Hello, I'm using EAP-TTLS + LDAP with okta, all is working fine. But I would like to use the cache system of freeradius in case the internet goes down, if no internet access to contact the ldap server is it possible to use a cache? (21) Received Access-Request Id 117 from 192.168.31.239:32773 to 192.168.31.183:1812 length 294 (21) User-Name = "leon.wolf@domain.local" (21) Chargeable-User-Identity = 0x00 (21) Location-Capable = Civic-Location (21) Calling-Station-Id = "90-78-41-4f-dd-73" (21) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (21) NAS-Port = 1 (21) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (21) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (21) NAS-IP-Address = 192.168.31.239 (21) NAS-Identifier = "WLC1" (21) Airespace-Wlan-Id = 3 (21) Service-Type = Framed-User (21) Framed-MTU = 1300 (21) NAS-Port-Type = Wireless-802.11 (21) Tunnel-Type:0 = VLAN (21) Tunnel-Medium-Type:0 = IEEE-802 (21) Tunnel-Private-Group-Id:0 = "96" (21) EAP-Message = 0x020500061500 (21) State = 0xcab4fefcc8b1eb3813f65861255465ba (21) Message-Authenticator = 0x29f8146d52be66b41004b4ed9a6d1296 (21) session-state: No cached attributes (21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (21) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (21) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (21) auth_log: EXPAND %t (21) auth_log: --> Thu Jan 14 12:58:17 2021 (21) [auth_log] = ok (21) eap: Peer sent EAP Response (code 2) ID 5 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Auth-Type eap { (21) eap: Expiring EAP session with state 0xcab4fefcc8b1eb38 (21) eap: Finished EAP session with state 0xcab4fefcc8b1eb38 (21) eap: Previous EAP request found for state 0xcab4fefcc8b1eb38, released from the list (21) eap: Peer sent packet with method EAP TTLS (21) (21) eap: Calling submodule eap_ttls to process data (21) eap_ttls: Authenticate (21) eap_ttls: Continuing EAP-TLS (21) eap_ttls: Peer ACKed our handshake fragment (21) eap_ttls: [eaptls verify] = request (21) eap_ttls: [eaptls process] = handled (21) eap: Sending EAP Request (code 1) ID 6 length 957 (21) eap: EAP session adding &reply:State = 0xcab4fefcc9b2eb38 (21) [eap] = handled (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) EXPAND Response-Packet-Type (21) --> Access-Challenge (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> leon.wolf@domain.local (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) [handled] = handled (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (21) } # Auth-Type eap = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Post-Auth-Type Challenge { (21) policy remove_reply_message_if_eap { (21) if (&reply:EAP-Message && &reply:Reply-Message) { (21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (21) else { (21) [noop] = noop (21) } # else = noop (21) } # policy remove_reply_message_if_eap = noop (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> leon.wolf@domain.local (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) } # Post-Auth-Type Challenge = updated (21) Sent Access-Challenge Id 117 from 192.168.31.183:1812 to 192.168.31.239:32773 length 0 (21) EAP-Message = 0x010603bd158000000b9f03020186304b06082b06010505070101043f303d303b06082b06010505073002862f687474703a2f2f617070732e6964656e74727573742e636f6d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100d94ce0c9f584883731dbbb13e2b3fc8b6b62126c58 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0xcab4fefcc9b2eb3813f65861255465ba (21) Finished request Waking up in 4.9 seconds. (22) Received Access-Request Id 118 from 192.168.31.239:32773 to 192.168.31.183:1812 length 424 (22) User-Name = "leon.wolf@domain.local" (22) Chargeable-User-Identity = 0x00 (22) Location-Capable = Civic-Location (22) Calling-Station-Id = "90-78-41-4f-dd-73" (22) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (22) NAS-Port = 1 (22) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (22) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (22) NAS-IP-Address = 192.168.31.239 (22) NAS-Identifier = "WLC1" (22) Airespace-Wlan-Id = 3 (22) Service-Type = Framed-User (22) Framed-MTU = 1300 (22) NAS-Port-Type = Wireless-802.11 (22) Tunnel-Type:0 = VLAN (22) Tunnel-Medium-Type:0 = IEEE-802 (22) Tunnel-Private-Group-Id:0 = "96" (22) EAP-Message = 0x0206008815800000007e160303004610000042410436fe757ae06837679e32e33eef46449bfb57126ab725fbc270219624e528203360ee7521080563eb18d57ed754f7079e1bf3c4423f5975e1d2aedd7597251c87140303000101160303002800000000000000009b5217d1d18538b885d7f88ff00291a7d352e5b47e9b660c263b64b9f36067dd (22) State = 0xcab4fefcc9b2eb3813f65861255465ba (22) Message-Authenticator = 0x6e609bd8d4caf0c99454c818de75af99 (22) session-state: No cached attributes (22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (22) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (22) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (22) auth_log: EXPAND %t (22) auth_log: --> Thu Jan 14 12:58:17 2021 (22) [auth_log] = ok (22) eap: Peer sent EAP Response (code 2) ID 6 length 136 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) Auth-Type eap { (22) eap: Expiring EAP session with state 0xcab4fefcc9b2eb38 (22) eap: Finished EAP session with state 0xcab4fefcc9b2eb38 (22) eap: Previous EAP request found for state 0xcab4fefcc9b2eb38, released from the list (22) eap: Peer sent packet with method EAP TTLS (21) (22) eap: Calling submodule eap_ttls to process data (22) eap_ttls: Authenticate (22) eap_ttls: Continuing EAP-TLS (22) eap_ttls: Peer indicated complete TLS record size will be 126 bytes (22) eap_ttls: Got complete TLS record (126 bytes) (22) eap_ttls: [eaptls verify] = length included (22) eap_ttls: TLS_accept: SSLv3/TLS write server done (22) eap_ttls: <<< recv TLS 1.2 [length 0046] (22) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (22) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (22) eap_ttls: <<< recv TLS 1.2 [length 0010] (22) eap_ttls: TLS_accept: SSLv3/TLS read finished (22) eap_ttls: >>> send TLS 1.2 [length 0001] (22) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (22) eap_ttls: >>> send TLS 1.2 [length 0010] (22) eap_ttls: TLS_accept: SSLv3/TLS write finished (22) eap_ttls: Serialising session 36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f, and storing in cache (22) eap_ttls: WARNING: Wrote session 36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f to /var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1 (139 bytes) (22) eap_ttls: (other): SSL negotiation finished successfully (22) eap_ttls: TLS - Connection Established (22) eap_ttls: Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834 (22) eap_ttls: Attr-155.7 = 0x544c5320312e32 (22) eap_ttls: TLS - got 51 bytes of data (22) eap_ttls: [eaptls process] = handled (22) eap: Sending EAP Request (code 1) ID 7 length 61 (22) eap: EAP session adding &reply:State = 0xcab4fefcceb3eb38 (22) [eap] = handled (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) EXPAND Response-Packet-Type (22) --> Access-Challenge (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) attr_filter.access_challenge: EXPAND %{User-Name} (22) attr_filter.access_challenge: --> leon.wolf@domain.local (22) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (22) [attr_filter.access_challenge.post-auth] = updated (22) [handled] = handled (22) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (22) } # Auth-Type eap = handled (22) Using Post-Auth-Type Challenge (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) Post-Auth-Type Challenge { (22) policy remove_reply_message_if_eap { (22) if (&reply:EAP-Message && &reply:Reply-Message) { (22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (22) else { (22) [noop] = noop (22) } # else = noop (22) } # policy remove_reply_message_if_eap = noop (22) attr_filter.access_challenge: EXPAND %{User-Name} (22) attr_filter.access_challenge: --> leon.wolf@domain.local (22) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (22) [attr_filter.access_challenge.post-auth] = updated (22) } # Post-Auth-Type Challenge = updated (22) session-state: Saving cached attributes (22) TLS-Cache-Filename = "/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1" (22) Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834 (22) Attr-155.7 = 0x544c5320312e32 (22) Sent Access-Challenge Id 118 from 192.168.31.183:1812 to 192.168.31.239:32773 length 0 (22) EAP-Message = 0x0107003d158000000033140303000101160303002836d8a1ff6b2afaae621fc261218f4483f1c4545f86a9b8fe41deae7225f2324e15c977fd19b170a0 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0xcab4fefcceb3eb3813f65861255465ba (22) Finished request Waking up in 4.9 seconds. (23) Received Access-Request Id 119 from 192.168.31.239:32773 to 192.168.31.183:1812 length 387 (23) User-Name = "leon.wolf@domain.local" (23) Chargeable-User-Identity = 0x00 (23) Location-Capable = Civic-Location (23) Calling-Station-Id = "90-78-41-4f-dd-73" (23) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (23) NAS-Port = 1 (23) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (23) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (23) NAS-IP-Address = 192.168.31.239 (23) NAS-Identifier = "WLC1" (23) Airespace-Wlan-Id = 3 (23) Service-Type = Framed-User (23) Framed-MTU = 1300 (23) NAS-Port-Type = Wireless-802.11 (23) Tunnel-Type:0 = VLAN (23) Tunnel-Medium-Type:0 = IEEE-802 (23) Tunnel-Private-Group-Id:0 = "96" (23) EAP-Message = 0x0207006315800000005917030300540000000000000001e70b56177cd34eacf86e9bd90e8fe557e020b9f6d814adddf9bde349e67f3e9a1dda72f8fd14224098f24cae3410220287d1814b3984a577db30a8289bd48a898a69c25b4667f3cc93b0ab0b (23) State = 0xcab4fefcceb3eb3813f65861255465ba (23) Message-Authenticator = 0x19e54adcb4aeb90d8bcb07f5984056ec (23) Restoring &session-state (23) &session-state:TLS-Cache-Filename = "/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1" (23) &session-state:Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834 (23) &session-state:Attr-155.7 = 0x544c5320312e32 (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (23) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (23) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (23) auth_log: EXPAND %t (23) auth_log: --> Thu Jan 14 12:58:17 2021 (23) [auth_log] = ok (23) eap: Peer sent EAP Response (code 2) ID 7 length 99 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # authorize = ok (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Auth-Type eap { (23) eap: Expiring EAP session with state 0xcab4fefcceb3eb38 (23) eap: Finished EAP session with state 0xcab4fefcceb3eb38 (23) eap: Previous EAP request found for state 0xcab4fefcceb3eb38, released from the list (23) eap: Peer sent packet with method EAP TTLS (21) (23) eap: Calling submodule eap_ttls to process data (23) eap_ttls: Authenticate (23) eap_ttls: Continuing EAP-TLS (23) eap_ttls: Peer indicated complete TLS record size will be 89 bytes (23) eap_ttls: Got complete TLS record (89 bytes) (23) eap_ttls: [eaptls verify] = length included (23) eap_ttls: [eaptls process] = ok (23) eap_ttls: Session established. Proceeding to decode tunneled attributes (23) eap_ttls: Got tunneled request (23) eap_ttls: User-Name = "leon.wolf@domain.local" (23) eap_ttls: User-Password = "scN3VXa4XZvm7N4!" (23) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_ttls: Sending tunneled request (23) Virtual server default received request (23) User-Name = "leon.wolf@domain.local" (23) User-Password = "scN3VXa4XZvm7N4!" (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) Chargeable-User-Identity = 0x00 (23) Location-Capable = Civic-Location (23) Calling-Station-Id = "90-78-41-4f-dd-73" (23) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (23) NAS-Port = 1 (23) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (23) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (23) NAS-IP-Address = 192.168.31.239 (23) NAS-Identifier = "WLC1" (23) Airespace-Wlan-Id = 3 (23) Service-Type = Framed-User (23) Framed-MTU = 1300 (23) NAS-Port-Type = Wireless-802.11 (23) Tunnel-Type:0 = VLAN (23) Tunnel-Medium-Type:0 = IEEE-802 (23) Tunnel-Private-Group-Id:0 = "96" (23) Event-Timestamp = "Jan 14 2021 12:58:17 WET" (23) WARNING: Outer and inner identities are the same. User privacy is compromised. (23) server default { (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (23) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (23) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (23) auth_log: EXPAND %t (23) auth_log: --> Thu Jan 14 12:58:17 2021 (23) [auth_log] = ok (23) eap: No EAP-Message, not doing EAP (23) [eap] = noop (23) [expiration] = noop (23) [logintime] = noop (23) update control { (23) Cache-Status-Only = yes (23) } # update control = noop (23) cache: EXPAND %{User-Name} (23) cache: --> leon.wolf@domain.local (23) cache: Found entry for "leon.wolf@domain.local" (23) [cache] = ok (23) if (notfound) { (23) if (notfound) -> FALSE (23) if (User-Password) { (23) if (User-Password) -> TRUE (23) if (User-Password) { (23) update control { (23) Auth-Type := LDAP (23) } # update control = noop (23) } # if (User-Password) = noop (23) cache: EXPAND %{User-Name} (23) cache: --> leon.wolf@domain.local (23) cache: Found entry for "leon.wolf@domain.local" (23) cache: Merging cache entry into request (23) cache: &reply:Reply-Message += "Cache last updated at Thu Jan 14 11:57:02 2021" (23) cache: &reply:Class := 0x4b703872434c46586d6c6c6953624238735a644a42746459576945614b2e4e65 (23) [cache] = ok (23) } # authorize = ok (23) Found Auth-Type = LDAP (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Auth-Type LDAP { rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 162 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for 160 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (11), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://jumia.ldap.idp.com:389 rlm_ldap (ldap): Could not start TLS: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (11) (23) [ldap] = fail (23) } # Auth-Type LDAP = fail (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Post-Auth-Type REJECT { (23) attr_filter.access_reject: EXPAND %{User-Name} (23) attr_filter.access_reject: --> leon.wolf@domain.local (23) attr_filter.access_reject: Matched entry DEFAULT at line 11 (23) [attr_filter.access_reject] = updated (23) [eap] = noop (23) policy remove_reply_message_if_eap { (23) if (&reply:EAP-Message && &reply:Reply-Message) { (23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (23) else { (23) [noop] = noop (23) } # else = noop (23) } # policy remove_reply_message_if_eap = noop (23) } # Post-Auth-Type REJECT = updated (23) } # server default (23) Virtual server sending reply (23) Reply-Message = "Cache last updated at Thu Jan 14 11:57:02 2021" (23) eap_ttls: Got tunneled Access-Reject tls: Removing session 36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f from the cache (23) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (23) eap: Sending EAP Failure (code 4) ID 7 length 4 (23) eap: Failed in EAP select (23) [eap] = invalid (23) } # Auth-Type eap = invalid (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Post-Auth-Type REJECT { (23) attr_filter.access_reject: EXPAND %{User-Name} (23) attr_filter.access_reject: --> leon.wolf@domain.local (23) attr_filter.access_reject: Matched entry DEFAULT at line 11 (23) [attr_filter.access_reject] = updated (23) [eap] = noop (23) policy remove_reply_message_if_eap { (23) if (&reply:EAP-Message && &reply:Reply-Message) { (23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (23) else { (23) [noop] = noop (23) } # else = noop (23) } # policy remove_reply_message_if_eap = noop (23) } # Post-Auth-Type REJECT = updated (23) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (23) Sending delayed response (23) Sent Access-Reject Id 119 from 192.168.31.183:1812 to 192.168.31.239:32773 length 44 (23) EAP-Message = 0x04070004 (23) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (18) Cleaning up request packet ID 114 with timestamp +3690 (19) Cleaning up request packet ID 115 with timestamp +3690 (20) Cleaning up request packet ID 116 with timestamp +3690 (21) Cleaning up request packet ID 117 with timestamp +3690 (22) Cleaning up request packet ID 118 with timestamp +3690 (23) Cleaning up request packet ID 119 with timestamp +3690 Ready to process requests ***** Config for sites-enabled/default ****** server default { listen { type = auth ipaddr = 192.168.31.183 port = 0 limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { # Only for "proto = tcp". These are ignored for "udp" sockets. # } } listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username preprocess auth_log eap { ok = return updated = return } expiration logintime update control { Cache-Status-Only = 'yes' } cache if (notfound) { ldap } if (User-Password) { # <- when using cache this it's here with True update control { Auth-Type := ldap } } cache } authenticate { Auth-Type PAP { #pap ldap # eap-ttls comes here for authentication } Auth-Type LDAP { ldap } Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { attr_filter.access_challenge.post-auth handled # override the "updated" code from attr_filter } } } preacct { preprocess acct_unique suffix } accounting { detail -sql attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure eap # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } Post-Auth-Type Challenge { remove_reply_message_if_eap attr_filter.access_challenge.post-auth } } pre-proxy { } post-proxy { eap } } ****** eap config **** eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_file = /etc/freeradius/3.0/certs/rsa/fullchain2.key certificate_file = /etc/freeradius/3.0/certs/rsa/fullchain2.pem ca_file = /etc/ssl/certs/ca-certificates.crt ca_file = /etc/freeradius/3.0/certs/rsa/rootDSTX3.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" ecdh_curve = "prime256v1" cache { enable = yes name = "EAP module" persist_dir = "${logdir}/tlscache" } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "default" } virtual_server = default }