I have ran through the tutorial of freeradius setup at the following site and am sharing my debug file as at this point I’m not sure where I’m supposed to go? We’re trying to setup wireless authentication using a mikrotik router as our NAS to authenticate to our radius server. https://docs.beamnetworks.dev/en/linux/networking/freeradius-daloradius below is my debug log after running $ freeradius -X 2>&1 | tee debugfile FreeRADIUS Version 3.0.26 Copyright (C) 1999-2021 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 0.0.0.0/0 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 0.0.0.0/0. Please fix your configuration Support for old-style clients will be removed in a future release client ::/0 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client ::/0. Please fix your configuration Support for old-style clients will be removed in a future release client mikrotik-router { ipaddr = 10.108.21.198 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Autz-Type = New-TLS-Connection radiusd: #### Instantiating modules #### modules { # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctsessiontime = '%{%{integer:Event-Timestamp}:-%l}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctsessiontime = '%{%{integer:Event-Timestamp}:-%l}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix ) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}' )" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctinterval = %{%{integer:Event-Timestamp}:-%l} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 instantiate { } # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = http://127.0.0.1/ocsp/ use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql_mysql: libmysql version: 8.0.37 mysql { tls { tls_required = no check_cert = no check_cert_cn = no } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client XX.XXX.XX.XXX (IT Office Mikrotik) to global clients list Failed to add duplicate client IT Office Mikrotik Failed to add client, possible duplicate? rlm_sql (sql): Released connection (0) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) Compiling Autz-Type New-TLS-Connection for attr Autz-Type # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 55131 Listening on proxy address :: port 46542 ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ----------------------------
On Tue, 2024-07-09 at 20:31 +0000, Ryan McGuire via Freeradius-Users wrote:
I have ran through the tutorial of freeradius setup at the following site and am sharing my debug file as at this point I’m not sure where I’m supposed to go? We’re trying to setup wireless authentication using a mikrotik router as our NAS to authenticate to our radius server.
https://docs.beamnetworks.dev/en/linux/networking/freeradius-daloradius
below is my debug log after running
-----------------8<---------------------- Ryan I'm no expert but Alan and co are probably tied up with BlastRadius. I can't see an actual authentication attempt in your debug log. It would be nice to see how things actually fail 8) Redact any passwords or create some simple throwaway ones for the logs. If you do set a simple secret etc make sure you set it everywhere it is needed. There are a few errors in there that are probably cosmetic. A possible duplicate definition of your Mikrotik (another one called IT office Mikrotik) You might like to try out this sort of testing, with radclient. Here's a reasonably well documented effort: https://support.secureauth.com/hc/en-us/articles/21005845034772-How-to-test-... What sort of Mikrotik are you using? They tend to come with the kitchen sink installed. Routeros comes with a FreeRADIUS installed. A few more short notes on what you are trying to achieve and a debug of what happens when it fails and I'm sure you'll get over the line. Cheers Jon
Thanks for the reply Jon, Cam you point me in the direction of a tutorial to set up freeradius from start to finish? Seems like the ones I've found are missing pieces here and there vs others Keep in mind I'm completely new to this and the ultimate goal is using the freeradius server to authenticate users for wireless authentication with a mikrotik router which would be our NAS thanks for any help provided Sent from my Verizon, Samsung Galaxy smartphone ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- -------- Original message -------- From: Jon Gerdes <gerdesj@blueloop.net> Date: 7/9/24 4:11 PM (GMT-07:00) To: freeradius-users@lists.freeradius.org Cc: Ryan McGuire <rmcguire@cgtmt.com> Subject: Re: debug log On Tue, 2024-07-09 at 20: 31 +0000, Ryan McGuire via Freeradius-Users wrote: > I have ran through the tutorial of freeradius setup at the following > site and am sharing my debug file as at this point I’m not sure where > I’m supposed On Tue, 2024-07-09 at 20:31 +0000, Ryan McGuire via Freeradius-Users wrote:
I have ran through the tutorial of freeradius setup at the following site and am sharing my debug file as at this point I’m not sure where I’m supposed to go? We’re trying to setup wireless authentication using a mikrotik router as our NAS to authenticate to our radius server.
https://urldefense.com/v3/__https://docs.beamnetworks.dev/en/linux/networkin...
below is my debug log after running
-----------------8<---------------------- Ryan I'm no expert but Alan and co are probably tied up with BlastRadius. I can't see an actual authentication attempt in your debug log. It would be nice to see how things actually fail 8) Redact any passwords or create some simple throwaway ones for the logs. If you do set a simple secret etc make sure you set it everywhere it is needed. There are a few errors in there that are probably cosmetic. A possible duplicate definition of your Mikrotik (another one called IT office Mikrotik) You might like to try out this sort of testing, with radclient. Here's a reasonably well documented effort: https://urldefense.com/v3/__https://support.secureauth.com/hc/en-us/articles... What sort of Mikrotik are you using? They tend to come with the kitchen sink installed. Routeros comes with a FreeRADIUS installed. A few more short notes on what you are trying to achieve and a debug of what happens when it fails and I'm sure you'll get over the line. Cheers Jon
On Jul 9, 2024, at 6:59 PM, Ryan McGuire via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Cam you point me in the direction of a tutorial to set up freeradius from start to finish?
RADIUS is complicated enough that there is no "one stop" guide to do everything you want. The best approach is to understand how things work, and to put the pieces together.
Seems like the ones I've found are missing pieces here and there vs others
Most third-party docs are wrong, incomplete, misleading, et.
Keep in mind I'm completely new to this and the ultimate goal is using the freeradius server to authenticate users for wireless authentication with a mikrotik router which would be our NAS
See http://deployingradius.com It has detailed guides for getting WiFi (802.1) working. It *will* work. If you have specific problems with that guide, then ask detailed questions. The more information you give, the easier it is to help you. Alan DeKok.
Thanks Alan, Doing this in Linux(Ubuntu) also Sent from my Verizon, Samsung Galaxy smartphone ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- -------- Original message -------- From: Alan DeKok <aland@deployingradius.com> Date: 7/9/24 5:08 PM (GMT-07:00) To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Jon Gerdes <gerdesj@blueloop.net>, Ryan McGuire <rmcguire@cgtmt.com> Subject: Re: debug log On Jul 9, 2024, at 6: 59 PM, Ryan McGuire via Freeradius-Users <freeradius-users@ lists. freeradius. org> wrote: > Cam you point me in the direction of a tutorial to set up freeradius from start to finish? RADIUS is complicated enough On Jul 9, 2024, at 6:59 PM, Ryan McGuire via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Cam you point me in the direction of a tutorial to set up freeradius from start to finish?
RADIUS is complicated enough that there is no "one stop" guide to do everything you want. The best approach is to understand how things work, and to put the pieces together.
Seems like the ones I've found are missing pieces here and there vs others
Most third-party docs are wrong, incomplete, misleading, et.
Keep in mind I'm completely new to this and the ultimate goal is using the freeradius server to authenticate users for wireless authentication with a mikrotik router which would be our NAS
See https://urldefense.com/v3/__http://deployingradius.com__;!!OpwIkcY!g4XNP8ITj... It has detailed guides for getting WiFi (802.1) working. It *will* work. If you have specific problems with that guide, then ask detailed questions. The more information you give, the easier it is to help you. Alan DeKok.
On Tue, 2024-07-09 at 19:08 -0400, Alan DeKok wrote:
On Jul 9, 2024, at 6:59 PM, Ryan McGuire via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Cam you point me in the direction of a tutorial to set up freeradius from start to finish?
8< Ryan As Mr DeKok said, RADIUS is sodding complicated. I found that using tools like radclient and running the server in debug mode really gets things into perspective. Read the output carefully. Run the job and grab the logs. Now leave your computer and go and grab a cup of tea/smoke a fag/say a mantra or whatever: You do you! Pass the logs through something like lnav or notepad++ or whatever gets some colour and context into them on your OS. Take a deep breathe and start reading critically. There are a lot of moving parts with RADIUS and you need to eliminate silly things. such as a miss typed/pasted secret or a complete miss understanding of what on earth is going on! There is no easy tutorial for all eventualities but your use case is pretty standard as far as I can tell. Bon chance Cheers Jon PS A debug log with an auth attempt in it might help us to help you
The link below is what I followed to setup my freeradius server https://docs.beamnetworks.dev/en/linux/networking/freeradius-install I believe I followed this all correctly, from here what would be my next step as far as sharing the debug logs and trying to authenticate with my mikrotik router? Thank you ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Jon Gerdes <gerdesj@blueloop.net> Sent: Tuesday, July 9, 2024 6:06 PM To: aland@deployingradius.com; freeradius-users@lists.freeradius.org Cc: Ryan McGuire <rmcguire@cgtmt.com> Subject: Re: debug log On Tue, 2024-07-09 at 19: 08 -0400, Alan DeKok wrote: > On Jul 9, 2024, at 6: 59 PM, Ryan McGuire via Freeradius-Users > <freeradius-users@ lists. freeradius. org> wrote: > > Cam you point me in the direction of a tutorial to set On Tue, 2024-07-09 at 19:08 -0400, Alan DeKok wrote:
On Jul 9, 2024, at 6:59 PM, Ryan McGuire via Freeradius-Users
<freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> wrote:
Cam you point me in the direction of a tutorial to set up
freeradius from start to finish?
8< Ryan As Mr DeKok said, RADIUS is sodding complicated. I found that using tools like radclient and running the server in debug mode really gets things into perspective. Read the output carefully. Run the job and grab the logs. Now leave your computer and go and grab a cup of tea/smoke a fag/say a mantra or whatever: You do you! Pass the logs through something like lnav or notepad++ or whatever gets some colour and context into them on your OS. Take a deep breathe and start reading critically. There are a lot of moving parts with RADIUS and you need to eliminate silly things. such as a miss typed/pasted secret or a complete miss understanding of what on earth is going on! There is no easy tutorial for all eventualities but your use case is pretty standard as far as I can tell. Bon chance Cheers Jon PS A debug log with an auth attempt in it might help us to help you
On Jul 10, 2024, at 9:33 AM, Ryan McGuire <rmcguire@cgtmt.com> wrote:
The link below is what I followed to setup my freeradius server
The server does come with documentation. While that particular page isn't bad, most third-party documentation is terrible, wrong, insecure, outdated, etc.
https://docs.beamnetworks.dev/en/linux/networking/freeradius-install
I believe I followed this all correctly, from here what would be my next step as far as sharing the debug logs and trying to authenticate with my mikrotik router?
When you join the list, you get an email telling you how to post to the list. i.e. what information we need, and how to get it. Again, all of this is extensively documented. http://wiki.freeradius.org/list-help Alan DeKok.
I ran my authentication request using NTRadPing to my radius server with one of users had added. Attached is the log when running Radius -X Its stating Failed to add duplicate client IT Office Mikrotik Failed to add client, possible duplicate? Where that is one of the NAS clients I have added, where would I see that there is a duplicate listed? ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Alan DeKok <aland@deployingradius.com> Sent: Wednesday, July 10, 2024 7:44 AM To: Ryan McGuire <rmcguire@cgtmt.com> Cc: Jon Gerdes <gerdesj@blueloop.net>; freeradius-users@lists.freeradius.org Subject: Re: debug log On Jul 10, 2024, at 9: 33 AM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > The link below is what I followed to setup my freeradius server The server does come with documentation. While that particular page isn't bad, most third-party On Jul 10, 2024, at 9:33 AM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
The link below is what I followed to setup my freeradius server
The server does come with documentation. While that particular page isn't bad, most third-party documentation is terrible, wrong, insecure, outdated, etc.
I believe I followed this all correctly, from here what would be my next step as far as sharing the debug logs and trying to authenticate with my mikrotik router?
When you join the list, you get an email telling you how to post to the list. i.e. what information we need, and how to get it. Again, all of this is extensively documented. https://urldefense.com/v3/__http://wiki.freeradius.org/list-help__;!!OpwIkcY!hdngrh_RsvgMyEW5C_3mR5boqdHLiK123EfjCsFV9yuEWOSTOsIfebS_SkESBHxyLq7E1b2t8hejP8mkomE$<https://urldefense.com/v3/__http:/wiki.freeradius.org/list-help__;!!OpwIkcY!hdngrh_RsvgMyEW5C_3mR5boqdHLiK123EfjCsFV9yuEWOSTOsIfebS_SkESBHxyLq7E1b2t8hejP8mkomE$> Alan DeKok.
Removed the NAS Client from daloradius and not getting the duplicate client message now ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Wednesday, July 10, 2024 10:34 AM To: Alan DeKok <aland@deployingradius.com> Cc: Jon Gerdes <gerdesj@blueloop.net>; freeradius-users@lists.freeradius.org Subject: RE: debug log I ran my authentication request using NTRadPing to my radius server with one of users had added. Attached is the log when running Radius -X Its stating Failed to add duplicate client IT Office Mikrotik Failed to add client, possible duplicate? Where that is one of the NAS clients I have added, where would I see that there is a duplicate listed? From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 7:44 AM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 9: 33 AM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > The link below is what I followed to setup my freeradius server The server does come with documentation. While that particular page isn't bad, most third-party On Jul 10, 2024, at 9:33 AM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
The link below is what I followed to setup my freeradius server
The server does come with documentation. While that particular page isn't bad, most third-party documentation is terrible, wrong, insecure, outdated, etc.
I believe I followed this all correctly, from here what would be my next step as far as sharing the debug logs and trying to authenticate with my mikrotik router?
When you join the list, you get an email telling you how to post to the list. i.e. what information we need, and how to get it. Again, all of this is extensively documented. https://urldefense.com/v3/__http://wiki.freeradius.org/list-help__;!!OpwIkcY!hdngrh_RsvgMyEW5C_3mR5boqdHLiK123EfjCsFV9yuEWOSTOsIfebS_SkESBHxyLq7E1b2t8hejP8mkomE$<https://urldefense.com/v3/__http:/wiki.freeradius.org/list-help__;!!OpwIkcY!hdngrh_RsvgMyEW5C_3mR5boqdHLiK123EfjCsFV9yuEWOSTOsIfebS_SkESBHxyLq7E1b2t8hejP8mkomE$> Alan DeKok.
Attached is my log when running ntradping ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Wednesday, July 10, 2024 12:35 PM To: Alan DeKok <aland@deployingradius.com> Cc: Jon Gerdes <gerdesj@blueloop.net>; freeradius-users@lists.freeradius.org Subject: RE: debug log Removed the NAS Client from daloradius and not getting the duplicate client message now From: Ryan McGuire Sent: Wednesday, July 10, 2024 10:34 AM To: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log I ran my authentication request using NTRadPing to my radius server with one of users had added. Attached is the log when running Radius -X Its stating Failed to add duplicate client IT Office Mikrotik Failed to add client, possible duplicate? Where that is one of the NAS clients I have added, where would I see that there is a duplicate listed? From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 7:44 AM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 9: 33 AM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > The link below is what I followed to setup my freeradius server The server does come with documentation. While that particular page isn't bad, most third-party On Jul 10, 2024, at 9:33 AM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
The link below is what I followed to setup my freeradius server
The server does come with documentation. While that particular page isn't bad, most third-party documentation is terrible, wrong, insecure, outdated, etc.
I believe I followed this all correctly, from here what would be my next step as far as sharing the debug logs and trying to authenticate with my mikrotik router?
When you join the list, you get an email telling you how to post to the list. i.e. what information we need, and how to get it. Again, all of this is extensively documented. https://urldefense.com/v3/__http://wiki.freeradius.org/list-help__;!!OpwIkcY!hdngrh_RsvgMyEW5C_3mR5boqdHLiK123EfjCsFV9yuEWOSTOsIfebS_SkESBHxyLq7E1b2t8hejP8mkomE$<https://urldefense.com/v3/__http:/wiki.freeradius.org/list-help__;!!OpwIkcY!hdngrh_RsvgMyEW5C_3mR5boqdHLiK123EfjCsFV9yuEWOSTOsIfebS_SkESBHxyLq7E1b2t8hejP8mkomE$> Alan DeKok.
On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Alan DeKok <aland@deployingradius.com> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com> Cc: Jon Gerdes <gerdesj@blueloop.net>; freeradius-users@lists.freeradius.org Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
On Jul 10, 2024, at 5:29 PM, Ryan McGuire via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
This is what I get when I do a radtest
That isn't what I asked for. I asked for the full debug output of the server, and a description of what you're doing. This message doesn't do either.
Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up
Since you don't say what you want to do, it's impossible to give you a tutorial for setting it up. This is like asking someone for directions. When they ask "where to?" Your answer is "I want directions". At which point, it's impossible to help you. Sorry, but I don't think I can help you. Read the docs, follow instructions, and you will solve problems. Don't read the docs, and don't follow instructions... you will get nowhere. Alan DeKok.
Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image551308.jpg@7564E3CF.B9C55594] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com> Cc: Jon Gerdes <gerdesj@blueloop.net>; freeradius-users@lists.freeradius.org Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Jon Gerdes <gerdesj@blueloop.net> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com; Ryan McGuire <rmcguire@cgtmt.com> Cc: freeradius-users@lists.freeradius.org Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD368.EC4ED5E0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net>; aland@deployingradius.com Cc: freeradius-users@lists.freeradius.org Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD434.6C0F7070] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https://sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS%20VM... Cheers Jon On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image681112.jpg@1B058E70.6A912963] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net>; aland@deployingradius.com Cc: freeradius-users@lists.freeradius.org Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD434.6C0F7070] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
Isn’t daloradius just a gui form of freeradius? But yes, I have daloradius loaded….sorry to sound dumb but what do I open the daloradiusvm.ova file with? Thanks Jon ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Jon Gerdes <gerdesj@blueloop.net> Sent: Friday, July 12, 2024 9:32 AM To: aland@deployingradius.com; Ryan McGuire <rmcguire@cgtmt.com> Cc: freeradius-users@lists.freeradius.org Subject: Re: debug log Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https://sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS%20VM/<https://urldefense.com/v3/__https:/sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS*20VM/__;JQ!!OpwIkcY!gdGXPUNnmY2XrEUhyyK2hHmMy8W2K35wy6fXsOfy944Me_K_oNi8TgEjjQoX6Zsw7NqPbRvO4q2Sud53$> Cheers Jon On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD43E.F5A51AB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD43E.F5A51AB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
Hey Ryan, daloRadius is a GUI but works with a database and configures freeradius to use database for couple things. This way it is able to do some (limited) configuration of freeradius. I started with freeradius the same way like you, but ended up installing freeradius directly on the host - clean ubuntu + official freeradius (not from ubuntu package repo - that one is old). Then as Alan repeats relentlessly :) I went to read the configs which document all the stuff. It takes time, but getting to understand how it works really pays off in the end. It would also help you to get a bit more familiar with the RADIUS protocol, especially which packets are sent by client and what packets are returned in which situation AND what attributes they carry. This is essential to configure your freeradius installation and your NAS the way you need it and the freeradius configs will start making a lot more sense to you. Ludo On 7/12/24 17:36, Ryan McGuire via Freeradius-Users wrote:
Isn’t daloradius just a gui form of freeradius? But yes, I have daloradius loaded….sorry to sound dumb but what do I open the daloradiusvm.ova file with?
Thanks Jon
---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Jon Gerdes <gerdesj@blueloop.net> Sent: Friday, July 12, 2024 9:32 AM To: aland@deployingradius.com; Ryan McGuire <rmcguire@cgtmt.com> Cc: freeradius-users@lists.freeradius.org Subject: Re: debug log
Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers
Ryan
What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual:
Cheers Jon
On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon,
Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux.
Thank you for your help
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138
Billings , MT
59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD43E.F5A51AB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log
Hi Jon,
I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at).
Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius.
The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11.
Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still.
Let me know if you need any additional information
Thank you
From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log
Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan
"Received Access-Accept" means that RADIUS is happy and has authenticated the request.
I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs.
Something like:
I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc
Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong.
Cheers Jon
On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest
Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88"
Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up
Thanks for any help provided
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138
Billings , MT
59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD43E.F5A51AB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log
On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding
On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help.
And you don't need to use nradping. The server comes with test tools: radclient / radtest.
As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*.
For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else?
What, exactly, is the problem you need help with? Can you describe it?
I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ľudovít Mikula Mikori s.r.o ------------------------ Fatranská 3100/4 01008 Žilina Slovenská Republika ------------------------ ... aby korenie chutilo, ako má ... ------------------------ Web: https://www.mikori.sk/ E-Shop: https://www.cerstvekorenie.sk/ E-mail: ludovit.mikula@mikori.sk Facebook: https://www.facebook.com/mikori.korenie/
Thanks for the reply…appreciate it. With Free Radius installed and having daloradius setup, are my next steps then to try and wireless authenticate with my mikrotik(NAS client) and read through the debug logs on warnings/failures, etc. Just trying to have a roadmap as far as the process goes Thanks again. ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Freeradius-Users <freeradius-users-bounces+rmcguire=cgtmt.com@lists.freeradius.org> On Behalf Of Ludovít Mikula Sent: Friday, July 12, 2024 10:13 AM To: freeradius-users@lists.freeradius.org Subject: Re: debug log Hey Ryan, daloRadius is a GUI but works with a database and configures freeradius to use database for couple things. This way it is able to do some (limited) configuration of freeradius. I started with freeradius the same way like you, but Hey Ryan, daloRadius is a GUI but works with a database and configures freeradius to use database for couple things. This way it is able to do some (limited) configuration of freeradius. I started with freeradius the same way like you, but ended up installing freeradius directly on the host - clean ubuntu + official freeradius (not from ubuntu package repo - that one is old). Then as Alan repeats relentlessly :) I went to read the configs which document all the stuff. It takes time, but getting to understand how it works really pays off in the end. It would also help you to get a bit more familiar with the RADIUS protocol, especially which packets are sent by client and what packets are returned in which situation AND what attributes they carry. This is essential to configure your freeradius installation and your NAS the way you need it and the freeradius configs will start making a lot more sense to you. Ludo On 7/12/24 17:36, Ryan McGuire via Freeradius-Users wrote:
Isn’t daloradius just a gui form of freeradius? But yes, I have daloradius loaded….sorry to sound dumb but what do I open the daloradiusvm.ova file with?
Thanks Jon
----------------------------
Ryan McGuire | Systems Administrator
Century Gaming Technologies - Billings
PO Box 21138 Billings, MT 59101
C: 406-860-1299
E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>
Confidentiality Statement:
This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it.
----------------------------
From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>
Sent: Friday, July 12, 2024 9:32 AM
To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>>
Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>
Subject: Re: debug log
Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers
Ryan
What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual:
Cheers
Jon
On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote:
Hi Jon,
Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux.
Thank you for your help
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
Ryan McGuire
|
Systems Administrator
Century Gaming Technologies
‑
Billings
PO Box 21138
Billings
,
MT
59101
C: 406-860-1299<tel:406-860-1299>
E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>
W: http://www.cgtmt.com<http://www.cgtmt.com/<http://www.cgtmt.com%3chttp:/www.cgtmt.com/>>
[cid:image001.jpg@01DAD43E.F5A51AB0]
Confidentiality Statement:
This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it.
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
From: Ryan McGuire
Sent: Thursday, July 11, 2024 8:27 AM
To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net<mailto:gerdesj@blueloop.net%3cmailto:gerdesj@blueloop.net>>>; aland@deployingradius.com<mailto:aland@deployingradius.com<mailto:aland@deployingradius.com%3cmailto:aland@deployingradius.com>>
Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org%3cmailto:freeradius-users@lists.freeradius.org>>
Subject: RE: debug log
Hi Jon,
I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at).
Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius.
The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11.
Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still.
Let me know if you need any additional information
Thank you
From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net<mailto:gerdesj@blueloop.net%3cmailto:gerdesj@blueloop.net>>>
Sent: Wednesday, July 10, 2024 4:36 PM
To: aland@deployingradius.com<mailto:aland@deployingradius.com<mailto:aland@deployingradius.com%3cmailto:aland@deployingradius.com>>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>>
Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org%3cmailto:freeradius-users@lists.freeradius.org>>
Subject: Re: debug log
Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need
Ryan
"Received Access-Accept" means that RADIUS is happy and has authenticated the request.
I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs.
Something like:
I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc
Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong.
Cheers
Jon
On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote:
This is what I get when I do a radtest
Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78
User-Name = "rmcguire"
User-Password = "password123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "password123"
Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "88"
Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up
Thanks for any help provided
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
Ryan McGuire
|
Systems Administrator
Century Gaming Technologies
‑
Billings
PO Box 21138
Billings
,
MT
59101
C: 406-860-1299<tel:406-860-1299>
E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>
W: http://www.cgtmt.com<http://www.cgtmt.com/<http://www.cgtmt.com%3chttp:/www.cgtmt.com/>>
[cid:image001.jpg@01DAD43E.F5A51AB0]
Confidentiality Statement:
This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it.
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com<mailto:aland@deployingradius.com%3cmailto:aland@deployingradius.com>>>
Sent: Wednesday, July 10, 2024 2:32 PM
To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>>
Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net<mailto:gerdesj@blueloop.net%3cmailto:gerdesj@blueloop.net>>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>
Subject: Re: debug log
On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding
On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help.
And you don't need to use nradping. The server comes with test tools: radclient / radtest.
As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*.
For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else?
What, exactly, is the problem you need help with? Can you describe it?
I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try.
Alan DeKok.
-
-- Ľudovít Mikula Mikori s.r.o ------------------------ Fatranská 3100/4 01008 Žilina Slovenská Republika ------------------------ ... aby korenie chutilo, ako má ... ------------------------ Web: https://urldefense.com/v3/__https://www.mikori.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgUrWuKvGw$<https://urldefense.com/v3/__https:/www.mikori.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgUrWuKvGw$> E-Shop: https://urldefense.com/v3/__https://www.cerstvekorenie.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVeeiattQ$<https://urldefense.com/v3/__https:/www.cerstvekorenie.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVeeiattQ$> E-mail: ludovit.mikula@mikori.sk<mailto:ludovit.mikula@mikori.sk> Facebook: https://urldefense.com/v3/__https://www.facebook.com/mikori.korenie/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgXJ31jRuw$<https://urldefense.com/v3/__https:/www.facebook.com/mikori.korenie/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgXJ31jRuw$> - List info/subscribe/unsubscribe? See https://urldefense.com/v3/__http://www.freeradius.org/list/users.html__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVerhDnJQ$<https://urldefense.com/v3/__http:/www.freeradius.org/list/users.html__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVerhDnJQ$>
What should my tunnel-private-group-id be set to? ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Freeradius-Users <freeradius-users-bounces+rmcguire=cgtmt.com@lists.freeradius.org> On Behalf Of Ludovít Mikula Sent: Friday, July 12, 2024 10:13 AM To: freeradius-users@lists.freeradius.org Subject: Re: debug log Hey Ryan, daloRadius is a GUI but works with a database and configures freeradius to use database for couple things. This way it is able to do some (limited) configuration of freeradius. I started with freeradius the same way like you, but Hey Ryan, daloRadius is a GUI but works with a database and configures freeradius to use database for couple things. This way it is able to do some (limited) configuration of freeradius. I started with freeradius the same way like you, but ended up installing freeradius directly on the host - clean ubuntu + official freeradius (not from ubuntu package repo - that one is old). Then as Alan repeats relentlessly :) I went to read the configs which document all the stuff. It takes time, but getting to understand how it works really pays off in the end. It would also help you to get a bit more familiar with the RADIUS protocol, especially which packets are sent by client and what packets are returned in which situation AND what attributes they carry. This is essential to configure your freeradius installation and your NAS the way you need it and the freeradius configs will start making a lot more sense to you. Ludo On 7/12/24 17:36, Ryan McGuire via Freeradius-Users wrote:
Isn’t daloradius just a gui form of freeradius? But yes, I have daloradius loaded….sorry to sound dumb but what do I open the daloradiusvm.ova file with?
Thanks Jon
----------------------------
Ryan McGuire | Systems Administrator
Century Gaming Technologies - Billings
PO Box 21138 Billings, MT 59101
C: 406-860-1299
E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>
Confidentiality Statement:
This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it.
----------------------------
From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>
Sent: Friday, July 12, 2024 9:32 AM
To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>>
Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>
Subject: Re: debug log
Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers
Ryan
What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual:
Cheers
Jon
On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote:
Hi Jon,
Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux.
Thank you for your help
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
Ryan McGuire
|
Systems Administrator
Century Gaming Technologies
‑
Billings
PO Box 21138
Billings
,
MT
59101
C: 406-860-1299<tel:406-860-1299>
E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>
W: http://www.cgtmt.com<http://www.cgtmt.com/<http://www.cgtmt.com%3chttp:/www.cgtmt.com/>>
[cid:image001.jpg@01DAD43E.F5A51AB0]
Confidentiality Statement:
This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it.
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
From: Ryan McGuire
Sent: Thursday, July 11, 2024 8:27 AM
To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net<mailto:gerdesj@blueloop.net%3cmailto:gerdesj@blueloop.net>>>; aland@deployingradius.com<mailto:aland@deployingradius.com<mailto:aland@deployingradius.com%3cmailto:aland@deployingradius.com>>
Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org%3cmailto:freeradius-users@lists.freeradius.org>>
Subject: RE: debug log
Hi Jon,
I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at).
Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius.
The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11.
Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still.
Let me know if you need any additional information
Thank you
From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net<mailto:gerdesj@blueloop.net%3cmailto:gerdesj@blueloop.net>>>
Sent: Wednesday, July 10, 2024 4:36 PM
To: aland@deployingradius.com<mailto:aland@deployingradius.com<mailto:aland@deployingradius.com%3cmailto:aland@deployingradius.com>>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>>
Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org%3cmailto:freeradius-users@lists.freeradius.org>>
Subject: Re: debug log
Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need
Ryan
"Received Access-Accept" means that RADIUS is happy and has authenticated the request.
I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs.
Something like:
I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc
Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong.
Cheers
Jon
On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote:
This is what I get when I do a radtest
Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78
User-Name = "rmcguire"
User-Password = "password123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "password123"
Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "88"
Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up
Thanks for any help provided
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
Ryan McGuire
|
Systems Administrator
Century Gaming Technologies
‑
Billings
PO Box 21138
Billings
,
MT
59101
C: 406-860-1299<tel:406-860-1299>
E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>
W: http://www.cgtmt.com<http://www.cgtmt.com/<http://www.cgtmt.com%3chttp:/www.cgtmt.com/>>
[cid:image001.jpg@01DAD43E.F5A51AB0]
Confidentiality Statement:
This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it.
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com<mailto:aland@deployingradius.com%3cmailto:aland@deployingradius.com>>>
Sent: Wednesday, July 10, 2024 2:32 PM
To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>>
Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net<mailto:gerdesj@blueloop.net%3cmailto:gerdesj@blueloop.net>>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>
Subject: Re: debug log
On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding
On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com%3cmailto:rmcguire@cgtmt.com>>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help.
And you don't need to use nradping. The server comes with test tools: radclient / radtest.
As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*.
For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else?
What, exactly, is the problem you need help with? Can you describe it?
I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try.
Alan DeKok.
-
-- Ľudovít Mikula Mikori s.r.o ------------------------ Fatranská 3100/4 01008 Žilina Slovenská Republika ------------------------ ... aby korenie chutilo, ako má ... ------------------------ Web: https://urldefense.com/v3/__https://www.mikori.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgUrWuKvGw$<https://urldefense.com/v3/__https:/www.mikori.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgUrWuKvGw$> E-Shop: https://urldefense.com/v3/__https://www.cerstvekorenie.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVeeiattQ$<https://urldefense.com/v3/__https:/www.cerstvekorenie.sk/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVeeiattQ$> E-mail: ludovit.mikula@mikori.sk<mailto:ludovit.mikula@mikori.sk> Facebook: https://urldefense.com/v3/__https://www.facebook.com/mikori.korenie/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgXJ31jRuw$<https://urldefense.com/v3/__https:/www.facebook.com/mikori.korenie/__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgXJ31jRuw$> - List info/subscribe/unsubscribe? See https://urldefense.com/v3/__http://www.freeradius.org/list/users.html__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVerhDnJQ$<https://urldefense.com/v3/__http:/www.freeradius.org/list/users.html__;!!OpwIkcY!i0iPvNo7RiKw59OVwUijMVM4n6U0frisZ472DFbAfUeVQTTIslrFAUxt7OcL0w4zgDgvvWCpFpp8GL64WgVerhDnJQ$>
When running radiusd -X should the freeradius service need to be stopped before running this? If I don’t have the freeradius service stopped I receive the following: [cid:image002.png@01DAD467.94F44F50] ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Jon Gerdes <gerdesj@blueloop.net> Sent: Friday, July 12, 2024 9:32 AM To: aland@deployingradius.com; Ryan McGuire <rmcguire@cgtmt.com> Cc: freeradius-users@lists.freeradius.org Subject: Re: debug log Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https://sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS%20VM/<https://urldefense.com/v3/__https:/sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS*20VM/__;JQ!!OpwIkcY!gdGXPUNnmY2XrEUhyyK2hHmMy8W2K35wy6fXsOfy944Me_K_oNi8TgEjjQoX6Zsw7NqPbRvO4q2Sud53$> Cheers Jon On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image003.jpg@01DAD467.94F44F50] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image003.jpg@01DAD467.94F44F50] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
From here running NTRadPin Test,
https://draculaservers.com/tutorials/install-freeradius-daloradius-debian-9-... What does that actually do? Here are my results: (0) Received Access-Request Id 0 from 10.108.21.198:50766 to 10.108.15.25:1812 length 49 (0) User-Name = "rmcguire" (0) CHAP-Password = 0xb1a04c4c233130aef7ab8045d0c2a09063 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./<mailto:/@\./>) { (0) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> rmcguire (0) sql: SQL-User-Name set to 'rmcguire' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "password123" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (0) sql: User found in the group table (0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (0) sql: Group "admin": Conditional check items matched (0) sql: Group "admin": Merging assignment check items (0) sql: Auth-Type := Accept (0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (0) sql: Group "admin": Merging reply items (0) sql: Tunnel-Medium-Type = IEEE-802 (0) sql: Tunnel-Type = VLAN (0) sql: Tunnel-Private-Group-Id = "88" rlm_sql (sql): Released connection (1) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> rmcguire (0) sql: SQL-User-Name set to 'rmcguire' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' ) (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '0xb1a04c4c233130aef7ab8045d0c2a09063', 'Access-Accept', '2024-07-12 20:48:57.445087' ) (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '0xb1a04c4c233130aef7ab8045d0c2a09063', 'Access-Accept', '2024-07-12 20:48:57.445087' ) (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 10.108.15.25:1812 to 10.108.21.198:50766 length 36 (0) Tunnel-Medium-Type = IEEE-802 (0) Tunnel-Type = VLAN (0) Tunnel-Private-Group-Id = "88" (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +57 due to cleanup_delay was reached Ready to process requests ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Friday, July 12, 2024 2:27 PM To: Jon Gerdes <gerdesj@blueloop.net>; aland@deployingradius.com Cc: freeradius-users@lists.freeradius.org Subject: RE: debug log When running radiusd -X should the freeradius service need to be stopped before running this? If I don’t have the freeradius service stopped I receive the following: [cid:image001.png@01DAD46B.0A6F5AB0] From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Friday, July 12, 2024 9:32 AM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https://sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS%20VM/<https://urldefense.com/v3/__https:/sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS*20VM/__;JQ!!OpwIkcY!gdGXPUNnmY2XrEUhyyK2hHmMy8W2K35wy6fXsOfy944Me_K_oNi8TgEjjQoX6Zsw7NqPbRvO4q2Sud53$> Cheers Jon On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image002.jpg@01DAD46B.0A6F5AB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image002.jpg@01DAD46B.0A6F5AB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
I’ve ran my debug after attempting wireless authentication, when trying to connect I also receive the following message: [cid:image003.png@01DAD6A4.46C9ECB0] (74) Received Access-Request Id 116 from 10.108.21.198:60463 to 10.108.15.25:1812 length 153 (74) Service-Type = Framed-User (74) Framed-MTU = 1400 (74) User-Name = "rmcguire" (74) NAS-Port-Id = "wlan1" (74) NAS-Port-Type = Wireless-802.11 (74) Calling-Station-Id = "04-7B-CB-C6-1C-E8" (74) Called-Station-Id = "74-4D-28-67-06-9F:freeradius" (74) EAP-Message = 0x0201000d01726d636775697265 (74) Message-Authenticator = 0xf95217ceee686ad83ac8633e2019e7a9 (74) NAS-Identifier = "MikroTik" (74) NAS-IP-Address = 10.108.21.198 (74) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (74) authorize { (74) policy filter_username { (74) if (&User-Name) { (74) if (&User-Name) -> TRUE (74) if (&User-Name) { (74) if (&User-Name =~ / /) { (74) if (&User-Name =~ / /) -> FALSE (74) if (&User-Name =~ /@[^@]*@/ ) { (74) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (74) if (&User-Name =~ /\.\./ ) { (74) if (&User-Name =~ /\.\./ ) -> FALSE (74) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (74) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (74) if (&User-Name =~ /\.$/) { (74) if (&User-Name =~ /\.$/) -> FALSE (74) if (&User-Name =~ /@\./<mailto:/@\./>) { (74) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (74) } # if (&User-Name) = notfound (74) } # policy filter_username = notfound (74) [preprocess] = ok (74) [chap] = noop (74) [mschap] = noop (74) [digest] = noop (74) suffix: Checking for suffix after "@" (74) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (74) suffix: No such realm "NULL" (74) [suffix] = noop (74) eap: Peer sent EAP Response (code 2) ID 1 length 13 (74) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (74) [eap] = ok (74) } # authorize = ok (74) Found Auth-Type = eap (74) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (74) authenticate { (74) eap: Peer sent packet with method EAP Identity (1) (74) eap: Calling submodule eap_md5 to process data (74) eap_md5: Issuing MD5 Challenge (74) eap: Sending EAP Request (code 1) ID 2 length 22 (74) eap: EAP session adding &reply:State = 0xde3a9147de38956c (74) [eap] = handled (74) } # authenticate = handled (74) Using Post-Auth-Type Challenge (74) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (74) Challenge { ... } # empty sub-section is ignored (74) Sent Access-Challenge Id 116 from 10.108.15.25:1812 to 10.108.21.198:60463 length 80 (74) EAP-Message = 0x010200160410c324609b663fe10b1572532fdbf7e3e9 (74) Message-Authenticator = 0x00000000000000000000000000000000 (74) State = 0xde3a9147de38956cc3d44c0587e63b17 (74) Finished request Waking up in 4.9 seconds. (75) Received Access-Request Id 117 from 10.108.21.198:35245 to 10.108.15.25:1812 length 165 (75) Service-Type = Framed-User (75) Framed-MTU = 1400 (75) User-Name = "rmcguire" (75) State = 0xde3a9147de38956cc3d44c0587e63b17 (75) NAS-Port-Id = "wlan1" (75) NAS-Port-Type = Wireless-802.11 (75) Calling-Station-Id = "04-7B-CB-C6-1C-E8" (75) Called-Station-Id = "74-4D-28-67-06-9F:freeradius" (75) EAP-Message = 0x02020007031915 (75) Message-Authenticator = 0x584a48ecbdea8d026726ae3d288b4c95 (75) NAS-Identifier = "MikroTik" (75) NAS-IP-Address = 10.108.21.198 (75) session-state: No cached attributes (75) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (75) authorize { (75) policy filter_username { (75) if (&User-Name) { (75) if (&User-Name) -> TRUE (75) if (&User-Name) { (75) if (&User-Name =~ / /) { (75) if (&User-Name =~ / /) -> FALSE (75) if (&User-Name =~ /@[^@]*@/ ) { (75) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (75) if (&User-Name =~ /\.\./ ) { (75) if (&User-Name =~ /\.\./ ) -> FALSE (75) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (75) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (75) if (&User-Name =~ /\.$/) { (75) if (&User-Name =~ /\.$/) -> FALSE (75) if (&User-Name =~ /@\./<mailto:/@\./>) { (75) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (75) } # if (&User-Name) = notfound (75) } # policy filter_username = notfound (75) [preprocess] = ok (75) [chap] = noop (75) [mschap] = noop (75) [digest] = noop (75) suffix: Checking for suffix after "@" (75) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (75) suffix: No such realm "NULL" (75) [suffix] = noop (75) eap: Peer sent EAP Response (code 2) ID 2 length 7 (75) eap: No EAP Start, assuming it's an on-going EAP conversation (75) [eap] = updated (75) files: users: Matched entry rmcguire at line 5 (75) [files] = ok (75) sql: EXPAND %{User-Name} (75) sql: --> rmcguire (75) sql: SQL-User-Name set to 'rmcguire' rlm_sql (sql): Reserved connection (3) (75) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (75) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (75) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (75) sql: User found in radcheck table (75) sql: Conditional check items matched, merging assignment check items (75) sql: Cleartext-Password := "password123" (75) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (75) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (75) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (75) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (75) sql: --> SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (75) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (75) sql: User found in the group table (75) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (75) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (75) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (75) sql: Group "admin": Conditional check items matched (75) sql: Group "admin": Merging assignment check items (75) sql: Auth-Type := Accept (75) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (75) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (75) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (75) sql: Group "admin": Merging reply items (75) sql: Tunnel-Medium-Type = IEEE-802 (75) sql: Tunnel-Type = VLAN (75) sql: Tunnel-Private-Group-Id = "88" rlm_sql (sql): Released connection (3) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (20), 1 of 24 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 (75) [sql] = ok (75) [expiration] = noop (75) [logintime] = noop (75) pap: WARNING: Auth-Type already set. Not setting to PAP (75) [pap] = noop (75) } # authorize = updated (75) Found Auth-Type = Accept (75) Auth-Type = Accept, accepting the user (75) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (75) post-auth { (75) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (75) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (75) update { (75) No attributes updated for RHS &session-state: (75) } # update = noop (75) sql: EXPAND .query (75) sql: --> .query (75) sql: Using query template 'query' rlm_sql (sql): Reserved connection (14) (75) sql: EXPAND %{User-Name} (75) sql: --> rmcguire (75) sql: SQL-User-Name set to 'rmcguire' (75) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' ) (75) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '', 'Access-Accept', '2024-07-15 16:45:48.325716' ) (75) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '', 'Access-Accept', '2024-07-15 16:45:48.325716' ) (75) sql: SQL query returned: success (75) sql: 1 record(s) updated rlm_sql (sql): Released connection (14) (75) [sql] = ok (75) [exec] = noop (75) policy remove_reply_message_if_eap { (75) if (&reply:EAP-Message && &reply:Reply-Message) { (75) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (75) else { (75) [noop] = noop (75) } # else = noop (75) } # policy remove_reply_message_if_eap = noop (75) if (EAP-Key-Name && &reply:EAP-Session-Id) { (75) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (75) } # post-auth = ok (75) Sent Access-Accept Id 117 from 10.108.15.25:1812 to 10.108.21.198:35245 length 49 (75) Mikrotik-Group = "write" (75) Tunnel-Medium-Type = IEEE-802 (75) Tunnel-Type = VLAN (75) Tunnel-Private-Group-Id = "88" (75) Finished request Waking up in 4.9 seconds. (74) Cleaning up request packet ID 116 with timestamp +410 due to cleanup_delay was reached (75) Cleaning up request packet ID 117 with timestamp +410 due to cleanup_delay was reached Ready to process requests ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Friday, July 12, 2024 2:53 PM To: 'Jon Gerdes' <gerdesj@blueloop.net>; 'ludovit.mikula@mikori.sk' <ludovit.mikula@mikori.sk> Cc: 'freeradius-users@lists.freeradius.org' <freeradius-users@lists.freeradius.org> Subject: RE: debug log
From here running NTRadPin Test,
https://draculaservers.com/tutorials/install-freeradius-daloradius-debian-9-... What does that actually do? Here are my results: (0) Received Access-Request Id 0 from 10.108.21.198:50766 to 10.108.15.25:1812 length 49 (0) User-Name = "rmcguire" (0) CHAP-Password = 0xb1a04c4c233130aef7ab8045d0c2a09063 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./<mailto:/@\./>) { (0) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> rmcguire (0) sql: SQL-User-Name set to 'rmcguire' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "password123" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (0) sql: User found in the group table (0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (0) sql: Group "admin": Conditional check items matched (0) sql: Group "admin": Merging assignment check items (0) sql: Auth-Type := Accept (0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (0) sql: Group "admin": Merging reply items (0) sql: Tunnel-Medium-Type = IEEE-802 (0) sql: Tunnel-Type = VLAN (0) sql: Tunnel-Private-Group-Id = "88" rlm_sql (sql): Released connection (1) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> rmcguire (0) sql: SQL-User-Name set to 'rmcguire' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' ) (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '0xb1a04c4c233130aef7ab8045d0c2a09063', 'Access-Accept', '2024-07-12 20:48:57.445087' ) (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '0xb1a04c4c233130aef7ab8045d0c2a09063', 'Access-Accept', '2024-07-12 20:48:57.445087' ) (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 10.108.15.25:1812 to 10.108.21.198:50766 length 36 (0) Tunnel-Medium-Type = IEEE-802 (0) Tunnel-Type = VLAN (0) Tunnel-Private-Group-Id = "88" (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +57 due to cleanup_delay was reached Ready to process requests From: Ryan McGuire Sent: Friday, July 12, 2024 2:27 PM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log When running radiusd -X should the freeradius service need to be stopped before running this? If I don’t have the freeradius service stopped I receive the following: [cid:image004.png@01DAD6A4.46C9ECB0] From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Friday, July 12, 2024 9:32 AM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https://sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS%20VM/<https://urldefense.com/v3/__https:/sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS*20VM/__;JQ!!OpwIkcY!gdGXPUNnmY2XrEUhyyK2hHmMy8W2K35wy6fXsOfy944Me_K_oNi8TgEjjQoX6Zsw7NqPbRvO4q2Sud53$> Cheers Jon On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image005.jpg@01DAD6A4.46C9ECB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image005.jpg@01DAD6A4.46C9ECB0] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
Attached is the image getting when initially connecting to wireless ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Monday, July 15, 2024 10:47 AM To: 'Jon Gerdes' <gerdesj@blueloop.net>; 'ludovit.mikula@mikori.sk' <ludovit.mikula@mikori.sk> Cc: 'freeradius-users@lists.freeradius.org' <freeradius-users@lists.freeradius.org> Subject: RE: debug log I’ve ran my debug after attempting wireless authentication, when trying to connect I also receive the following message: [cid:image001.png@01DAD6A8.7FC0EA10] (74) Received Access-Request Id 116 from 10.108.21.198:60463 to 10.108.15.25:1812 length 153 (74) Service-Type = Framed-User (74) Framed-MTU = 1400 (74) User-Name = "rmcguire" (74) NAS-Port-Id = "wlan1" (74) NAS-Port-Type = Wireless-802.11 (74) Calling-Station-Id = "04-7B-CB-C6-1C-E8" (74) Called-Station-Id = "74-4D-28-67-06-9F:freeradius" (74) EAP-Message = 0x0201000d01726d636775697265 (74) Message-Authenticator = 0xf95217ceee686ad83ac8633e2019e7a9 (74) NAS-Identifier = "MikroTik" (74) NAS-IP-Address = 10.108.21.198 (74) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (74) authorize { (74) policy filter_username { (74) if (&User-Name) { (74) if (&User-Name) -> TRUE (74) if (&User-Name) { (74) if (&User-Name =~ / /) { (74) if (&User-Name =~ / /) -> FALSE (74) if (&User-Name =~ /@[^@]*@/ ) { (74) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (74) if (&User-Name =~ /\.\./ ) { (74) if (&User-Name =~ /\.\./ ) -> FALSE (74) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (74) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (74) if (&User-Name =~ /\.$/) { (74) if (&User-Name =~ /\.$/) -> FALSE (74) if (&User-Name =~ /@\./<mailto:/@\./>) { (74) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (74) } # if (&User-Name) = notfound (74) } # policy filter_username = notfound (74) [preprocess] = ok (74) [chap] = noop (74) [mschap] = noop (74) [digest] = noop (74) suffix: Checking for suffix after "@" (74) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (74) suffix: No such realm "NULL" (74) [suffix] = noop (74) eap: Peer sent EAP Response (code 2) ID 1 length 13 (74) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (74) [eap] = ok (74) } # authorize = ok (74) Found Auth-Type = eap (74) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (74) authenticate { (74) eap: Peer sent packet with method EAP Identity (1) (74) eap: Calling submodule eap_md5 to process data (74) eap_md5: Issuing MD5 Challenge (74) eap: Sending EAP Request (code 1) ID 2 length 22 (74) eap: EAP session adding &reply:State = 0xde3a9147de38956c (74) [eap] = handled (74) } # authenticate = handled (74) Using Post-Auth-Type Challenge (74) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (74) Challenge { ... } # empty sub-section is ignored (74) Sent Access-Challenge Id 116 from 10.108.15.25:1812 to 10.108.21.198:60463 length 80 (74) EAP-Message = 0x010200160410c324609b663fe10b1572532fdbf7e3e9 (74) Message-Authenticator = 0x00000000000000000000000000000000 (74) State = 0xde3a9147de38956cc3d44c0587e63b17 (74) Finished request Waking up in 4.9 seconds. (75) Received Access-Request Id 117 from 10.108.21.198:35245 to 10.108.15.25:1812 length 165 (75) Service-Type = Framed-User (75) Framed-MTU = 1400 (75) User-Name = "rmcguire" (75) State = 0xde3a9147de38956cc3d44c0587e63b17 (75) NAS-Port-Id = "wlan1" (75) NAS-Port-Type = Wireless-802.11 (75) Calling-Station-Id = "04-7B-CB-C6-1C-E8" (75) Called-Station-Id = "74-4D-28-67-06-9F:freeradius" (75) EAP-Message = 0x02020007031915 (75) Message-Authenticator = 0x584a48ecbdea8d026726ae3d288b4c95 (75) NAS-Identifier = "MikroTik" (75) NAS-IP-Address = 10.108.21.198 (75) session-state: No cached attributes (75) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (75) authorize { (75) policy filter_username { (75) if (&User-Name) { (75) if (&User-Name) -> TRUE (75) if (&User-Name) { (75) if (&User-Name =~ / /) { (75) if (&User-Name =~ / /) -> FALSE (75) if (&User-Name =~ /@[^@]*@/ ) { (75) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (75) if (&User-Name =~ /\.\./ ) { (75) if (&User-Name =~ /\.\./ ) -> FALSE (75) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (75) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (75) if (&User-Name =~ /\.$/) { (75) if (&User-Name =~ /\.$/) -> FALSE (75) if (&User-Name =~ /@\./<mailto:/@\./>) { (75) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (75) } # if (&User-Name) = notfound (75) } # policy filter_username = notfound (75) [preprocess] = ok (75) [chap] = noop (75) [mschap] = noop (75) [digest] = noop (75) suffix: Checking for suffix after "@" (75) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (75) suffix: No such realm "NULL" (75) [suffix] = noop (75) eap: Peer sent EAP Response (code 2) ID 2 length 7 (75) eap: No EAP Start, assuming it's an on-going EAP conversation (75) [eap] = updated (75) files: users: Matched entry rmcguire at line 5 (75) [files] = ok (75) sql: EXPAND %{User-Name} (75) sql: --> rmcguire (75) sql: SQL-User-Name set to 'rmcguire' rlm_sql (sql): Reserved connection (3) (75) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (75) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (75) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (75) sql: User found in radcheck table (75) sql: Conditional check items matched, merging assignment check items (75) sql: Cleartext-Password := "password123" (75) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (75) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (75) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (75) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (75) sql: --> SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (75) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (75) sql: User found in the group table (75) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (75) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (75) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (75) sql: Group "admin": Conditional check items matched (75) sql: Group "admin": Merging assignment check items (75) sql: Auth-Type := Accept (75) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (75) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (75) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (75) sql: Group "admin": Merging reply items (75) sql: Tunnel-Medium-Type = IEEE-802 (75) sql: Tunnel-Type = VLAN (75) sql: Tunnel-Private-Group-Id = "88" rlm_sql (sql): Released connection (3) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (20), 1 of 24 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 (75) [sql] = ok (75) [expiration] = noop (75) [logintime] = noop (75) pap: WARNING: Auth-Type already set. Not setting to PAP (75) [pap] = noop (75) } # authorize = updated (75) Found Auth-Type = Accept (75) Auth-Type = Accept, accepting the user (75) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (75) post-auth { (75) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (75) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (75) update { (75) No attributes updated for RHS &session-state: (75) } # update = noop (75) sql: EXPAND .query (75) sql: --> .query (75) sql: Using query template 'query' rlm_sql (sql): Reserved connection (14) (75) sql: EXPAND %{User-Name} (75) sql: --> rmcguire (75) sql: SQL-User-Name set to 'rmcguire' (75) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' ) (75) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '', 'Access-Accept', '2024-07-15 16:45:48.325716' ) (75) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '', 'Access-Accept', '2024-07-15 16:45:48.325716' ) (75) sql: SQL query returned: success (75) sql: 1 record(s) updated rlm_sql (sql): Released connection (14) (75) [sql] = ok (75) [exec] = noop (75) policy remove_reply_message_if_eap { (75) if (&reply:EAP-Message && &reply:Reply-Message) { (75) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (75) else { (75) [noop] = noop (75) } # else = noop (75) } # policy remove_reply_message_if_eap = noop (75) if (EAP-Key-Name && &reply:EAP-Session-Id) { (75) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (75) } # post-auth = ok (75) Sent Access-Accept Id 117 from 10.108.15.25:1812 to 10.108.21.198:35245 length 49 (75) Mikrotik-Group = "write" (75) Tunnel-Medium-Type = IEEE-802 (75) Tunnel-Type = VLAN (75) Tunnel-Private-Group-Id = "88" (75) Finished request Waking up in 4.9 seconds. (74) Cleaning up request packet ID 116 with timestamp +410 due to cleanup_delay was reached (75) Cleaning up request packet ID 117 with timestamp +410 due to cleanup_delay was reached Ready to process requests From: Ryan McGuire Sent: Friday, July 12, 2024 2:53 PM To: 'Jon Gerdes' <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; 'ludovit.mikula@mikori.sk' <ludovit.mikula@mikori.sk<mailto:ludovit.mikula@mikori.sk>> Cc: 'freeradius-users@lists.freeradius.org' <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> Subject: RE: debug log
From here running NTRadPin Test,
https://draculaservers.com/tutorials/install-freeradius-daloradius-debian-9-... What does that actually do? Here are my results: (0) Received Access-Request Id 0 from 10.108.21.198:50766 to 10.108.15.25:1812 length 49 (0) User-Name = "rmcguire" (0) CHAP-Password = 0xb1a04c4c233130aef7ab8045d0c2a09063 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./<mailto:/@\./>) { (0) if (&User-Name =~ /@\./<mailto:/@\./>) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "rmcguire", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> rmcguire (0) sql: SQL-User-Name set to 'rmcguire' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rmcguire' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "password123" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rmcguire' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rmcguire' ORDER BY priority (0) sql: User found in the group table (0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id (0) sql: Group "admin": Conditional check items matched (0) sql: Group "admin": Merging assignment check items (0) sql: Auth-Type := Accept (0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id (0) sql: Group "admin": Merging reply items (0) sql: Tunnel-Medium-Type = IEEE-802 (0) sql: Tunnel-Type = VLAN (0) sql: Tunnel-Private-Group-Id = "88" rlm_sql (sql): Released connection (1) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.6.18-MariaDB-0ubuntu0.22.04.1, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> rmcguire (0) sql: SQL-User-Name set to 'rmcguire' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' ) (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '0xb1a04c4c233130aef7ab8045d0c2a09063', 'Access-Accept', '2024-07-12 20:48:57.445087' ) (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rmcguire', '0xb1a04c4c233130aef7ab8045d0c2a09063', 'Access-Accept', '2024-07-12 20:48:57.445087' ) (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 10.108.15.25:1812 to 10.108.21.198:50766 length 36 (0) Tunnel-Medium-Type = IEEE-802 (0) Tunnel-Type = VLAN (0) Tunnel-Private-Group-Id = "88" (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +57 due to cleanup_delay was reached Ready to process requests From: Ryan McGuire Sent: Friday, July 12, 2024 2:27 PM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log When running radiusd -X should the freeradius service need to be stopped before running this? If I don’t have the freeradius service stopped I receive the following: [cid:image002.png@01DAD6A8.7FC0EA10] From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Friday, July 12, 2024 9:32 AM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https: //sourceforge. net/projects/daloradius/files/daloradius/daloRADIUS%20VM/ Cheers Ryan What about going all in on daloRADIUS? Getting used to Linux and RADIUS all in one go is quite a challenge. This is an OVA based appliance with a manual: https://sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS%20VM/<https://urldefense.com/v3/__https:/sourceforge.net/projects/daloradius/files/daloradius/daloRADIUS*20VM/__;JQ!!OpwIkcY!gdGXPUNnmY2XrEUhyyK2hHmMy8W2K35wy6fXsOfy944Me_K_oNi8TgEjjQoX6Zsw7NqPbRvO4q2Sud53$> Cheers Jon On Fri, 2024-07-12 at 14:20 +0000, Ryan McGuire wrote: Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image003.jpg@01DAD6A8.7FC0EA10] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; aland@deployingradius.com<mailto:aland@deployingradius.com> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image003.jpg@01DAD6A8.7FC0EA10] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>;freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
When trying to authenticate user from Mikrotik to Radius Server receiving the following, which file do I need to check on my shared secret? Thank you (0) Received Access-Request Id 11 from 10.108.21.198:50870 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (0) Ignoring duplicate packet from client mikrotik-router port 50870 - ID: 11 due to unfinished request in component <REQUEST_DONE> module (0) Cleaning up request packet ID 11 with timestamp +18 due to done Ready to process requests (1) Received Access-Request Id 11 from 10.108.21.198:50870 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (1) Cleaning up request packet ID 11 with timestamp +19 due to done Ready to process requests (2) Received Access-Request Id 12 from 10.108.21.198:45981 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (2) Ignoring duplicate packet from client mikrotik-router port 45981 - ID: 12 due to unfinished request in component <REQUEST_DONE> module (2) Cleaning up request packet ID 12 with timestamp +19 due to done Ready to process requests (3) Received Access-Request Id 12 from 10.108.21.198:45981 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (3) Cleaning up request packet ID 12 with timestamp +20 due to done Ready to process requests (4) Received Access-Request Id 13 from 10.108.21.198:34731 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (4) Ignoring duplicate packet from client mikrotik-router port 34731 - ID: 13 due to unfinished request in component <REQUEST_DONE> module (4) Cleaning up request packet ID 13 with timestamp +20 due to done Ready to process requests (5) Received Access-Request Id 13 from 10.108.21.198:34731 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (5) Cleaning up request packet ID 13 with timestamp +21 due to done Ready to process requests (6) Received Access-Request Id 14 from 10.108.21.198:33815 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (6) Ignoring duplicate packet from client mikrotik-router port 33815 - ID: 14 due to unfinished request in component <REQUEST_DONE> module (6) Cleaning up request packet ID 14 with timestamp +21 due to done Ready to process requests (7) Received Access-Request Id 14 from 10.108.21.198:33815 to 10.108.15.25:1812 length 191 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (7) Cleaning up request packet ID 14 with timestamp +22 due to done Ready to process requests (8) Received Access-Request Id 15 from 10.108.21.198:38303 to 10.108.15.25:1812 length 143 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (8) Ignoring duplicate packet from client mikrotik-router port 38303 - ID: 15 due to unfinished request in component <REQUEST_DONE> module (8) Cleaning up request packet ID 15 with timestamp +50 due to done Ready to process requests (9) Received Access-Request Id 15 from 10.108.21.198:38303 to 10.108.15.25:1812 length 143 Dropping packet without response because of error: Received packet from 10.108.21.198 with invalid Message-Authenticator! (Shared secret is incorrect.) Waking up in 0.3 seconds. (9) Cleaning up request packet ID 15 with timestamp +51 due to done ---------------------------- Ryan McGuire | Systems Administrator Century Gaming Technologies - Billings PO Box 21138 Billings, MT 59101 C: 406-860-1299 E: rmcguire@cgtmt.com W: www.cgtmt.com Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ---------------------------- From: Ryan McGuire Sent: Friday, July 12, 2024 8:21 AM To: Jon Gerdes <gerdesj@blueloop.net>; aland@deployingradius.com Cc: freeradius-users@lists.freeradius.org Subject: RE: debug log Hi Jon, Just seeing what other information you would need from me. Once again, really new to this and just started setting up freeradius with linux. Thank you for your help From: Ryan McGuire Sent: Thursday, July 11, 2024 8:27 AM To: Jon Gerdes <gerdesj@blueloop.net>; aland@deployingradius.com Cc: freeradius-users@lists.freeradius.org Subject: RE: debug log Hi Jon, I have a Linux Server setup with Ubuntu 22.04.4….initially we had setup radius using a windows server that was our Certificate Authority, Network Policy Server, with all of our different routers at different locations as radius clients(we have multiple locations 10 or so, where we want to dictate the devices which are allowed to connect to our wireless in those locations but say someone visits from one location to another have them automatically authenticate to the new location they’re at). Problem is we cannot go the route of Windows based now and had come across using first user manager but we don’t want to authenticate via mac address which lead me to free radius. The mikrotik’s would all be my NAS clients I believe, the one I’m testing on is v6.49.8. All laptops connecting would be either Windows 10 or 11. Had setup daloradius as well for a GUI to use as for myself this works better as I’m learning linux still. Let me know if you need any additional information Thank you From: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>> Sent: Wednesday, July 10, 2024 4:36 PM To: aland@deployingradius.com<mailto:aland@deployingradius.com>; Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need Ryan "Received Access-Accept" means that RADIUS is happy and has authenticated the request. I get the impression that we have hit a blockage of some sort here. Perhaps a quick overview of what you are trying to do might help. No need for configs. Something like: I am trying to do username/password authentication with a Windows 11 (version) laptop (model) connected via wifi to a Mikrotik (something) using (standard name). The Mikrotik authenticates and authorises access using RADIUS. The RADIUS server is a etc etc Model numbers, versions etc will be helpful. Given that, we might be able to work back through your debug logs and hopefully find out what is going wrong. Cheers Jon On Wed, 2024-07-10 at 21:29 +0000, Ryan McGuire wrote: This is what I get when I do a radtest Sent Access-Request Id 27 from 0.0.0.0:41113 to 10.108.15.25:1812 length 78 User-Name = "rmcguire" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "password123" Received Access-Accept Id 27 from 10.108.15.25:1812 to 10.108.15.25:41113 length 36 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "88" Basically, wanting to know what should I be looking for? Next steps to confirm things are working and then to get my router authentication working for wireless, sorry for all the dumb questions, this is my first time doing this and was hoping that there would be a straight forward tutorial for setting this up Thanks for any help provided ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ Ryan McGuire | Systems Administrator Century Gaming Technologies ‑ Billings PO Box 21138 Billings , MT 59101 C: 406-860-1299<tel:406-860-1299> E: rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com> W: www.cgtmt.com<http://www.cgtmt.com/> [cid:image001.jpg@01DAD43E.61DEC060] Confidentiality Statement: This e-mail contains confidential information which also may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not copy, use, disclose or distribute the e-mail message or any information contained in the message. If you have received this e-mail message in error, please advise the sender by replying to this message or by telephone and then promptly delete it. ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ From: Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> Sent: Wednesday, July 10, 2024 2:32 PM To: Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> Cc: Jon Gerdes <gerdesj@blueloop.net<mailto:gerdesj@blueloop.net>>; freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: debug log On Jul 10, 2024, at 3: 05 PM, Ryan McGuire <rmcguire@ cgtmt. com> wrote: > Attached is my log when running ntradping Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding On Jul 10, 2024, at 3:05 PM, Ryan McGuire <rmcguire@cgtmt.com<mailto:rmcguire@cgtmt.com>> wrote:
Attached is my log when running ntradping
Please just paste the message into the email. That makes it easier to reply in-line, and quote the debug output. Adding it as an attachment just makes it more difficult to help you, which makes it less likely that you will get help. And you don't need to use nradping. The server comes with test tools: radclient / radtest. As for the debug output, it doesn't show anything useful. For one, you've removed almost everything from it, which the documentation says *don't do*. For another, the debug output shows it sending an Access-Accept. OK... what's wrong? Is there an error? Do you expect the server to do something else? What, exactly, is the problem you need help with? Can you describe it? I really only have limited patience for this kind of "20 questions" game. If it's clear that I can't help you, then there's no reason for me to try. Alan DeKok.
On Jul 9, 2024, at 4:31 PM, Ryan McGuire via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have ran through the tutorial of freeradius setup at the following site and am sharing my debug file as at this point I’m not sure where I’m supposed to go? We’re trying to setup wireless authentication using a mikrotik router as our NAS to authenticate to our radius server.
https://docs.beamnetworks.dev/en/linux/networking/freeradius-daloradius
I'd ignore daloradius. It's a UI, it's not FreeRADIUS.
below is my debug log after running
$ freeradius -X 2>&1 | tee debugfile
That doesn't show the server receiving packets. We can't debug what the server does when it receives packets, if the debug output doesn't show the server receiving packets, http://wiki.freeradius.org/list-help Alan DeKok.
participants (4)
-
Alan DeKok -
Jon Gerdes -
Ryan McGuire -
Ľudovít Mikula