71cb679c19daf12 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Sent Access-Challenge Id 68 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (7) EAP-Message = 0x0181004b19001703010040c0f93c1efe819bde1f8e4b8963983def94ca8413d9d4906aa24a0b8d9801a16a7806dae013613bebaaa9771d490e93b0e92e9cc012179adb4f28ec55ab77bebc (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xc71cb679c19daf12581da811d62e0aa7 (7) Finished request Waking up in 2.6 seconds. (8) Received Access-Request Id 69 from 131.100.39.166:51503 to 198.58.110.29:1812 length 374 (8) User-Name = "victoria_ghool" (8) NAS-Identifier = "Ryan4-2ghz-Radius" (8) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 15 (8) Calling-Station-Id = "14-B4-84-40-1F-DC" (8) Connect-Info = "CONNECT 54Mbps 802.11g" (8) Acct-Session-Id = "CEF73F6854ED0E37" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x0281009019001703010020df6d7a0000dcf7cc20a56a5368b647a0b6cec88cf6d8f74c2e2b8dbc0b911e5917030100608bbbc2935bb16e42046a6b6361af98d62a8a9d8e72b01c52ecdaa8ad3ff528175f9530750744ee5c1f583f2235ae0845aa5114e78c61abd52ec36d574d8ae17ae660273165dfca (8) State = 0xc71cb679c19daf12581da811d62e0aa7 (8) Message-Authenticator = 0xb8bcc788e454b8050fa7261dafa266ae (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 129 length 144 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x6581a8b46500b26d (8) eap: Finished EAP session with state 0xc71cb679c19daf12 (8) eap: Previous EAP request found for state 0xc71cb679c19daf12, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x028100491a0281004431e717f6003bf96983c5c6510c1bb72230000000000000000064bb35523924120e94c7e0a57fd5ca1b6854cfe15242ab5000766963746f7269615f67686f6f6c (8) eap_peap: Setting User-Name to victoria_ghool (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x028100491a0281004431e717f6003bf96983c5c6510c1bb72230000000000000000064bb35523924120e94c7e0a57fd5ca1b6854cfe15242ab5000766963746f7269615f67686f6f6c (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "victoria_ghool" (8) eap_peap: State = 0x6581a8b46500b26d4c1af2a42017fb07 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x028100491a0281004431e717f6003bf96983c5c6510c1bb72230000000000000000064bb35523924120e94c7e0a57fd5ca1b6854cfe15242ab5000766963746f7269615f67686f6f6c (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "victoria_ghool" (8) State = 0x6581a8b46500b26d4c1af2a42017fb07 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 129 length 73 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (8) sql: --> victoria_ghool (8) sql: SQL-User-Name set to 'victoria_ghool' rlm_sql (sql): Reserved connection (3) (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id (8) sql: User found in radcheck table (8) sql: Conditional check items matched, merging assignment check items (8) sql: Cleartext-Password := "WaterFalls16" (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority (8) sql: User found in the group table (8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (8) sql: Group "dialup": Conditional check items matched (8) sql: Group "dialup": Merging assignment check items (8) sql: Simultaneous-Use := 200 (8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (8) sql: Group "dialup": Merging reply items rlm_sql (sql): Released connection (3) rlm_sql (sql): Need 2 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (8), 1 of 24 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 (8) [sql] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x6581a8b46500b26d (8) eap: Finished EAP session with state 0x6581a8b46500b26d (8) eap: Previous EAP request found for state 0x6581a8b46500b26d, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: Found Cleartext-Password, hashing to create NT-Password (8) mschap: Found Cleartext-Password, hashing to create LM-Password (8) mschap: Creating challenge hash with username: victoria_ghool (8) mschap: Client is using MS-CHAPv2 (8) mschap: Adding MS-CHAPv2 MPPE keys (8) [mschap] = ok (8) } # authenticate = ok (8) MSCHAP Success (8) eap: Sending EAP Request (code 1) ID 130 length 51 (8) eap: EAP session adding &reply:State = 0x6581a8b46403b26d (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x018200331a0381002e533d36383835433941383230374535354644323637313932433135343339423931443733444345364444 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x6581a8b46403b26d4c1af2a42017fb07 (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: EAP-Message = 0x018200331a0381002e533d36383835433941383230374535354644323637313932433135343339423931443733444345364444 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x6581a8b46403b26d4c1af2a42017fb07 (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: EAP-Message = 0x018200331a0381002e533d36383835433941383230374535354644323637313932433135343339423931443733444345364444 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x6581a8b46403b26d4c1af2a42017fb07 (8) eap_peap: Got tunneled Access-Challenge (8) eap: Sending EAP Request (code 1) ID 130 length 91 (8) eap: EAP session adding &reply:State = 0xc71cb679c09eaf12 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Sent Access-Challenge Id 69 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (8) EAP-Message = 0x0182005b19001703010050a985e34fc1a70f310df4ef5e3b72f605227538370fb8d892624aca33ba5350b9bee8967259ebefe47093f381633227250ae0442af6513adb3a48a0997c64139f77e0d026024266b2a7f16ebb6b24ce8c (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xc71cb679c09eaf12581da811d62e0aa7 (8) Finished request Waking up in 2.5 seconds. (9) Received Access-Request Id 70 from 131.100.39.166:51503 to 198.58.110.29:1812 length 310 (9) User-Name = "victoria_ghool" (9) NAS-Identifier = "Ryan4-2ghz-Radius" (9) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) NAS-Port = 15 (9) Calling-Station-Id = "14-B4-84-40-1F-DC" (9) Connect-Info = "CONNECT 54Mbps 802.11g" (9) Acct-Session-Id = "CEF73F6854ED0E37" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Framed-MTU = 1400 (9) EAP-Message = 0x0282005019001703010020e7954ce1237c93bc33c537ee5de1cdf3c989932a72c5f7c1d390e81f4f4967f2170301002005669fd4c14eb3cf382aeceb5559628fbe5fdbb9c1a022a9cc280ff0a977b2f0 (9) State = 0xc71cb679c09eaf12581da811d62e0aa7 (9) Message-Authenticator = 0xb37e6b3b50cda656f799fa7e720e8d3c (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 130 length 80 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x6581a8b46403b26d (9) eap: Finished EAP session with state 0xc71cb679c09eaf12 (9) eap: Previous EAP request found for state 0xc71cb679c09eaf12, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x028200061a03 (9) eap_peap: Setting User-Name to victoria_ghool (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x028200061a03 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "victoria_ghool" (9) eap_peap: State = 0x6581a8b46403b26d4c1af2a42017fb07 (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x028200061a03 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "victoria_ghool" (9) State = 0x6581a8b46403b26d4c1af2a42017fb07 (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 130 length 6 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (9) sql: --> victoria_ghool (9) sql: SQL-User-Name set to 'victoria_ghool' rlm_sql (sql): Reserved connection (4) (9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id (9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id (9) sql: User found in radcheck table (9) sql: Conditional check items matched, merging assignment check items (9) sql: Cleartext-Password := "WaterFalls16" (9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id (9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id (9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority (9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority (9) sql: User found in the group table (9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (9) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (9) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (9) sql: Group "dialup": Conditional check items matched (9) sql: Group "dialup": Merging assignment check items (9) sql: Simultaneous-Use := 200 (9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (9) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (9) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (9) sql: Group "dialup": Merging reply items rlm_sql (sql): Released connection (4) (9) [sql] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x6581a8b46403b26d (9) eap: Finished EAP session with state 0x6581a8b46403b26d (9) eap: Previous EAP request found for state 0x6581a8b46403b26d, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap: Sending EAP Success (code 3) ID 130 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (9) session { (9) radutmp: EXPAND /var/log/freeradius/radutmp (9) radutmp: --> /var/log/freeradius/radutmp (9) radutmp: EXPAND %{User-Name} (9) radutmp: --> victoria_ghool (9) [radutmp] = ok (9) } # session = ok (9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (9) post-auth { (9) sql: EXPAND .query (9) sql: --> .query (9) sql: Using query template 'query' rlm_sql (sql): Reserved connection (0) (9) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (9) sql: --> victoria_ghool (9) sql: SQL-User-Name set to 'victoria_ghool' (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20') (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20') (9) sql: SQL query returned: success (9) sql: 1 record(s) updated rlm_sql (sql): Released connection (0) (9) [sql] = ok (9) } # post-auth = ok (9) } # server inner-tunnel (9) Virtual server sending reply (9) MS-MPPE-Encryption-Policy = Encryption-Allowed (9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) MS-MPPE-Send-Key = 0x0b4231615ae3e7fd3094e5d39de5f7c7 (9) MS-MPPE-Recv-Key = 0xe1301e846fcad9a1bf19018c4c9685e5 (9) EAP-Message = 0x03820004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "victoria_ghool" (9) eap_peap: Got tunneled reply code 2 (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) eap_peap: MS-MPPE-Send-Key = 0x0b4231615ae3e7fd3094e5d39de5f7c7 (9) eap_peap: MS-MPPE-Recv-Key = 0xe1301e846fcad9a1bf19018c4c9685e5 (9) eap_peap: EAP-Message = 0x03820004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: User-Name = "victoria_ghool" (9) eap_peap: Got tunneled reply RADIUS code 2 (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) eap_peap: MS-MPPE-Send-Key = 0x0b4231615ae3e7fd3094e5d39de5f7c7 (9) eap_peap: MS-MPPE-Recv-Key = 0xe1301e846fcad9a1bf19018c4c9685e5 (9) eap_peap: EAP-Message = 0x03820004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: User-Name = "victoria_ghool" (9) eap_peap: Tunneled authentication was successful (9) eap_peap: SUCCESS (9) eap: Sending EAP Request (code 1) ID 131 length 43 (9) eap: EAP session adding &reply:State = 0xc71cb679cf9faf12 (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Sent Access-Challenge Id 70 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (9) EAP-Message = 0x0183002b19001703010020896019e97c4c517d4b43048455c6d4b24634455babf837c0f3c810cba91b4dee (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xc71cb679cf9faf12581da811d62e0aa7 (9) Finished request Waking up in 2.4 seconds. (10) Received Access-Request Id 71 from 131.100.39.166:51503 to 198.58.110.29:1812 length 310 (10) User-Name = "victoria_ghool" (10) NAS-Identifier = "Ryan4-2ghz-Radius" (10) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) NAS-Port = 15 (10) Calling-Station-Id = "14-B4-84-40-1F-DC" (10) Connect-Info = "CONNECT 54Mbps 802.11g" (10) Acct-Session-Id = "CEF73F6854ED0E37" (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027073 (10) Framed-MTU = 1400 (10) EAP-Message = 0x028300501900170301002030b46d3fb23de6d64752535400d6c85cc571b653dff298fa8e02b035b81af742170301002098a80a7152effcca6ce046b82f56bac2f0b6a0401152ef8d0913b759967467c2 (10) State = 0xc71cb679cf9faf12581da811d62e0aa7 (10) Message-Authenticator = 0x8d8212058640174b75086cdc61a75764 (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 131 length 80 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0xc71cb679cf9faf12 (10) eap: Finished EAP session with state 0xc71cb679cf9faf12 (10) eap: Previous EAP request found for state 0xc71cb679cf9faf12, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: Continuing EAP-TLS (10) eap_peap: [eaptls verify] = ok (10) eap_peap: Done initial handshake (10) eap_peap: [eaptls process] = ok (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Success (10) eap: Sending EAP Success (code 3) ID 131 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (10) post-auth { (10) update { (10) No attributes updated (10) } # update = noop (10) sql: EXPAND .query (10) sql: --> .query (10) sql: Using query template 'query' rlm_sql (sql): Reserved connection (5) (10) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (10) sql: --> victoria_ghool (10) sql: SQL-User-Name set to 'victoria_ghool' (10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20') (10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20') (10) sql: SQL query returned: success (10) sql: 1 record(s) updated rlm_sql (sql): Released connection (5) (10) [sql] = ok (10) [exec] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # post-auth = ok (10) Sent Access-Accept Id 71 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0 (10) MS-MPPE-Recv-Key = 0xdf747ac6983392d3d7afa992005a997ce771acde2adb324435a5122646fd4a62 (10) MS-MPPE-Send-Key = 0xf261857a7080c8e095f9530acf7b2544aa4c30094dd9a66ba546c29181ad9472 (10) EAP-Message = 0x03830004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = "victoria_ghool" (10) Finished request Waking up in 2.3 seconds. (11) Received Accounting-Request Id 72 from 131.100.39.166:64857 to 198.58.110.29:1813 length 210 (11) Acct-Status-Type = Start (11) Acct-Authentic = RADIUS (11) User-Name = "victoria_ghool" (11) NAS-Identifier = "Ryan4-2ghz-Radius" (11) Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N" (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) NAS-Port = 15 (11) Calling-Station-Id = "14-B4-84-40-1F-DC" (11) Connect-Info = "CONNECT 54Mbps 802.11g" (11) Acct-Session-Id = "CEF73F6854ED0E37" (11) WLAN-Pairwise-Cipher = 1027076 (11) WLAN-Group-Cipher = 1027076 (11) WLAN-AKM-Suite = 1027073 (11) Event-Timestamp = "Sep 5 2018 13:02:20 AST" (11) Acct-Delay-Time = 0 (11) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (11) preacct { (11) [preprocess] = ok (11) policy acct_unique { (11) update request { (11) Tmp-String-9 := "ai:" (11) } # update request = noop (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (11) EXPAND %{hex:&Class} (11) --> (11) EXPAND ^%{hex:&Tmp-String-9} (11) --> ^61693a (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (11) else { (11) update request { (11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (11) --> 5ffef8deb1d414c7ab9813cb06977e5a (11) &Acct-Unique-Session-Id := 5ffef8deb1d414c7ab9813cb06977e5a (11) } # update request = noop (11) } # else = noop (11) } # policy acct_unique = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) [files] = noop (11) } # preacct = ok (11) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (11) accounting { (11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (11) detail: --> /var/log/freeradius/radacct/131.100.39.166/detail-20180905 (11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/131.100.39.166/detail-20180905 (11) detail: EXPAND %t (11) detail: --> Wed Sep 5 13:02:20 2018 (11) [detail] = ok (11) [unix] = ok (11) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (11) sql: --> type.start.query (11) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (11) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (11) sql: --> victoria_ghool (11) sql: SQL-User-Name set to 'victoria_ghool' (11) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (11) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('CEF73F6854ED0E37', '5ffef8deb1d414c7ab9813cb06977e5a', 'victoria_ghool', '', '131.100.39.166', '15', 'Wireless-802.11', FROM_UNIXTIME(1536166940), FROM_UNIXTIME(1536166940), NULL, '0', 'RADIUS', 'CONNECT 54Mbps 802.11g', '', '0', '0', '16-91-82-C6-38-F7:Ryan4-Radius-N', '14-B4-84-40-1F-DC', '', 'Framed-User', '', '') (11) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('CEF73F6854ED0E37', '5ffef8deb1d414c7ab9813cb06977e5a', 'victoria_ghool', '', '131.100.39.166', '15', 'Wireless-802.11', FROM_UNIXTIME(1536166940), FROM_UNIXTIME(1536166940), NULL, '0', 'RADIUS', 'CONNECT 54Mbps 802.11g', '', '0', '0', '16-91-82-C6-38-F7:Ryan4-Radius-N', '14-B4-84-40-1F-DC', '', 'Framed-User', '', '') (11) sql: SQL query returned: success (11) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) (11) [sql] = ok (11) [exec] = noop (11) attr_filter.accounting_response: EXPAND %{User-Name} (11) attr_filter.accounting_response: --> victoria_ghool (11) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (11) [attr_filter.accounting_response] = updated (11) } # accounting = updated (11) Sent Accounting-Response Id 72 from 198.58.110.29:1813 to 131.100.39.166:64857 length 0 (11) Finished request (11) Cleaning up request packet ID 72 with timestamp +13 Waking up in 2.1 seconds. (0) Cleaning up request packet ID 61 with timestamp +10 Waking up in 1.7 seconds. (1) Cleaning up request packet ID 62 with timestamp +12 (2) Cleaning up request packet ID 63 with timestamp +12 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 64 with timestamp +12 Waking up in 0.1 seconds. (4) Cleaning up request packet ID 65 with timestamp +12 Waking up in 0.1 seconds. (5) Cleaning up request packet ID 66 with timestamp +13 (6) Cleaning up request packet ID 67 with timestamp +13 (7) Cleaning up request packet ID 68 with timestamp +13 (8) Cleaning up request packet ID 69 with timestamp +13 (9) Cleaning up request packet ID 70 with timestamp +13 (10) Cleaning up request packet ID 71 with timestamp +13 Ready to process requests (12) Received Access-Request Id 143 from 190.213.227.180:50909 to 198.58.110.29:1812 length 208 (12) User-Name = "khadija_dyer" (12) NAS-Identifier = "ryan5" (12) Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius" (12) NAS-Port-Type = Wireless-802.11 (12) NAS-Port = 10 (12) Calling-Station-Id = "D8-5D-E2-E3-A5-D9" (12) Connect-Info = "CONNECT 54Mbps 802.11g" (12) Acct-Session-Id = "5B801D36-00000A57" (12) WLAN-Pairwise-Cipher = 1027076 (12) WLAN-Group-Cipher = 1027076 (12) WLAN-AKM-Suite = 1027073 (12) Framed-MTU = 1400 (12) EAP-Message = 0x020e0011016b686164696a615f64796572 (12) Message-Authenticator = 0x7f46c02a9fad1440fed4e171b00f99b3 (12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 14 length 17 (12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) authenticate { (12) eap: Peer sent packet with method EAP Identity (1) (12) eap: Calling submodule eap_md5 to process data (12) eap_md5: Issuing MD5 Challenge (12) eap: Sending EAP Request (code 1) ID 15 length 22 (12) eap: EAP session adding &reply:State = 0xc25708d1c2580c43 (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) Post-Auth-Type sub-section not found. Ignoring. (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) Sent Access-Challenge Id 143 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0 (12) EAP-Message = 0x010f001604102f7a86066ae4b6898f6ea80dc5614f73 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0xc25708d1c2580c4397c377255ce49eba (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 144 from 190.213.227.180:50909 to 198.58.110.29:1812 length 215 (13) User-Name = "khadija_dyer" (13) NAS-Identifier = "ryan5" (13) Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius" (13) NAS-Port-Type = Wireless-802.11 (13) NAS-Port = 10 (13) Calling-Station-Id = "D8-5D-E2-E3-A5-D9" (13) Connect-Info = "CONNECT 54Mbps 802.11g" (13) Acct-Session-Id = "5B801D36-00000A57" (13) WLAN-Pairwise-Cipher = 1027076 (13) WLAN-Group-Cipher = 1027076 (13) WLAN-AKM-Suite = 1027073 (13) Framed-MTU = 1400 (13) EAP-Message = 0x020f00060319 (13) State = 0xc25708d1c2580c4397c377255ce49eba (13) Message-Authenticator = 0x10748d6855404cef3ab315c6cceb925f (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 15 length 6 (13) eap: No EAP Start, assuming it's an on-going EAP conversation (13) [eap] = updated (13) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (13) sql: --> khadija_dyer (13) sql: SQL-User-Name set to 'khadija_dyer' rlm_sql (sql): Reserved connection (6) (13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (13) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'khadija_dyer' ORDER BY id (13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'khadija_dyer' ORDER BY id (13) sql: User found in radcheck table (13) sql: Conditional check items matched, merging assignment check items (13) sql: Cleartext-Password := "sanghai123" (13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (13) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'khadija_dyer' ORDER BY id (13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'khadija_dyer' ORDER BY id (13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (13) sql: --> SELECT groupname FROM radusergroup WHERE username = 'khadija_dyer' ORDER BY priority (13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'khadija_dyer' ORDER BY priority (13) sql: User found in the group table (13) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (13) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (13) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id (13) sql: Group "dialup": Conditional check items matched (13) sql: Group "dialup": Merging assignment check items (13) sql: Simultaneous-Use := 200 (13) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (13) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (13) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id (13) sql: Group "dialup": Merging reply items rlm_sql (sql): Released connection (6) rlm_sql (sql): Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (9), 1 of 23 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 (13) [sql] = ok (13) [expiration] = noop (13) [logintime] = noop (13) pap: WARNING: Auth-Type already set. Not setting to PAP (13) [pap] = noop (13) } # authorize = updated (13) Found Auth-Type = eap (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0xc25708d1c2580c43 (13) eap: Finished EAP session with state 0xc25708d1c2580c43 (13) eap: Previous EAP request found for state 0xc25708d1c2580c43, released from the list (13) eap: Peer sent packet with method EAP NAK (3) (13) eap: Found mutually acceptable type PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Initiating new EAP-TLS session (13) eap_peap: [eaptls start] = request (13) eap: Sending EAP Request (code 1) ID 16 length 6 (13) eap: EAP session adding &reply:State = 0xc25708d1c3471143 (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) Post-Auth-Type sub-section not found. Ignoring. (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) Sent Access-Challenge Id 144 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0 (13) EAP-Message = 0x011000061920 (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0xc25708d1c347114397c377255ce49eba (13) Finished request Waking up in 4.8 seconds. (14) Received Access-Request Id 145 from 190.213.227.180:50909 to 198.58.110.29:1812 length 331 (14) User-Name = "khadija_dyer" (14) NAS-Identifier = "ryan5" (14) Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 10 (14) Calling-Station-Id = "D8-5D-E2-E3-A5-D9" (14) Connect-Info = "CONNECT 54Mbps 802.11g" (14) Acct-Session-Id = "5B801D36-00000A57" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Framed-MTU = 1400 (14) EAP-Message = 0x0210007a198000000070160301006b0100006703015b900c1fa1294d2f712a57cc2e7c771d13af866892ac510bf7fcd4bbf3ef1a66000018c014c0130035002fc00ac00900380032000a00130005000401000026000500050100000000000a0006000400170018000b000201000023000000170000ff01 (14) State = 0xc25708d1c347114397c377255ce49eba (14) Message-Authenticator = 0x6345a7d3214c2a6e05da5b343c8dc40d (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 16 length 122 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0xc25708d1c3471143 (14) eap: Finished EAP session with state 0xc25708d1c3471143 (14) eap: Previous EAP request found for state 0xc25708d1c3471143, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 112 bytes (14) eap_peap: Got complete TLS record (112 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: (other): before SSL initialization (14) eap_peap: TLS_accept: before SSL initialization (14) eap_peap: TLS_accept: before SSL initialization (14) eap_peap: <<< recv TLS 1.2 [length 006b] (14) eap_peap: TLS_accept: SSLv3/TLS read client hello (14) eap_peap: >>> send TLS 1.0 Handshake [length 003d], ServerHello (14) eap_peap: TLS_accept: SSLv3/TLS write server hello (14) eap_peap: >>> send TLS 1.0 Handshake [length 02fd], Certificate (14) eap_peap: TLS_accept: SSLv3/TLS write certificate (14) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (14) eap_peap: TLS_accept: SSLv3/TLS write key exchange (14) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (14) eap_peap: TLS_accept: SSLv3/TLS write server done (14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (14) eap_peap: In SSL Handshake Phase (14) eap_peap: In SSL Accept mode (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 17 length 1004 (14) eap: EAP session adding &reply:State = 0xc25708d1c0461143 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Sent Access-Challenge Id 145 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0 (14) EAP-Message = 0x011103ec19c00000049d160301003d020000390301b74dc1446b0af5692d41ad96c114341fcd709cbf06a29ef3a8c206920a7f740700c014000011ff01000100000b0004030001020017000016030102fd0b0002f90002f60002f3308202ef308201d7a00302010202090093b40acbed3d0944300d0609 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0xc25708d1c046114397c377255ce49eba (14) Finished request Waking up in 4.7 seconds. (15) Received Access-Request Id 146 from 190.213.227.180:50909 to 198.58.110.29:1812 length 215 (15) User-Name = "khadija_dyer" (15) NAS-Identifier = "ryan5" (15) Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius" (15) NAS-Port-Type = Wireless-802.11 (15) NAS-Port = 10 (15) Calling-Station-Id = "D8-5D-E2-E3-A5-D9" (15) Connect-Info = "CONNECT 54Mbps 802.11g" (15) Acct-Session-Id = "5B801D36-00000A57" (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-Group-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027073 (15) Framed-MTU = 1400 (15) EAP-Message = 0x021100061900 (15) State = 0xc25708d1c046114397c377255ce49eba (15) Message-Authenticator = 0xd619840612e85bfb1a6b23f1a34af544 (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 17 length 6 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) authenticate { (15) eap: Expiring EAP session with state 0xc25708d1c0461143 (15) eap: Finished EAP session with state 0xc25708d1c0461143 (15) eap: Previous EAP request found for state 0xc25708d1c0461143, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer ACKed our handshake fragment (15) eap_peap: [eaptls verify] = request (15) eap_peap: [eaptls process] = handled (15) eap: Sending EAP Request (code 1) ID 18 length 193 (15) eap: EAP session adding &reply:State = 0xc25708d1c1451143 (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) Post-Auth-Type sub-section not found. Ignoring. (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Sent Access-Challenge Id 146 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0 (15) EAP-Message = 0x011200c11900c1994f5cf271aa2daa12e9f2817c2c2f654485d266fe39fa9eaaa39605b31ca371978fcebd6f8690e2fcd9d4ba51c3df3d3c67288940cd0fe34be8d8acdcbedd30a88e28ab4bf2c5b5b9a46cbba4e9f2aee5df7c3c3c7788910763ebb401a578499b6b533cb0bdd1ebf6bf4de421ae8fa4 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0xc25708d1c145114397c377255ce49eba (15) Finished request Waking up in 4.6 seconds. (16) Received Access-Request Id 147 from 190.213.227.180:50909 to 198.58.110.29:1812 length 353 (16) User-Name = "khadija_dyer" (16) NAS-Identifier = "ryan5" (16) Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius" (16) NAS-Port-Type = Wireless-802.11 (16) NAS-Port = 10 (16) Calling-Station-Id = "D8-5D-E2-E3-A5-D9" (16) Connect-Info = "CONNECT 54Mbps 802.11g" (16) Acct-Session-Id = "5B801D36-00000A57" (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-Group-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027073 (16) Framed-MTU = 1400 (16) EAP-Message = 0x021200901980000000861603010046100000424104d3e55df7748455aa1f59972ddb1fc5ddafcf3a41412304355ae5b5bfefe491e65ad85a1282b37a160dadd3b6f62b14efe1ebf34c915096419b3a90af0c666ad5140301000101160301003094669adbca6f44c0295518dcc685f9bfe76a147a0b8f13 (16) State = 0xc25708d1c145114397c377255ce49eba (16) Message-Authenticator = 0xb04d47d1d89fc4257e5caf60a87b2ae8 (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 18 length 144 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0xc25708d1c1451143 (16) eap: Finished EAP session with state 0xc25708d1c1451143 (16) eap: Previous EAP request found for state 0xc25708d1c1451143, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: Peer indicated complete TLS record size will be 134 bytes (16) eap_peap: Got complete TLS record (134 bytes) (16) eap_peap: [eaptls verify] = length included (16) eap_peap: TLS_accept: SSLv3/TLS write server done (16) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (16) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (16) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (16) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (16) eap_peap: TLS_accept: SSLv3/TLS read finished (16) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (16) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (16) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (16) eap_peap: TLS_accept: SSLv3/TLS write finished (16) eap_peap: (other): SSL negotiation finished successfully (16) eap_peap: SSL Connection Established (16) eap_peap: [eaptls process] = handled (16) eap: Sending EAP Request (code 1) ID 19 length 65 (16) eap: EAP session adding &reply:State = 0xc25708d1c6441143 (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Sent Access-Challenge Id 147 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0 (16) EAP-Message = 0x01130041190014030100010116030100309dcf0d560833f4bfae995b203594eaeeb6aada1a90414974a6caff215c1f9933a228a6f2488d66f01f411b1695224e82 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0xc25708d1c644114397c377255ce49eba (16) Finished request Waking up in 4.4 seconds. (17) Received Access-Request Id 148 from 190.213.227.180:50909 to 198.58.110.29:1812 length 215 (17) User-Name = "khadija_dyer" (17) NAS-Identifier = "ryan5" (17) Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius" (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 10 (17) Calling-Station-Id = "D8-5D-E2-E3-A5-D9" (17) Connect-Info = "CONNECT 54Mbps 802.11g" (17) Acct-Session-Id = "5B801D36-00000A57" (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-Group-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027073 (17) Framed-MTU = 1400 (17) EAP-Message = 0x021300061900 (17) State = 0xc25708d1c644114397c377255ce49eba (17) Message-Authenticator = 0x3e2a0e69af369d7b59528aba2cee0ce3 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 19 length 6 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0xc25708d1c6441143 (17) eap: Finished EAP session with state 0xc25708d1c6441143 (17) eap: Previous EAP request found for state 0xc25708d1c6441143, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: Peer ACKed our handshake fragment. handshake is finished (17) eap_peap: [eaptls verify] = success (17) eap_peap: [eaptls process] = success (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state TUNNEL ESTABLISHED (17) eap: Sending EAP Request (code 1) ID 20 length 43 (17) eap: EAP session adding &reply:State = 0xc25708d1c7431143 (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) Post-Auth-Type sub-section not found. Ignoring. (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Sent Access-Challenge Id 148 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0 (17) EAP-Message = 0x0114002b190017030100200e7023f8fee87ad2a50b75d94e03a5bdfa63221cc7a8e5f664d51da66a376caa (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0xc25708d1c743114397c377255ce49eba (17) Finished request Waking up in 4.3 seconds. ####################################################################################################################################### Ill post the contents of the configuration files ####################################################################################################################################### # -*- text -*- ## ## clients.conf -- client configuration directives ## ## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $ client localhost { proto = * secret = whatever require_message_authenticator = no # nas_type = cisco # localhost isn't usually a NAS... idle_timeout = 30 } } # IPv6 Client client localhost_ipv6 { ipv6addr = ::1 secret = testing123 } ####################################################################################################################################### # -*- text -*- ## ## sql.conf -- SQL modules ## ## $Id: 4a59483c35c77f573fb177919e19ba4434cc3da1 $ ###################################################################### # # Configuration for the SQL module # # The database schemas and queries are located in subdirectories: # # sql/<DB>/main/schema.sql Schema # sql/<DB>/main/queries.conf Authorisation and Accounting queries # # Where "DB" is mysql, mssql, oracle, or postgresql. # # sql { # The sub-module to use to execute queries. This should match # the database you're attempting to connect to. # # * rlm_sql_mysql # * rlm_sql_mssql # * rlm_sql_oracle # * rlm_sql_postgresql # * rlm_sql_sqlite # * rlm_sql_null (log queries to disk) # driver = "rlm_sql_mysql" dialect = "mysql" # Connection info: # server = "localhost" port = 3306 login = "root" password = "**********" # Database table configuration for everything except Oracle radius_db = "radius" # If you are using Oracle then use this instead # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))" # If you're using postgresql this can also be used instead of the connection info parameters # radius_db = "dbname=radius host=localhost user=radius password=raddpass" # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to # use SSL connections then use this form of connection info parameter # radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt" # If you want both stop and start records logged to the # same SQL table, leave this as is. If you want them in # different tables, put the start table in acct_table1 # and stop table in acct_table2 acct_table1 = "radacct" acct_table2 = "radacct" acct_table3 = "radacctold" # Allow for storing data after authentication postauth_table = "radpostauth" # Tables containing 'check' items authcheck_table = "radcheck" groupcheck_table = "radgroupcheck" # Tables containing 'reply' items authreply_table = "radreply" groupreply_table = "radgroupreply" # Table to keep group info usergroup_table = "radusergroup" # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table. # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table. read_groups = yes # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table. # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table. read_profiles = yes # Remove stale session if checkrad does not see a double login delete_stale_sessions = yes # Write SQL queries to a logfile. This is potentially useful for tracing # issues with authorization queries. See also "logfile" directives in # mods-config/sql/main/*/queries.conf. You can enable per-section logging # by enabling "logfile" there, or global logging by enabling "logfile" here. # # Per-section logging can be disabled by setting "logfile = ''" # logfile = ${logdir}/sqllog.sql # Set the maximum query duration and connection timeout # for rlm_sql_mysql. # query_timeout = 5 # As of version 3.0, the "pool" section has replaced the # following configuration items: # # num_sql_socks # connect_failure_retry_delay # lifetime # max_queries # # The connection pool is new for 3.0, and will be used in many # modules, for all kinds of connection-related activity. # # When the server is not threaded, the connection pool # limits are ignored, and only one connection is used. # # If you want to have multiple SQL modules re-use the same # connection pool, use "pool = name" instead of a "pool" # section. e.g. # # sql1 { # ... # pool { # ... # } # } # # # sql2 will use the connection pool from sql1 # sql2 { # ... # pool = sql1 # } # pool { # Connections to create during module instantiation. # If the server cannot create specified number of # connections during instantiation it will exit. # Set to 0 to allow the server to start without the # database being available. start = ${thread[pool].start_servers} # Minimum number of connections to keep open min = ${thread[pool].min_spare_servers} # Maximum number of connections # # If these connections are all in use and a new one # is requested, the request will NOT get a connection. # # Setting 'max' to LESS than the number of threads means # that some threads may starve, and you will see errors # like 'No connections available and at max connection limit' # # Setting 'max' to MORE than the number of threads means # that there are more connections than necessary. max = ${thread[pool].max_servers} # Spare connections to be left idle # # NOTE: Idle connections WILL be closed if "idle_timeout" # is set. This should be less than or equal to "max" above. spare = ${thread[pool].max_spare_servers} # Number of uses before the connection is closed # # 0 means "infinite" uses = 0 # The number of seconds to wait after the server tries # to open a connection, and fails. During this time, # no new connections will be opened. retry_delay = 30 # The lifetime (in seconds) of the connection lifetime = 0 # idle timeout (in seconds). A connection which is # unused for this length of time will be closed. idle_timeout = 60 # NOTE: All configuration settings are enforced. If a # connection is closed because of "idle_timeout", # "uses", or "lifetime", then the total number of # connections MAY fall below "min". When that # happens, it will open a new connection. It will # also log a WARNING message. # # The solution is to either lower the "min" connections, # or increase lifetime/idle_timeout. } # Set to 'yes' to read radius clients from the database ('nas' table) # Clients will ONLY be read on server startup. read_clients = yes # Table to keep radius client info client_table = "nas" # # The group attribute specific to this instance of rlm_sql # # This entry should be used for additional instances (sql foo {}) # of the SQL module. # group_attribute = "${.:instance}-SQL-Group" # This entry should be used for the default instance (sql {}) # of the SQL module. group_attribute = "SQL-Group" # Read database-specific queries $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf ####################################################################################################################################### # -*- text -*- # # main/mysql/queries.conf-- MySQL configuration for default schema (schema.sql) # # $Id: 40508024d5fd6a319bbb85775c3fe1e8388be656 $ # Safe characters list for sql queries. Everything else is replaced # with their mime-encoded equivalents. # The default list should be ok #safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" ####################################################################### # Connection config ####################################################################### # The character set is not configurable. The default character set of # the mysql client library is used. To control the character set, # create/edit my.cnf (typically in /etc/mysql/my.cnf or /etc/my.cnf) # and enter # [client] # default-character-set = utf8 # ####################################################################### # Query config: Username ####################################################################### # This is the username that will get substituted, escaped, and added # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below # everywhere a username substitution is needed so you you can be sure # the username passed from the client is escaped properly. # # Uncomment the next line, if you want the sql_user_name to mean: # # Use Stripped-User-Name, if it's there. # Else use User-Name, if it's there, # Else use hard-coded string "DEFAULT" as the user name. sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" # #sql_user_name = "%{User-Name}" ####################################################################### # Default profile ####################################################################### # This is the default profile. It is found in SQL by group membership. # That means that this profile must be a member of at least one group # which will contain the corresponding check and reply items. # This profile will be queried in the authorize section for every user. # The point is to assign all users a default profile without having to # manually add each one to a group that will contain the profile. # The SQL module will also honor the User-Profile attribute. This # attribute can be set anywhere in the authorize section (ie the users # file). It is found exactly as the default profile is found. # If it is set then it will *overwrite* the default profile setting. # The idea is to select profiles based on checks on the incoming packets, # not on user group membership. For example: # -- users file -- # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" # DEFAULT Service-Type == Framed-User, User-Profile := "framed" # # By default the default_user_profile is not set # #default_user_profile = "DEFAULT" ####################################################################### # NAS Query ####################################################################### # This query retrieves the radius clients # # 0. Row ID (currently unused) # 1. Name (or IP address) # 2. Shortname # 3. Type # 4. Secret # 5. Server ####################################################################### client_query = "\ SELECT id, nasname, shortname, type, secret, server \ FROM ${client_table}" ####################################################################### # Authorization Queries ####################################################################### # These queries compare the check items for the user # in ${authcheck_table} and setup the reply items in # ${authreply_table}. You can use any query/tables # you want, but the return data for each row MUST # be in the following order: # # 0. Row ID (currently unused) # 1. UserName/GroupName # 2. Item Attr Name # 3. Item Attr Value # 4. Item Attr Operation ####################################################################### # Use these for case sensitive usernames. #authorize_check_query = "\ # SELECT id, username, attribute, value, op \ # FROM ${authcheck_table} \ # WHERE username = BINARY '%{SQL-User-Name}' \ # ORDER BY id" #authorize_reply_query = "\ # SELECT id, username, attribute, value, op \ # FROM ${authreply_table} \ # WHERE username = BINARY '%{SQL-User-Name}' \ # ORDER BY id" # # The default queries are case insensitive. (for compatibility with # older versions of FreeRADIUS) # authorize_check_query = "\ SELECT id, username, attribute, value, op \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" authorize_reply_query = "\ SELECT id, username, attribute, value, op \ FROM ${authreply_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" # # Use these for case sensitive usernames. # #group_membership_query = "\ # SELECT groupname \ # FROM ${usergroup_table} \ # WHERE username = BINARY '%{SQL-User-Name}' \ # ORDER BY priority" group_membership_query = "\ SELECT groupname \ FROM ${usergroup_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY priority" authorize_group_check_query = "\ SELECT id, groupname, attribute, \ Value, op \ FROM ${groupcheck_table} \ WHERE groupname = '%{${group_attribute}}' \ ORDER BY id" authorize_group_reply_query = "\ SELECT id, groupname, attribute, \ value, op \ FROM ${groupreply_table} \ WHERE groupname = '%{${group_attribute}}' \ ORDER BY id" ####################################################################### # Simultaneous Use Checking Queries ####################################################################### # simul_count_query - query for the number of current connections # - If this is not defined, no simultaneous use checking # - will be performed by this module instance # simul_verify_query - query to return details of current connections # for verification # - Leave blank or commented out to disable verification step # - Note that the returned field order should not be changed. ####################################################################### simul_count_query = "\ SELECT COUNT(*) \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL " simul_verify_query = "\ SELECT \ radacctid, acctsessionid, username, nasipaddress, nasportid, #framedipaddress, \ callingstationid, framedprotocol \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" ####################################################################### # Accounting and Post-Auth Queries ####################################################################### # These queries insert/update accounting and authentication records. # The query to use is determined by the value of 'reference'. # This value is used as a configuration path and should resolve to one # or more 'query's. If reference points to multiple queries, and a query # fails, the next query is executed. # # Behaviour is identical to the old 1.x/2.x module, except we can now # fail between N queries, and query selection can be based on any # combination of attributes, or custom 'Acct-Status-Type' values. ####################################################################### accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" # Write SQL queries to a logfile. This is potentially useful for bulk inserts # when used with the rlm_sql_null driver. # logfile = ${logdir}/accounting.sql column_list = "\ acctsessionid, acctuniqueid, username, \ realm, nasipaddress, nasportid, \ nasporttype, acctstarttime, acctupdatetime, \ acctstoptime, acctsessiontime, acctauthentic, \ connectinfo_start, connectinfo_stop, acctinputoctets, \ acctoutputoctets, calledstationid, callingstationid, \ acctterminatecause, servicetype, framedprotocol, \ framedipaddress" type { accounting-on { # # Bulk terminate all sessions associated with a given NAS # query = "\ UPDATE ${....acct_table1} \ SET \ acctstoptime = FROM_UNIXTIME(\ %{integer:Event-Timestamp}), \ acctsessiontime = '%{integer:Event-Timestamp}' \ - UNIX_TIMESTAMP(acctstarttime), \ acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \ WHERE acctstoptime IS NULL \ AND nasipaddress = '%{NAS-IP-Address}' \ AND acctstarttime <= FROM_UNIXTIME(\ %{integer:Event-Timestamp})" } accounting-off { query = "${..accounting-on.query}" } start { # # Insert a new record into the sessions table # query = "\ INSERT INTO ${....acct_table1} \ (${...column_list}) \ VALUES \ ('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{NAS-IP-Address}', \ '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ '%{NAS-Port-Type}', \ FROM_UNIXTIME(%{integer:Event-Timestamp}), \ FROM_UNIXTIME(%{integer:Event-Timestamp}), \ NULL, \ '0', \ '%{Acct-Authentic}', \ '%{Connect-Info}', \ '', \ '0', \ '0', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ '%{Framed-IP-Address}')" # # Key constraints prevented us from inserting a new session, # use the alternate query to update an existing session. # query = "\ UPDATE ${....acct_table1} SET \ acctstarttime = FROM_UNIXTIME(%{integer:Event-Timestamp}), \ acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), \ connectinfo_start = '%{Connect-Info}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" query = "\ UPDATE ${....acct_table1} SET \ acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), \ acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \ WHERE acctstoptime IS NULL \ AND callingstationid = '%{Calling-Station-Id}'\ AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})" } interim-update { # # Update an existing session and calculate the interval # between the last data we received for the session and this # update. This can be used to find stale sessions. # query = "\ UPDATE ${....acct_table1} SET \ acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), \ acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \ WHERE acctstoptime IS NULL \ AND callingstationid = '%{Calling-Station-Id}'\ AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})" query = "\ UPDATE ${....acct_table1} \ SET \ acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \ acctupdatetime = FROM_UNIXTIME(\ %{integer:Event-Timestamp}), \ acctinterval = %{integer:Event-Timestamp} - \ UNIX_TIMESTAMP(@acctupdatetime_old), \ framedipaddress = '%{Framed-IP-Address}', \ acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \ << 32 | '%{%{Acct-Input-Octets}:-0}', \ acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \ << 32 | '%{%{Acct-Output-Octets}:-0}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" # # The update condition matched no existing sessions. Use # the values provided in the update to create a new session. # query = "\ INSERT INTO ${....acct_table1} \ (${...column_list}) \ VALUES \ ('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{NAS-IP-Address}', \ '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ '%{NAS-Port-Type}', \ FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), \ FROM_UNIXTIME(%{integer:Event-Timestamp}), \ NULL, \ %{%{Acct-Session-Time}:-NULL}, \ '%{Acct-Authentic}', \ '%{Connect-Info}', \ '', \ '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \ '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ '%{Framed-IP-Address}')" } stop { # # Session has terminated, update the stop time and statistics. # ########################################## delete taolle query = "\ INSERT INTO ${....acct_table3} \ SELECT * FROM ${....acct_table1} \ WHERE acctstoptime <> 'NULL'" query = "\ DELETE FROM ${....acct_table1} \ WHERE acctstoptime IS NOT NULL" query = "\ UPDATE ${....acct_table2} SET \ acctstoptime = FROM_UNIXTIME(\ %{integer:Event-Timestamp}), \ acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \ << 32 | '%{%{Acct-Input-Octets}:-0}', \ acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \ << 32 | '%{%{Acct-Output-Octets}:-0}', \ acctterminatecause = '%{Acct-Terminate-Cause}', \ connectinfo_stop = '%{Connect-Info}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" # # The update condition matched no existing sessions. Use # the values provided in the update to create a new session. # query = "\ INSERT INTO ${....acct_table2} \ (${...column_list}) \ VALUES \ ('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{NAS-IP-Address}', \ '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ '%{NAS-Port-Type}', \ FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), \ FROM_UNIXTIME(%{integer:Event-Timestamp}), \ FROM_UNIXTIME(%{integer:Event-Timestamp}), \ %{%{Acct-Session-Time}:-NULL}, \ '%{Acct-Authentic}', \ '', \ '%{Connect-Info}', \ '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \ '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '%{Acct-Terminate-Cause}', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ '%{Framed-IP-Address}')" } } } ####################################################################### # Authentication Logging Queries ####################################################################### # postauth_query - Insert some info after authentication ####################################################################### post-auth { # Write SQL queries to a logfile. This is potentially useful for bulk inserts # when used with the rlm_sql_null driver. # logfile = ${logdir}/post-auth.sql query = "\ INSERT INTO ${..postauth_table} \ (username, pass, reply, authdate) \ VALUES ( \ '%{SQL-User-Name}', \ '%{%{User-Password}:-%{Chap-Password}}', \ '%{reply:Packet-Type}', \ '%S')" } #################################################################################################################################### ###################################################################### # # As of 2.0.0, FreeRADIUS supports virtual hosts using the # "server" section, and configuration directives. # # Virtual hosts should be put into the "sites-available" # directory. Soft links should be created in the "sites-enabled" # directory to these files. This is done in a normal installation. # # If you are using 802.1X (EAP) authentication, please see also # the "inner-tunnel" virtual server. You will likely have to edit # that, too, for authentication to work. # # $Id: 083407596aa5074d665adac9606e7de655b634aa $ # ###################################################################### # # Read "man radiusd" before editing this file. See the section # titled DEBUGGING. It outlines a method where you can quickly # obtain the configuration you want, without running into # trouble. See also "man unlang", which documents the format # of this file. # # This configuration is designed to work in the widest possible # set of circumstances, with the widest possible number of # authentication methods. This means that in general, you should # need to make very few changes to this file. # # The best way to configure the server for your local system # is to CAREFULLY edit this file. Most attempts to make large # edits to this file will BREAK THE SERVER. Any edits should # be small, and tested by running the server with "radiusd -X". # Once the edits have been verified to work, save a copy of these # configuration files somewhere. (e.g. as a "tar" file). Then, # make more edits, and test, as above. # # There are many "commented out" references to modules such # as ldap, sql, etc. These references serve as place-holders. # If you need the functionality of that module, then configure # it in radiusd.conf, and un-comment the references to it in # this file. In most cases, those small changes will result # in the server being able to connect to the DB, and to # authenticate users. # ###################################################################### server default { # # If you want the server to listen on additional addresses, or on # additional ports, you can use multiple "listen" sections. # # Each section make the server listen for only one type of packet, # therefore authentication and accounting have to be configured in # different sections. # # The server ignore all "listen" section if you are using '-i' and '-p' # on the command line. # listen { # Type of packets to listen for. # Allowed values are: # auth listen for authentication packets # acct listen for accounting packets # proxy IP to use for sending proxied packets # detail Read from the detail file. For examples, see # raddb/sites-available/copy-acct-to-home-server # status listen for Status-Server packets. For examples, # see raddb/sites-available/status # coa listen for CoA-Request and Disconnect-Request # packets. For examples, see the file # raddb/sites-available/coa # type = auth # Note: "type = proxy" lets you control the source IP used for # proxying packets, with some limitations: # # * A proxy listener CANNOT be used in a virtual server section. # * You should probably set "port = 0". # * Any "clients" configuration will be ignored. # # See also proxy.conf, and the "src_ipaddr" configuration entry # in the sample "home_server" section. When you specify the # source IP address for packets sent to a home server, the # proxy listeners are automatically created. # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. # Out of several options the first one will be used. # # Allowed values are: # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) # hostname (radius.example.com, # A record for ipv4addr, # AAAA record for ipv6addr, # A or AAAA record for ipaddr) # wildcard (*) # # ipv4addr = * # ipv6addr = * ipaddr = * # Port on which to listen. # Allowed values are: # integer port number (1812) # 0 means "use /etc/services for the proper port" port = 0 # Some systems support binding to an interface, in addition # to the IP address. This feature isn't strictly necessary, # but for sites with many IP addresses on one interface, # it's useful to say "listen on all addresses for eth0". # # If your system does not support this feature, you will # get an error if you try to use it. # # interface = eth0 # Per-socket lists of clients. This is a very useful feature. # # The name here is a reference to a section elsewhere in # radiusd.conf, or clients.conf. Having the name as # a reference allows multiple sockets to use the same # set of clients. # # If this configuration is used, then the global list of clients # is IGNORED for this "listen" section. Take care configuring # this feature, to ensure you don't accidentally disable a # client you need. # # See clients.conf for the configuration of "per_socket_clients". # # clients = per_socket_clients # # Connection limiting for sockets with "proto = tcp". # # This section is ignored for other kinds of sockets. # limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } } # # This second "listen" section is for listening on the accounting # port, too. # listen { ipaddr = * # ipv6addr = :: port = 0 type = acct # interface = eth0 # clients = per_socket_clients limit { # The number of packets received can be rate limited via the # "max_pps" configuration item. When it is set, the server # tracks the total number of packets received in the previous # second. If the count is greater than "max_pps", then the # new packet is silently discarded. This helps the server # deal with overload situations. # # The packets/s counter is tracked in a sliding window. This # means that the pps calculation is done for the second # before the current packet was received. NOT for the current # wall-clock second, and NOT for the previous wall-clock second. # # Useful values are 0 (no limit), or 100 to 10000. # Values lower than 100 will likely cause the server to ignore # normal traffic. Few systems are capable of handling more than # 10K packets/s. # # It is most useful for accounting systems. Set it to 50% # more than the normal accounting load, and you can be sure that # the server will never get overloaded # # max_pps = 0 # Only for "proto = tcp". These are ignored for "udp" sockets. # # idle_timeout = 0 # lifetime = 0 # max_connections = 0 } } # IPv6 versions of the above - read their full config to understand options listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 # interface = eth0 # clients = per_socket_clients limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct # interface = eth0 # clients = per_socket_clients limit { # max_pps = 0 # idle_timeout = 0 # lifetime = 0 # max_connections = 0 } } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # Any changes made here should also be made to the "inner-tunnel" # virtual server. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # # Take a User-Name, and perform some checks on it, for spaces and other # invalid characters. If the User-Name appears invalid, reject the # request. # # See policy.d/filter for the definition of the filter_username policy. # filter_username # # Some broken equipment sends passwords with embedded zeros. # i.e. the debug output will show # # User-Password = "password\000\000" # # This policy will fix it to just be "password". # # filter_password # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/mods-config/preprocess/hints' # and the 'raddb/mods-config/preprocess/huntgroups' files. preprocess # If you intend to use CUI and you require that the Operator-Name # be set for CUI generation and you want to generate CUI also # for your local clients then uncomment the operator-name # below and set the operator-name for your clients in clients.conf # operator-name # # If you want to generate CUI for some clients that do not # send proper CUI requests, then uncomment the # cui below and set "add_cui = yes" for these clients in clients.conf # cui # # If you want to have a log of authentication requests, # un-comment the following line. # auth_log # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest # # The WiMAX specification says that the Calling-Station-Id # is 6 octets of the MAC. This definition conflicts with # RFC 3580, and all common RADIUS practices. Un-commenting # the "wimax" module here means that it will fix the # Calling-Station-Id attribute to the normal format as # specified in RFC 3580 Section 3.21 # wimax # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # suffix # ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The EAP module returns "ok" if it is not yet ready to # authenticate the user. The configuration below checks for # that code, and stops processing the "authorize" section if # so. # # Any LDAP and/or SQL servers will not be queried for the # initial set of packets that go back and forth to set up # TTLS or PEAP. # eap { ok = return } # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # mods-available/passwd module. # # unix # # Read the 'users' file. In v3, this is located in # raddb/mods-config/files/authorize #files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in mods-available/sql sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'smbpasswd' module. # smbpasswd # # The ldap module reads passwords from the LDAP database. -ldap # # Enforce daily limits on time spent logged in. # daily # expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap # # If "status_server = yes", then Status-Server messages are passed # through the following section, and ONLY the following section. # This permits you to do DB queries, for example. If the modules # listed here return "fail", then NO response is sent. # # Autz-Type Status-Server { # # } } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the appropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user (Auth-Type := Reject), # or to or forcibly accept the user (Auth-Type := Accept). # # Note that Auth-Type := Accept will NOT work with EAP. # # Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for. # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # For old names, too. # mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest # # Pluggable Authentication Modules. # pam # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets # into a single 64bit counter Acct-[Input|Output]-Octets64. # # acct_counters64 # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends # a start packet, *possibly* with an Acct-Delay-Time. # The server is supposed to conclude that the start time # was "Acct-Delay-Time" seconds in the past. # # The code below creates an explicit start time, which can # then be used in other modules. It will be *mostly* correct. # Any errors are due to the 1-second resolution of RADIUS, # and the possibility that the time on the NAS may be off. # # The start time is: NOW - delay - session_length # # update request { # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests. # IPASS suffix # ntdomain # # Read the 'acct_users' file files } # # Accounting. Log the accounting data. # accounting { # Update accounting packet by adding the CUI attribute # recorded from the corresponding Access-Accept # use it only if your NAS boxes do not support CUI themselves # cui # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # daily # Update the wtmp file # # If you don't use "radlast", you can delete this line. unix # # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There is little we can do about it. #radutmp #sradutmp # Return an address to the IP Pool when we see a stop record. # main_pool # # Log traffic to an SQL database. # # See "Accounting queries" in mods-available/sql sql # # If you receive stop packets with zero session length, # they will NOT be logged in the database. The SQL module # will print a message (only in debugging mode), and will # return "noop". # # You can ignore these packets by uncommenting the following # three lines. Otherwise, the server will not respond to the # accounting request, and the NAS will retransmit. # # if (noop) { # ok # } # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # Cisco VoIP specific bulk accounting # pgsql-voip # For Exec-Program and Exec-Program-Wait exec # Filter attributes from the accounting response. attr_filter.accounting_response # # See "Autz-Type Status-Server" for how this works. # # Acct-Type Status-Server { # # } } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { # radutmp # # See "Simultaneous Use Checking Queries" in mods-available/sql sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # # If you need to have a State attribute, you can # add it here. e.g. for later CoA-Request with # State, and Service-Type = Authorize-Only. # # if (!&reply:State) { # update reply { # State := "0x%{randstr:16h}" # } # } # # For EAP-TTLS and PEAP, add the cached attributes to the reply. # The "session-state" attributes are automatically cached when # an Access-Challenge is sent, and automatically retrieved # when an Access-Request is received. # # The session-state attributes are automatically deleted after # an Access-Reject or Access-Accept is sent. # update { &reply: += &session-state: } # Get an address from the IP Pool. # main_pool # Create the CUI value and add the attribute to Access-Accept. # Uncomment the line below if *returning* the CUI. # cui # # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in mods-available/sql sql # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # # ldap # For Exec-Program and Exec-Program-Wait exec # # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # WiMAX-FA-RK-Key = 0x00 # WiMAX-MSK = "%{EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax # If there is a client certificate (EAP-TLS, sometimes PEAP # and TTLS), then some attributes are filled out after the # certificate verification has been performed. These fields # MAY be available during the authentication, or they may be # available only in the "post-auth" section. # # The first set of attributes contains information about the # issuing certificate which is being used. The second # contains information about the client certificate (if # available). # # update reply { # Reply-Message += "%{TLS-Cert-Serial}" # Reply-Message += "%{TLS-Cert-Expiration}" # Reply-Message += "%{TLS-Cert-Subject}" # Reply-Message += "%{TLS-Cert-Issuer}" # Reply-Message += "%{TLS-Cert-Common-Name}" # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" # # Reply-Message += "%{TLS-Client-Cert-Serial}" # Reply-Message += "%{TLS-Client-Cert-Expiration}" # Reply-Message += "%{TLS-Client-Cert-Subject}" # Reply-Message += "%{TLS-Client-Cert-Issuer}" # Reply-Message += "%{TLS-Client-Cert-Common-Name}" # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" # } # Insert class attribute (with unique value) into response, # aids matching auth and acct records, and protects against duplicate # Acct-Session-Id. Note: Only works if the NAS has implemented # RFC 2865 behaviour for the class attribute, AND if the NAS # supports long Class attributes. Many older or cheap NASes # only support 16-octet Class attributes. # insert_acct_class # MacSEC requires the use of EAP-Key-Name. However, we don't # want to send it for all EAP sessions. Therefore, the EAP # modules put required data into the EAP-Session-Id attribute. # This attribute is never put into a request or reply packet. # # Uncomment the next few lines to copy the required data into # the EAP-Key-Name attribute # if (&reply:EAP-Session-Id) { # update reply { # EAP-Key-Name := &reply:EAP-Session-Id # } # } # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # # The "session-state" attributes are not available here. # Post-Auth-Type REJECT { # log failed authentications in SQL, too. sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure eap # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # Before proxing the request add an Operator-Name attribute identifying # if the operator-name is found for this client. # No need to uncomment this if you have already enabled this in # the authorize section. # operator-name # The client requests the CUI by sending a CUI attribute # containing one zero byte. # Uncomment the line below if *requesting* the CUI. # cui # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap # # If the server tries to proxy a request and fails, then the # request is processed through the modules in this section. # # The main use of this section is to permit robust proxying # of accounting packets. The server can be configured to # proxy accounting packets as part of normal processing. # Then, if the home server goes down, accounting packets can # be logged to a local "detail" file, for processing with # radrelay. When the home server comes back up, radrelay # will read the detail file, and send the packets to the # home server. # # With this configuration, the server always responds to # Accounting-Requests from the NAS, but only writes # accounting packets to disk if the home server is down. # # Post-Proxy-Type Fail-Accounting { # detail # } } } #################################################################################################################################### # -*- text -*- ###################################################################### # # This is a virtual server that handles *only* inner tunnel # requests for EAP-TTLS and PEAP types. # # $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $ # ###################################################################### server inner-tunnel { # # This next section is here to allow testing of the "inner-tunnel" # authentication methods, independently from the "default" server. # It is listening on "localhost", so that it can only be used from # the same machine. # # $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 # # If it works, you have configured the inner tunnel correctly. To check # if PEAP will work, use: # # $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 # # If that works, PEAP should work. If that command doesn't work, then # # FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. # # Do NOT do any PEAP tests. It won't help. Instead, concentrate # on fixing the inner tunnel configuration. DO NOTHING ELSE. # listen { ipaddr = 127.0.0.1 port = 18120 type = auth } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # # Take a User-Name, and perform some checks on it, for spaces and other # invalid characters. If the User-Name appears invalid, reject the # request. # # See policy.d/filter for the definition of the filter_username policy. # filter_username # # Do checks on outer / inner User-Name, so that users # can't spoof us by using incompatible identities # # filter_inner_identity # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module, above. # # unix # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # # Note that proxying the inner tunnel authentication means # that the user MAY use one identity in the outer session # (e.g. "anonymous", and a different one here # (e.g. "user@example.com"). The inner session will then be # proxied elsewhere for authentication. If you are not # careful, this means that the user can cause you to forward # the authentication to another RADIUS server, and have the # accounting logs *not* sent to the other server. This makes # it difficult to bill people for their network activity. # suffix # ntdomain # # The "suffix" module takes care of stripping the domain # (e.g. "@example.com") from the User-Name attribute, and the # next few lines ensure that the request is not proxied. # # If you want the inner tunnel request to be proxied, delete # the next few lines. # update control { &Proxy-To-Realm := LOCAL } # # This module takes care of EAP-MSCHAPv2 authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Read the 'users' file #files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # enable the "smbpasswd" module. # smbpasswd # # The ldap module reads passwords from the LDAP database. -ldap # # Enforce daily limits on time spent logged in. # daily expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the appropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user, or forcibly accept him. # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # For old names, too. # mschap # # Pluggable Authentication Modules. # pam # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap } ###################################################################### # # There are no accounting requests inside of EAP-TTLS or PEAP # tunnels. # ###################################################################### # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { #radutmp # # See "Simultaneous Use Checking Queries" in sql.conf sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. # # Note that the last packet of the inner-tunnel authentication # MAY NOT BE the last packet of the outer session. So updating # the outer reply MIGHT work, and sometimes MIGHT NOT. The # exact functionality depends on both the inner and outer # authentication methods. # # If you need to send a reply attribute in the outer session, # the ONLY safe way is to set "use_tunneled_reply = yes", and # then update the inner-tunnel reply. post-auth { # If you want privacy to remain, see the # Chargeable-User-Identity attribute from RFC 4372. # If you want to use it just uncomment the line below. # cui-inner # # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf sql # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # # ldap # # Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds # IMPORTANT: This requires the UUID package to be installed! # # moonshot_host_tid # moonshot_realm_tid # moonshot_coi_tid # # Instead of "use_tunneled_reply", uncomment the # next two "update" blocks. # # update { # &outer.session-state: += &reply: # } # # These attributes are for the inner session only. # They MUST NOT be sent in the outer reply. # # If you uncomment the previous block and leave # this one commented out, WiFi WILL NOT WORK, # because the client will get two MS-MPPE-keys # # update outer.session-state { # MS-MPPE-Encryption-Policy !* ANY # MS-MPPE-Encryption-Types !* ANY # MS-MPPE-Send-Key !* ANY # MS-MPPE-Recv-Key !* ANY # Message-Authenticator !* ANY # EAP-Message !* ANY # Proxy-State !* ANY # } # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # # Let the outer session know which module failed, and why. # update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap } } # inner-tunnel server block #################################################################################################################################### Any help would be gretly appreciated Thanks Ryan