Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps
Hello everyone, Recently, I implemented freeradius for our home office. I was able to use the method of editing the user file to add user to authorize them using our network. Now I would like to use mySQL with phpMyAdmin to control and manage other users. So I installed Lamp Stack from here: https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache -mysql-php-lamp-stack-ubuntu-18-04 which basically install Apache server, SQL server and PHP server. I have all 3 up and run OK. Anyway, after that I follow the Guide here to setup the mySQL https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubu ntu After I finished installing the freeradius-mysql module and created the "radius" database, it shows up in the phpMyAdmin windows. I was excited. However, further more in the Guide, I found a lot of difference/discrepancies in term of file names, location of the files like sql (not sure if sql.conf?). It seems that the Guide is now outdated and pending for update to catch up with the new version of Freeradius file organization As a result, when I attempt to use SQL to authorize the users, the server keeps rejecting my username/password I run radtest and it says "No reply from server" Could someone please instruct me how to start from the scratch again with a proper file's names, locations of each required files, what to edit, etc..? I thank you very much indeed for your support. Again, thanks James --- This email has been checked for viruses by AVG. https://www.avg.com
On Sep 28, 2018, at 2:25 AM, <james.ngobui@gmail.com> <james.ngobui@gmail.com> wrote:
Anyway, after that I follow the Guide here to setup the mySQL
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubu ntu
The guide should be mostly correct. However, Debian has started to re-name / change the location of various FreeRADIUS files. It's a bit annoying.
However, further more in the Guide, I found a lot of difference/discrepancies in term of file names, location of the files like sql (not sure if sql.conf?). It seems that the Guide is now outdated and pending for update to catch up with the new version of Freeradius file organization
It has a few typos, but I don't think it's seriously wrong.
As a result, when I attempt to use SQL to authorize the users, the server keeps rejecting my username/password
There *is* debug output available. All of the documentation says to post that. Including the "welcome" message you received when joining this list.
Could someone please instruct me how to start from the scratch again with a proper file's names, locations of each required files, what to edit, etc..?
Post the debug output as suggested in the list "welcome" message, in the "man" page, on the main web pages, on the wiki, and daily on this list. There's just no excuse for *not* doing that. Alan DeKok.
Hi Alan, You are absolutely right about the log file and I am sorry to be bothering you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK). I really appreciate your helps. Cheers ------------------------------------------------------------------------------------------------------- FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/sqlite/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/unix including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/debug including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client RouterAC { ipaddr = 10.25.25.47 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_exec # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_null" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" logfile = "/var/log/freeradius/sqllog.sql" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked Creating attribute SQL-Group # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group instantiate { } # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331 } # server inner-tunnel server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 37475 Listening on proxy address :: port 39335 Ready to process requests (0) Received Access-Request Id 95 from 10.25.25.47:56513 to 10.25.25.45:1812 length 164 (0) User-Name = "testuser1" (0) NAS-IP-Address = 10.25.25.47 (0) NAS-Identifier = "44d9e7fc7b5c" (0) NAS-Port = 0 (0) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (0) Calling-Station-Id = "D0-2B-20-74-5D-BA" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x021c000b016a616d65736e (0) Message-Authenticator = 0x61bb73fc582ff897e3731d7bce1696a8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 28 length 11 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 29 length 22 (0) eap: EAP session adding &reply:State = 0xc1c3e8f7c1deecb6 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 95 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (0) EAP-Message = 0x011d0016041095af2ebcc1e944e426c57b2721bb7e76 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xc1c3e8f7c1deecb69d1d69a30c5f8084 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 96 from 10.25.25.47:56513 to 10.25.25.45:1812 length 179 (1) User-Name = "testuser1" (1) NAS-IP-Address = 10.25.25.47 (1) NAS-Identifier = "44d9e7fc7b5c" (1) NAS-Port = 0 (1) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (1) Calling-Station-Id = "D0-2B-20-74-5D-BA" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x021d00080319152b (1) State = 0xc1c3e8f7c1deecb69d1d69a30c5f8084 (1) Message-Authenticator = 0x651377d33ac47435b8f3e6faeaba7fa8 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 29 length 8 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) sql: EXPAND %{User-Name} (1) sql: --> testuser1 (1) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (0) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (1) sql: User not found in any groups rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used (1) [sql] = notfound (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xc1c3e8f7c1deecb6 (1) eap: Finished EAP session with state 0xc1c3e8f7c1deecb6 (1) eap: Previous EAP request found for state 0xc1c3e8f7c1deecb6, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 30 length 6 (1) eap: EAP session adding &reply:State = 0xc1c3e8f7c0ddf1b6 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 96 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (1) EAP-Message = 0x011e00061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xc1c3e8f7c0ddf1b69d1d69a30c5f8084 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 97 from 10.25.25.47:56513 to 10.25.25.45:1812 length 332 (2) User-Name = "testuser1" (2) NAS-IP-Address = 10.25.25.47 (2) NAS-Identifier = "44d9e7fc7b5c" (2) NAS-Port = 0 (2) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (2) Calling-Station-Id = "D0-2B-20-74-5D-BA" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x021e00a119800000009716030100920100008e03035bae6013db176ba53c9cb539c85026db21053e4095c700119e56a8ea0813d74d00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00 (2) State = 0xc1c3e8f7c0ddf1b69d1d69a30c5f8084 (2) Message-Authenticator = 0x0380fdc7ee8c6770d48cfc9f74a44460 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 30 length 161 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xc1c3e8f7c0ddf1b6 (2) eap: Finished EAP session with state 0xc1c3e8f7c0ddf1b6 (2) eap: Previous EAP request found for state 0xc1c3e8f7c0ddf1b6, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 151 bytes (2) eap_peap: Got complete TLS record (151 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.2 [length 0092] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02d3] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 31 length 1004 (2) eap: EAP session adding &reply:State = 0xc1c3e8f7c3dcf1b6 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 97 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (2) EAP-Message = 0x011f03ec19c000000475160303003d020000390303179a32f952a7317fdc13bdb5dfe98295a42d4bebffa8e9eed6c9d63a789e99c100c030000011ff01000100000b0004030001020017000016030302d30b0002cf0002cc0002c9308202c5308201ada003020102020900e88b749ad3eb6833300d0609 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xc1c3e8f7c3dcf1b69d1d69a30c5f8084 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 98 from 10.25.25.47:56513 to 10.25.25.45:1812 length 177 (3) User-Name = "testuser1" (3) NAS-IP-Address = 10.25.25.47 (3) NAS-Identifier = "44d9e7fc7b5c" (3) NAS-Port = 0 (3) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (3) Calling-Station-Id = "D0-2B-20-74-5D-BA" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x021f00061900 (3) State = 0xc1c3e8f7c3dcf1b69d1d69a30c5f8084 (3) Message-Authenticator = 0x09be0e0049419ec83dd48c595b089d24 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 31 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xc1c3e8f7c3dcf1b6 (3) eap: Finished EAP session with state 0xc1c3e8f7c3dcf1b6 (3) eap: Previous EAP request found for state 0xc1c3e8f7c3dcf1b6, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 32 length 153 (3) eap: EAP session adding &reply:State = 0xc1c3e8f7c2e3f1b6 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 98 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (3) EAP-Message = 0x0120009919005cbdd453cb341a378d9b048a324fe35f45f81bd97584a3b61c729cf4d76919ac8ecf02e1147fa210410fd1761c298774dd63e7dfc2c19f52e7990678b1fe00304a18c97e99183b8a4de261d7de7659fb45c0f2790d4110305b35522a2fe0022b07474861efaee4e87ce18af4b7df2ff232 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xc1c3e8f7c2e3f1b69d1d69a30c5f8084 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 99 from 10.25.25.47:56513 to 10.25.25.45:1812 length 307 (4) User-Name = "testuser1" (4) NAS-IP-Address = 10.25.25.47 (4) NAS-Identifier = "44d9e7fc7b5c" (4) NAS-Port = 0 (4) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (4) Calling-Station-Id = "D0-2B-20-74-5D-BA" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x0220008819800000007e16030300461000004241049d1a4835cbbd62469b56dbc30502a184904fd9d4a0c384ff9d2979a1f16fccc84637d23090a08e643b8766506b43759079c3641b15d9b9981e5c1f523c40b42d1403030001011603030028e2847f49511f6d116a6eb2e34c10647b842fd3e5eb3f25 (4) State = 0xc1c3e8f7c2e3f1b69d1d69a30c5f8084 (4) Message-Authenticator = 0x7658c892bd252555cfc398d85153ddc3 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 32 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xc1c3e8f7c2e3f1b6 (4) eap: Finished EAP session with state 0xc1c3e8f7c2e3f1b6 (4) eap: Previous EAP request found for state 0xc1c3e8f7c2e3f1b6, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: TLS_accept: SSLv3/TLS write server done (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS read finished (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS write finished (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 33 length 57 (4) eap: EAP session adding &reply:State = 0xc1c3e8f7c5e2f1b6 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 99 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (4) EAP-Message = 0x0121003919001403030001011603030028cbd45d0effda4e06ca594952f497a2345551807cd5fe9d2dedc80e9f60d40f48db30e4445922d008 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xc1c3e8f7c5e2f1b69d1d69a30c5f8084 (4) Finished request Waking up in 3.0 seconds. (5) Received Access-Request Id 100 from 10.25.25.47:56513 to 10.25.25.45:1812 length 177 (5) User-Name = "testuser1" (5) NAS-IP-Address = 10.25.25.47 (5) NAS-Identifier = "44d9e7fc7b5c" (5) NAS-Port = 0 (5) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (5) Calling-Station-Id = "D0-2B-20-74-5D-BA" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x022100061900 (5) State = 0xc1c3e8f7c5e2f1b69d1d69a30c5f8084 (5) Message-Authenticator = 0xcd2271f991bce3a33846812618a9e355 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 33 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xc1c3e8f7c5e2f1b6 (5) eap: Finished EAP session with state 0xc1c3e8f7c5e2f1b6 (5) eap: Previous EAP request found for state 0xc1c3e8f7c5e2f1b6, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 34 length 40 (5) eap: EAP session adding &reply:State = 0xc1c3e8f7c4e1f1b6 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 100 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (5) EAP-Message = 0x012200281900170303001dcbd45d0effda4e0754bc06b9d157e873e039d683ec8c44f0afd4442445 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xc1c3e8f7c4e1f1b69d1d69a30c5f8084 (5) Finished request Waking up in 3.0 seconds. (6) Received Access-Request Id 101 from 10.25.25.47:56513 to 10.25.25.45:1812 length 213 (6) User-Name = "testuser1" (6) NAS-IP-Address = 10.25.25.47 (6) NAS-Identifier = "44d9e7fc7b5c" (6) NAS-Port = 0 (6) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (6) Calling-Station-Id = "D0-2B-20-74-5D-BA" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x0222002a1900170303001fe2847f49511f6d12dc5392c52bde8d3acc6cabb3a4b06e7a7c8a48b3b1299f (6) State = 0xc1c3e8f7c4e1f1b69d1d69a30c5f8084 (6) Message-Authenticator = 0xd788105a417e0aadf485b07d511b29bc (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 34 length 42 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xc1c3e8f7c4e1f1b6 (6) eap: Finished EAP session with state 0xc1c3e8f7c4e1f1b6 (6) eap: Previous EAP request found for state 0xc1c3e8f7c4e1f1b6, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - testuser1 (6) eap_peap: Got inner identity 'testuser1' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0222000b016a616d65736e (6) eap_peap: Setting User-Name to testuser1 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0222000b016a616d65736e (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "testuser1" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0222000b016a616d65736e (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "testuser1" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 34 length 11 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 35 length 43 (6) eap: EAP session adding &reply:State = 0x1e9095f91eb38ffa (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0123002b1a012300261081b472f8cff75544f7283d097332af6d667265657261646975732d332e302e3136 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x1e9095f91eb38ffaeec018a584c469f6 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0123002b1a012300261081b472f8cff75544f7283d097332af6d667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x1e9095f91eb38ffaeec018a584c469f6 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0123002b1a012300261081b472f8cff75544f7283d097332af6d667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x1e9095f91eb38ffaeec018a584c469f6 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 35 length 74 (6) eap: EAP session adding &reply:State = 0xc1c3e8f7c7e0f1b6 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 101 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (6) EAP-Message = 0x0123004a1900170303003fcbd45d0effda4e0839a2f742d7d6ccb9c5ca911cd94a14eab12ec1c18871b2131bf9877af8675be536c7de6d38fb37d45c8e7240f2f89d9ab068d9fd702353 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xc1c3e8f7c7e0f1b69d1d69a30c5f8084 (6) Finished request Waking up in 3.0 seconds. (7) Received Access-Request Id 102 from 10.25.25.47:56513 to 10.25.25.45:1812 length 267 (7) User-Name = "testuser1" (7) NAS-IP-Address = 10.25.25.47 (7) NAS-Identifier = "44d9e7fc7b5c" (7) NAS-Port = 0 (7) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (7) Calling-Station-Id = "D0-2B-20-74-5D-BA" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x0223006019001703030055e2847f49511f6d13e30d4e75be9b7987938eae1713fe29b173be9bef6e0c3b258bdb9040bf6cd438e8085f61c80ee41f3415258a8db220c1a629d43b3b3acf56a8e49e660a487fd7ddbf52fc6dfb952dd555428b35 (7) State = 0xc1c3e8f7c7e0f1b69d1d69a30c5f8084 (7) Message-Authenticator = 0x1bc2b9edcbd26f96e5653f64ae3f288b (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 35 length 96 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x1e9095f91eb38ffa (7) eap: Finished EAP session with state 0xc1c3e8f7c7e0f1b6 (7) eap: Previous EAP request found for state 0xc1c3e8f7c7e0f1b6, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e (7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "testuser1" (7) eap_peap: State = 0x1e9095f91eb38ffaeec018a584c469f6 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "testuser1" (7) State = 0x1e9095f91eb38ffaeec018a584c469f6 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 35 length 65 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x1e9095f91eb38ffa (7) eap: Finished EAP session with state 0x1e9095f91eb38ffa (7) eap: Previous EAP request found for state 0x1e9095f91eb38ffa, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (7) mschap: Creating challenge hash with username: testuser1 (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) [mschap] = reject (7) } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 35 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) sql: EXPAND .query (7) sql: --> .query (7) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' (7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (7) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 10:08:37') (7) sql: EXPAND /var/log/freeradius/sqllog.sql (7) sql: --> /var/log/freeradius/sqllog.sql (7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 10:08:37') (7) sql: SQL query returned: success (7) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (7) [sql] = ok (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> testuser1 (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "#E=691 R=1 C=715e3c69c21ce7fd87d05c1a4581ab31 V=3 M=Authentication rejected" (7) EAP-Message = 0x04230004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "#E=691 R=1 C=715e3c69c21ce7fd87d05c1a4581ab31 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04230004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "#E=691 R=1 C=715e3c69c21ce7fd87d05c1a4581ab31 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04230004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 36 length 46 (7) eap: EAP session adding &reply:State = 0xc1c3e8f7c6e7f1b6 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (7) Sent Access-Challenge Id 102 from 10.25.25.45:1812 to 10.25.25.47:56513 length 0 (7) EAP-Message = 0x0124002e19001703030023cbd45d0effda4e09dde2b15a186bc2ba0246d3fe71f9700d4dcb2f50358d7c868e740a (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xc1c3e8f7c6e7f1b69d1d69a30c5f8084 (7) Finished request Waking up in 3.0 seconds. (8) Received Access-Request Id 103 from 10.25.25.47:56513 to 10.25.25.45:1812 length 217 (8) User-Name = "testuser1" (8) NAS-IP-Address = 10.25.25.47 (8) NAS-Identifier = "44d9e7fc7b5c" (8) NAS-Port = 0 (8) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11" (8) Calling-Station-Id = "D0-2B-20-74-5D-BA" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) EAP-Message = 0x0224002e19001703030023e2847f49511f6d14fb667b7c4dedbb44bb1edd3bdea1a3892bdd9918b85dd7c89bdca9 (8) State = 0xc1c3e8f7c6e7f1b69d1d69a30c5f8084 (8) Message-Authenticator = 0x3355720b91ba3932dc2d7d10107706ba (8) Restoring &session-state (8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "testuser1", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 36 length 46 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xc1c3e8f7c6e7f1b6 (8) eap: Finished EAP session with state 0xc1c3e8f7c6e7f1b6 (8) eap: Previous EAP request found for state 0xc1c3e8f7c6e7f1b6, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv failure (8) eap_peap: Received EAP-TLV response (8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output (8) eap_peap: to find out the reason why the user was rejected (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (8) eap_peap: what went wrong, and how to fix the problem (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 36 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Post-Auth-Type REJECT { (8) sql: EXPAND .query (8) sql: --> .query (8) sql: Using query template 'query' rlm_sql (sql): Reserved connection (3) (8) sql: EXPAND %{User-Name} (8) sql: --> testuser1 (8) sql: SQL-User-Name set to 'testuser1' (8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 10:08:37') (8) sql: EXPAND /var/log/freeradius/sqllog.sql (8) sql: --> /var/log/freeradius/sqllog.sql (8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 10:08:37') (8) sql: SQL query returned: success (8) sql: 1 record(s) updated rlm_sql (sql): Released connection (3) (8) [sql] = ok (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> testuser1 (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 103 from 10.25.25.45:1812 to 10.25.25.47:56513 length 44 (8) EAP-Message = 0x04240004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.0 seconds. (0) Cleaning up request packet ID 95 with timestamp +46 (1) Cleaning up request packet ID 96 with timestamp +46 (2) Cleaning up request packet ID 97 with timestamp +46 (3) Cleaning up request packet ID 98 with timestamp +46 Waking up in 1.8 seconds. (4) Cleaning up request packet ID 99 with timestamp +48 (5) Cleaning up request packet ID 100 with timestamp +48 (6) Cleaning up request packet ID 101 with timestamp +48 (7) Cleaning up request packet ID 102 with timestamp +48 (8) Cleaning up request packet ID 103 with timestamp +48 Ready to process requests On Fri, Sep 28, 2018 at 3:40 AM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 28, 2018, at 2:25 AM, <james.ngobui@gmail.com> < james.ngobui@gmail.com> wrote:
Anyway, after that I follow the Guide here to setup the mySQL
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubu
ntu
The guide should be mostly correct. However, Debian has started to re-name / change the location of various FreeRADIUS files. It's a bit annoying.
However, further more in the Guide, I found a lot of difference/discrepancies in term of file names, location of the files like sql (not sure if sql.conf?). It seems that the Guide is now outdated and pending for update to catch up with the new version of Freeradius file organization
It has a few typos, but I don't think it's seriously wrong.
As a result, when I attempt to use SQL to authorize the users, the server keeps rejecting my username/password
There *is* debug output available. All of the documentation says to post that. Including the "welcome" message you received when joining this list.
Could someone please instruct me how to start from the scratch again with a proper file's names, locations of each required files, what to edit, etc..?
Post the debug output as suggested in the list "welcome" message, in the "man" page, on the main web pages, on the wiki, and daily on this list.
There's just no excuse for *not* doing that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
Hi Alan, You are absolutely right about the log file and I am sorry to be bothering you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK).
...
(7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e (7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel
That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
(7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound
That's definitive. The "testuser1" isn't in SQL. Run the queries manually to see what they return. Alan DeKok.
This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong? mysql> select * from radcheck; +----+-----------+--------------------+----+-----------+ | id | username | attribute | op | value | +----+-----------+--------------------+----+-----------+ | 2 | testuser1 | Cleartext-Password | := | testuser1 | +----+-----------+--------------------+----+-----------+ 1 row in set (0.01 sec) mysql> On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
Hi Alan, You are absolutely right about the log file and I am sorry to be
bothering
you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK).
...
(7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message =
0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
(7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel
That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
(7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound
That's definitive.
The "testuser1" isn't in SQL.
Run the queries manually to see what they return.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 28, 2018, at 2:54 PM, James Ngo <james.ngobui@gmail.com> wrote:
This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong?
I don't know. But if the database doesn't return anything, you're pretty much stuck. And the later messages make it clear that the databases *don't* return anything:
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
So there's definitely no Cleartext-Password for the user. Alan DeKok.
This is driving my crazy as I can't explain why... What I have just done: Create a new (admin) user for the radius database Add another username using command line Restart the sql Restart the freeradius It still say the same, my password is not correct and won't connect. I checked everything including some config file but did not see anything abnormal... Do you have any pointers? Thanks again -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+james.ngobui=gmail.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: September 28, 2018 12:43 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps
On Sep 28, 2018, at 2:54 PM, James Ngo <james.ngobui@gmail.com> wrote:
This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong?
I don't know. But if the database doesn't return anything, you're pretty much stuck. And the later messages make it clear that the databases *don't* return anything:
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
So there's definitely no Cleartext-Password for the user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --- This email has been checked for viruses by AVG. https://www.avg.com
On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
Hi Alan, You are absolutely right about the log file and I am sorry to be
bothering
you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK).
...
(7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message =
0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
(7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel
That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
(7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound
That's definitive.
The "testuser1" isn't in SQL.
Run the queries manually to see what they return.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C5b23721b7dda479accab08d62573f1d4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737577233171781&sdata=4TeBgHVZopEcoq1ulBsSd7qqakK90DSZHEoRbYat5pQ%3D&reserved=0
Hello, Maybe if the MySQL is configured to be case sensitive the correct atribute is ClearText-Password unstead Cleartext-Password. It is just a guess. (note CT in ClearText) Rafael Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de James Ngo <james.ngobui@gmail.com> Enviado: Friday, September 28, 2018 2:54:48 PM Para: freeradius-users@lists.freeradius.org Assunto: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong? mysql> select * from radcheck; +----+-----------+--------------------+----+-----------+ | id | username | attribute | op | value | +----+-----------+--------------------+----+-----------+ | 2 | testuser1 | Cleartext-Password | := | testuser1 | +----+-----------+--------------------+----+-----------+ 1 row in set (0.01 sec) mysql> On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C5b23721b7dda479accab08d62573f1d4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737577233171781&sdata=4TeBgHVZopEcoq1ulBsSd7qqakK90DSZHEoRbYat5pQ%3D&reserved=0
On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
Hi Alan, You are absolutely right about the log file and I am sorry to be
bothering
you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK).
...
(7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message =
0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
(7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel
That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
(7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound
That's definitive.
The "testuser1" isn't in SQL.
Run the queries manually to see what they return.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
Other thing is that RADUSERGROUP is not the same than RADCHECK, you need a row with username in both tables, not just in RADCHECK. The message is explaining that the user do not exist em RADUSERGROUP. (and you show the user in radcheck) Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de Rafael Labiak Olivastro <rolivastro@hotmail.com> Enviado: Friday, September 28, 2018 3:58:07 PM Para: FreeRadius users mailing list Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps Hello, Maybe if the MySQL is configured to be case sensitive the correct atribute is ClearText-Password unstead Cleartext-Password. It is just a guess. (note CT in ClearText) Rafael Enviado do Email<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D550986&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=f56eWLAAr9nJm%2FdLSSZ44rDh6vBIjhmHkzmr9TCCRlA%3D&reserved=0> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de James Ngo <james.ngobui@gmail.com> Enviado: Friday, September 28, 2018 2:54:48 PM Para: freeradius-users@lists.freeradius.org Assunto: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong? mysql> select * from radcheck; +----+-----------+--------------------+----+-----------+ | id | username | attribute | op | value | +----+-----------+--------------------+----+-----------+ | 2 | testuser1 | Cleartext-Password | := | testuser1 | +----+-----------+--------------------+----+-----------+ 1 row in set (0.01 sec) mysql> On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0 - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
Hi Alan, You are absolutely right about the log file and I am sorry to be
bothering
you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK).
...
(7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message =
0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
(7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel
That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
(7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound
That's definitive.
The "testuser1" isn't in SQL.
Run the queries manually to see what they return.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
Example: MariaDB [mikrotik_erp]> select * from radcheck; +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | id | UserName | Attribute | op | Value | obs | id_cliente | id_empresa | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | 1 | rafael | MD5-Password | := | 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 | | 2 | rafael | ClearText-Password | := | 1234 | | 743 | 1 | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ 2 rows in set (0.00 sec) MariaDB [mikrotik_erp]> select * from usergorup; ERROR 1146 (42S02): Table 'mikrotik_erp.usergorup' doesn't exist MariaDB [mikrotik_erp]> select * from radcheck; +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | id | UserName | Attribute | op | Value | obs | id_cliente | id_empresa | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | 1 | rafael | MD5-Password | := | 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 | | 2 | rafael | ClearText-Password | := | 1234 | | 743 | 1 | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ 2 rows in set (0.00 sec) MariaDB [mikrotik_erp]> select * from radusergroup; +----------+------------------------------------+----------+ | UserName | GroupName | priority | +----------+------------------------------------+----------+ | rafael | (Huawei)Acesso Residencial 2 MEGAS | 1 | +----------+------------------------------------+----------+ 1 row in set (0.00 sec) MariaDB [mikrotik_erp]> select * from radgroupreply; +----+------------------------------------+------------------------------+----+-------------+-----------+----------+ | id | GroupName | Attribute | op | Value | idempresa | tipo | +----+------------------------------------+------------------------------+----+-------------+-----------+----------+ | 1 | Acesso Residencial 2 MEGAS | Mikrotik-Rate-Limit | := | 1024k/2048k | 9999 | MIKROTIK | | 4 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Qos-Profile-Name | := | out-1M | 9999 | HUAWEI | | 5 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Down-QOS-Profile-Name | := | in-2M | 9999 | HUAWEI | | 6 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Policy-Route | := | 192.168.0.1 | 9999 | HUAWEI | +----+------------------------------------+------------------------------+----+-------------+-----------+----------+ 4 rows in set (0.00 sec) MariaDB [mikrotik_erp]> Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Rafael Labiak Olivastro <rolivastro@hotmail.com> Enviado: Friday, September 28, 2018 4:03:27 PM Para: FreeRadius users mailing list Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps Other thing is that RADUSERGROUP is not the same than RADCHECK, you need a row with username in both tables, not just in RADCHECK. The message is explaining that the user do not exist em RADUSERGROUP. (and you show the user in radcheck) Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de Rafael Labiak Olivastro <rolivastro@hotmail.com> Enviado: Friday, September 28, 2018 3:58:07 PM Para: FreeRadius users mailing list Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps Hello, Maybe if the MySQL is configured to be case sensitive the correct atribute is ClearText-Password unstead Cleartext-Password. It is just a guess. (note CT in ClearText) Rafael Enviado do Email<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D550986&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=f56eWLAAr9nJm%2FdLSSZ44rDh6vBIjhmHkzmr9TCCRlA%3D&reserved=0> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de James Ngo <james.ngobui@gmail.com> Enviado: Friday, September 28, 2018 2:54:48 PM Para: freeradius-users@lists.freeradius.org Assunto: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong? mysql> select * from radcheck; +----+-----------+--------------------+----+-----------+ | id | username | attribute | op | value | +----+-----------+--------------------+----+-----------+ | 2 | testuser1 | Cleartext-Password | := | testuser1 | +----+-----------+--------------------+----+-----------+ 1 row in set (0.01 sec) mysql> On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0 - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
Hi Alan, You are absolutely right about the log file and I am sorry to be
bothering
you again. I copy the content of my system log file of the issue below for your reference (My other test user which use the "user" file works OK).
...
(7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message =
0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000 721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
(7) eap_peap: Setting User-Name to jamesn (7) eap_peap: Sending tunneled request to inner-tunnel
That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
(7) sql: EXPAND %{User-Name} (7) sql: --> testuser1 (7) sql: SQL-User-Name set to 'testuser1' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (7) [sql] = notfound
That's definitive.
The "testuser1" isn't in SQL.
Run the queries manually to see what they return.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.f reeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c 285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737 615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3 D&reserved=0
Hello there, Thank you for your helps. As for the mistype, negative. I have all of them configured as Cleartext-Password As for the usergroup, since we do not use any group, I do not need to add usergroup so I don't have it in my config. It is optional and only necessary if you decide to use group though To share what I have done: 1/ create a new (admin) user for the database 2/ add new user by command line --> check and see it populate in the radius server 3/ restart the SQL server 4/ restart the freeradius server I still have the same thing: access reject and server has no response... Any helps would be really appreciated. Thanks -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+james.ngobui=gmail.com@lists.freeradius.org> On Behalf Of Rafael Labiak Olivastro Sent: September 28, 2018 1:16 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps Example: MariaDB [mikrotik_erp]> select * from radcheck; +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | id | UserName | Attribute | op | Value | obs | id_cliente | id_empresa | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | 1 | rafael | MD5-Password | := | 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 | | 2 | rafael | ClearText-Password | := | 1234 | | 743 | 1 | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ 2 rows in set (0.00 sec) MariaDB [mikrotik_erp]> select * from usergorup; ERROR 1146 (42S02): Table 'mikrotik_erp.usergorup' doesn't exist MariaDB [mikrotik_erp]> select * from radcheck; +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | id | UserName | Attribute | op | Value | obs | id_cliente | id_empresa | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ | 1 | rafael | MD5-Password | := | 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 | | 2 | rafael | ClearText-Password | := | 1234 | | 743 | 1 | +----+----------+--------------------+----+----------------------------------+------+------------+------------+ 2 rows in set (0.00 sec) MariaDB [mikrotik_erp]> select * from radusergroup; +----------+------------------------------------+----------+ | UserName | GroupName | priority | +----------+------------------------------------+----------+ | rafael | (Huawei)Acesso Residencial 2 MEGAS | 1 | +----------+------------------------------------+----------+ 1 row in set (0.00 sec) MariaDB [mikrotik_erp]> select * from radgroupreply; +----+------------------------------------+------------------------------+----+-------------+-----------+----------+ | id | GroupName | Attribute | op | Value | idempresa | tipo | +----+------------------------------------+------------------------------+----+-------------+-----------+----------+ | 1 | Acesso Residencial 2 MEGAS | Mikrotik-Rate-Limit | := | 1024k/2048k | 9999 | MIKROTIK | | 4 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Qos-Profile-Name | := | out-1M | 9999 | HUAWEI | | 5 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Down-QOS-Profile-Name | := | in-2M | 9999 | HUAWEI | | 6 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Policy-Route | := | 192.168.0.1 | 9999 | HUAWEI | +----+------------------------------------+------------------------------+----+-------------+-----------+----------+ 4 rows in set (0.00 sec) MariaDB [mikrotik_erp]> Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Rafael Labiak Olivastro <rolivastro@hotmail.com> Enviado: Friday, September 28, 2018 4:03:27 PM Para: FreeRadius users mailing list Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps Other thing is that RADUSERGROUP is not the same than RADCHECK, you need a row with username in both tables, not just in RADCHECK. The message is explaining that the user do not exist em RADUSERGROUP. (and you show the user in radcheck) Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de Rafael Labiak Olivastro <rolivastro@hotmail.com> Enviado: Friday, September 28, 2018 3:58:07 PM Para: FreeRadius users mailing list Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps Hello, Maybe if the MySQL is configured to be case sensitive the correct atribute is ClearText-Password unstead Cleartext-Password. It is just a guess. (note CT in ClearText) Rafael Enviado do Email<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D550986&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=f56eWLAAr9nJm%2FdLSSZ44rDh6vBIjhmHkzmr9TCCRlA%3D&reserved=0> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de James Ngo <james.ngobui@gmail.com> Enviado: Friday, September 28, 2018 2:54:48 PM Para: freeradius-users@lists.freeradius.org Assunto: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps This is very strange then... when I query manually using mysql, it shows per below What could have gone wrong? mysql> select * from radcheck; +----+-----------+--------------------+----+-----------+ | id | username | attribute | op | value | +----+-----------+--------------------+----+-----------+ | 2 | testuser1 | Cleartext-Password | := | testuser1 | +----+-----------+--------------------+----+-----------+ 1 row in set (0.01 sec) mysql> On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0 - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --- This email has been checked for viruses by AVG. https://www.avg.com
Send the debug output when you send an access request, freeradius -X
Uchenna Nebedum
On Fri, Sep 28, 2018, 23:32 <james.ngobui@gmail.com> wrote:
> Hello there,
> Thank you for your helps.
> As for the mistype, negative. I have all of them configured as
> Cleartext-Password
> As for the usergroup, since we do not use any group, I do not need to add
> usergroup so I don't have it in my config. It is optional and only
> necessary if you decide to use group though
> To share what I have done:
> 1/ create a new (admin) user for the database
> 2/ add new user by command line --> check and see it populate in the
> radius server
> 3/ restart the SQL server
> 4/ restart the freeradius server
> I still have the same thing: access reject and server has no response...
> Any helps would be really appreciated.
> Thanks
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+james.ngobui=
> gmail.com@lists.freeradius.org> On Behalf Of Rafael Labiak Olivastro
> Sent: September 28, 2018 1:16 PM
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> outdated - please helps
>
> Example:
>
> MariaDB [mikrotik_erp]> select * from radcheck;
>
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> | id | UserName | Attribute | op | Value
> | obs | id_cliente | id_empresa |
>
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> | 1 | rafael | MD5-Password | := |
> 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 |
> | 2 | rafael | ClearText-Password | := | 1234
> | | 743 | 1 |
>
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> 2 rows in set (0.00 sec)
>
> MariaDB [mikrotik_erp]> select * from usergorup; ERROR 1146 (42S02): Table
> 'mikrotik_erp.usergorup' doesn't exist MariaDB [mikrotik_erp]> select *
> from radcheck;
>
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> | id | UserName | Attribute | op | Value
> | obs | id_cliente | id_empresa |
>
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> | 1 | rafael | MD5-Password | := |
> 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 |
> | 2 | rafael | ClearText-Password | := | 1234
> | | 743 | 1 |
>
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> 2 rows in set (0.00 sec)
>
> MariaDB [mikrotik_erp]> select * from radusergroup;
> +----------+------------------------------------+----------+
> | UserName | GroupName | priority |
> +----------+------------------------------------+----------+
> | rafael | (Huawei)Acesso Residencial 2 MEGAS | 1 |
> +----------+------------------------------------+----------+
> 1 row in set (0.00 sec)
>
> MariaDB [mikrotik_erp]> select * from radgroupreply;
>
> +----+------------------------------------+------------------------------+----+-------------+-----------+----------+
> | id | GroupName | Attribute |
> op | Value | idempresa | tipo |
>
> +----+------------------------------------+------------------------------+----+-------------+-----------+----------+
> | 1 | Acesso Residencial 2 MEGAS | Mikrotik-Rate-Limit |
> := | 1024k/2048k | 9999 | MIKROTIK |
> | 4 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Qos-Profile-Name |
> := | out-1M | 9999 | HUAWEI |
> | 5 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Down-QOS-Profile-Name |
> := | in-2M | 9999 | HUAWEI |
> | 6 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Policy-Route |
> := | 192.168.0.1 | 9999 | HUAWEI |
>
> +----+------------------------------------+------------------------------+----+-------------+-----------+----------+
> 4 rows in set (0.00 sec)
>
> MariaDB [mikrotik_erp]>
>
> Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para
> Windows 10
>
> ________________________________
> De: Rafael Labiak Olivastro <rolivastro@hotmail.com>
> Enviado: Friday, September 28, 2018 4:03:27 PM
> Para: FreeRadius users mailing list
> Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> outdated - please helps
>
>
> Other thing is that RADUSERGROUP is not the same than RADCHECK, you need a
> row with username in both tables, not just in RADCHECK.
>
> The message is explaining that the user do not exist em RADUSERGROUP. (and
> you show the user in radcheck)
>
>
>
> Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para
> Windows 10
>
>
>
> ________________________________
> De: Freeradius-Users <freeradius-users-bounces+rolivastro=
> hotmail.com@lists.freeradius.org> em nome de Rafael Labiak Olivastro <
> rolivastro@hotmail.com>
> Enviado: Friday, September 28, 2018 3:58:07 PM
> Para: FreeRadius users mailing list
> Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> outdated - please helps
>
> Hello,
>
>
>
> Maybe if the MySQL is configured to be case sensitive the correct atribute
> is ClearText-Password unstead Cleartext-Password.
>
>
>
> It is just a guess. (note CT in ClearText)
>
>
>
> Rafael
>
>
>
> Enviado do Email<
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D550986&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=f56eWLAAr9nJm%2FdLSSZ44rDh6vBIjhmHkzmr9TCCRlA%3D&reserved=0>
> para Windows 10
>
>
>
> ________________________________
> De: Freeradius-Users <freeradius-users-bounces+rolivastro=
> hotmail.com@lists.freeradius.org> em nome de James Ngo <
> james.ngobui@gmail.com>
> Enviado: Friday, September 28, 2018 2:54:48 PM
> Para: freeradius-users@lists.freeradius.org
> Assunto: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> outdated - please helps
>
> This is very strange then...
> when I query manually using mysql, it shows per below What could have gone
> wrong?
>
> mysql> select * from radcheck;
> +----+-----------+--------------------+----+-----------+
> | id | username | attribute | op | value |
> +----+-----------+--------------------+----+-----------+
> | 2 | testuser1 | Cleartext-Password | := | testuser1 |
> +----+-----------+--------------------+----+-----------+
> 1 row in set (0.01 sec)
>
> mysql>
>
>
> On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com>
> wrote:
>
> > On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
> > >
> > > Hi Alan,
> > > You are absolutely right about the log file and I am sorry to be
> > bothering
> > > you again. I copy the content of my system log file of the issue
> > > below
> > for
> > > your reference (My other test user which use the "user" file works OK).
> >
> >
> > ...
> >
> > > (7) eap_peap: Got tunneled request
> > > (7) eap_peap: EAP-Message =
> > >
> > 0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000
> > 721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
> > > (7) eap_peap: Setting User-Name to jamesn
> > > (7) eap_peap: Sending tunneled request to inner-tunnel
> >
> > That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
> >
> > > (7) sql: EXPAND %{User-Name}
> > > (7) sql: --> testuser1
> > > (7) sql: SQL-User-Name set to 'testuser1'
> > > rlm_sql (sql): Reserved connection (1)
> > > (7) sql: EXPAND SELECT id, username, attribute, value, op FROM
> > > radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> > > (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck
> > > WHERE username = 'testuser1' ORDER BY id
> > > (7) sql: Executing select query: SELECT id, username, attribute,
> > > value,
> > op
> > > FROM radcheck WHERE username = 'testuser1' ORDER BY id
> > > (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> > > '%{SQL-User-Name}' ORDER BY priority
> > > (7) sql: --> SELECT groupname FROM radusergroup WHERE username =
> > > 'testuser1' ORDER BY priority
> > > (7) sql: Executing select query: SELECT groupname FROM radusergroup
> > > WHERE username = 'testuser1' ORDER BY priority
> > > (7) sql: User not found in any groups rlm_sql (sql): Released
> > > connection (1) Need 4 more connections to reach 10 spares rlm_sql
> > > (sql): Opening additional connection (6), 1 of 26 pending slots
> > used
> > > (7) [sql] = notfound
> >
> > That's definitive.
> >
> > The "testuser1" isn't in SQL.
> >
> > Run the queries manually to see what they return.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.f
> > reeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c
> > 285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737
> > 615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3
> > D&reserved=0
> -
> List info/subscribe/unsubscribe? See
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
> -
> List info/subscribe/unsubscribe? See
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ---
> This email has been checked for viruses by AVG.
> https://www.avg.com
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Here it is:
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file
/etc/freeradius/3.0/mods-config/sql/main/sqlite/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/debug
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client RevLodge-UAP-AC {
ipaddr = 10.5.5.47
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_detail
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_mschap
# Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
sql {
driver = "rlm_sql_null"
server = "localhost"
port = 3306
login = "radiusadmin"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
logfile = "/var/log/freeradius/sqllog.sql"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM
nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol
FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
%{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime =
(%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s',
acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
%{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime =
(%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s',
acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}',
%{%{integer:Event-Timestamp}:-date('now')},
%{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime =
%{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0,
framedipaddress = '%{Framed-IP-Address}', acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
%{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0},
acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 |
%{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime =
%{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
%{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0},
acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 |
%{%{Acct-Output-Octets}:-0}, acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_linelog
# Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
instantiate {
}
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "sql" from file
/etc/freeradius/3.0/mods-enabled/sql
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:331
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 41648
Listening on proxy address :: port 47024
Ready to process requests
(0) Received Access-Request Id 168 from 10.25.25.47:56513 to
10.25.25.45:1812 length 170
(0) User-Name = "testuser1"
(0) NAS-IP-Address = 10.25.25.47
(0) NAS-Identifier = "44d9e7fc7b5c"
(0) NAS-Port = 0
(0) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(0) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) EAP-Message = 0x0276000e01746573747573657231
(0) Message-Authenticator = 0xdba519a9ae3f7261293a81134d193436
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 118 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 119 length 22
(0) eap: EAP session adding &reply:State = 0xcdea9f30cd9d9bea
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 168 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(0) EAP-Message = 0x017700160410ad9c3c4314f316038ae0fff84d3bb71d
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xcdea9f30cd9d9bead12bb49242b27f0e
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 169 from 10.25.25.47:56513 to
10.25.25.45:1812 length 182
(1) User-Name = "testuser1"
(1) NAS-IP-Address = 10.25.25.47
(1) NAS-Identifier = "44d9e7fc7b5c"
(1) NAS-Port = 0
(1) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(1) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) EAP-Message = 0x027700080319152b
(1) State = 0xcdea9f30cd9d9bead12bb49242b27f0e
(1) Message-Authenticator = 0xb7448a1618b6e5557e2c502150bba9f3
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 119 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql: --> testuser1
(1) sql: SQL-User-Name set to 'testuser1'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser1' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testuser1' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username =
'testuser1' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testuser1' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password
is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xcdea9f30cd9d9bea
(1) eap: Finished EAP session with state 0xcdea9f30cd9d9bea
(1) eap: Previous EAP request found for state 0xcdea9f30cd9d9bea, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 120 length 6
(1) eap: EAP session adding &reply:State = 0xcdea9f30cc9286ea
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 169 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(1) EAP-Message = 0x017800061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xcdea9f30cc9286ead12bb49242b27f0e
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 170 from 10.25.25.47:56513 to
10.25.25.45:1812 length 335
(2) User-Name = "testuser1"
(2) NAS-IP-Address = 10.25.25.47
(2) NAS-Identifier = "44d9e7fc7b5c"
(2) NAS-Port = 0
(2) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(2) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) EAP-Message =
0x027800a119800000009716030100920100008e03035baeb2b334323c42bfab854b84309e00301bef1786b7837807b9979a7a78068b00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(2) State = 0xcdea9f30cc9286ead12bb49242b27f0e
(2) Message-Authenticator = 0x22de6a9cbc23e3448dd46e1d239f054d
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 120 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xcdea9f30cc9286ea
(2) eap: Finished EAP session with state 0xcdea9f30cc9286ea
(2) eap: Previous EAP request found for state 0xcdea9f30cc9286ea, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.2 [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 02d3]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 121 length 1004
(2) eap: EAP session adding &reply:State = 0xcdea9f30cf9386ea
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 170 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(2) EAP-Message =
0x017903ec19c000000475160303003d0200003903031ee42b66e5dbb0376437f77a61f5de616f5b6888e9835ed97072f204acf7c71100c030000011ff01000100000b0004030001020017000016030302d30b0002cf0002cc0002c9308202c5308201ada003020102020900e88b749ad3eb6833300d0609
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xcdea9f30cf9386ead12bb49242b27f0e
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 171 from 10.25.25.47:56513 to
10.25.25.45:1812 length 180
(3) User-Name = "testuser1"
(3) NAS-IP-Address = 10.25.25.47
(3) NAS-Identifier = "44d9e7fc7b5c"
(3) NAS-Port = 0
(3) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(3) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) EAP-Message = 0x027900061900
(3) State = 0xcdea9f30cf9386ead12bb49242b27f0e
(3) Message-Authenticator = 0x00298ff003f45929bc4031ae853f6f4f
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 121 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xcdea9f30cf9386ea
(3) eap: Finished EAP session with state 0xcdea9f30cf9386ea
(3) eap: Previous EAP request found for state 0xcdea9f30cf9386ea, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 122 length 153
(3) eap: EAP session adding &reply:State = 0xcdea9f30ce9086ea
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 171 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(3) EAP-Message =
0x017a009919001bc9acc829a06f78c9fa526d9e4ae5f6ec58084cd14e9ce34f2e5220afe425367cf8103e1605d79a0e1817e3a6d67f648917857db5d5b8e5805a89c846433dece8c3b1cbf70d6ac13771c578810ba9d13a53e40f825920238d3075da10c5354a28fb7d5965c13953f1ec449b317debe3a0
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xcdea9f30ce9086ead12bb49242b27f0e
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 172 from 10.25.25.47:56513 to
10.25.25.45:1812 length 310
(4) User-Name = "testuser1"
(4) NAS-IP-Address = 10.25.25.47
(4) NAS-Identifier = "44d9e7fc7b5c"
(4) NAS-Port = 0
(4) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(4) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) EAP-Message =
0x027a008819800000007e16030300461000004241046b3e802f24feae8bbf5181dd0309247878ff20142a7c63f7bcf2d61140679186cca9f61b57c36528e2b3bb70e2006f922a4965fb68c28eeae52df60a76b45afa14030300010116030300282597f67e7230ff207fea8a9e9a42254bcc7e97bc53f7cf
(4) State = 0xcdea9f30ce9086ead12bb49242b27f0e
(4) Message-Authenticator = 0xa731bd4bad4aa296e9fe20bc88daf308
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 122 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xcdea9f30ce9086ea
(4) eap: Finished EAP session with state 0xcdea9f30ce9086ea
(4) eap: Previous EAP request found for state 0xcdea9f30ce9086ea, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 123 length 57
(4) eap: EAP session adding &reply:State = 0xcdea9f30c99186ea
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 172 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(4) EAP-Message =
0x017b003919001403030001011603030028be4cc8d652f0ffb5a66985a11d3a5cce04a1258f5458e4d30f357474c11e96f6d7acafdda5b7d964
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xcdea9f30c99186ead12bb49242b27f0e
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 173 from 10.25.25.47:56513 to
10.25.25.45:1812 length 180
(5) User-Name = "testuser1"
(5) NAS-IP-Address = 10.25.25.47
(5) NAS-Identifier = "44d9e7fc7b5c"
(5) NAS-Port = 0
(5) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(5) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) EAP-Message = 0x027b00061900
(5) State = 0xcdea9f30c99186ead12bb49242b27f0e
(5) Message-Authenticator = 0xd06499d1754fe2fc438a9c94e552d4bb
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 123 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xcdea9f30c99186ea
(5) eap: Finished EAP session with state 0xcdea9f30c99186ea
(5) eap: Previous EAP request found for state 0xcdea9f30c99186ea, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 124 length 40
(5) eap: EAP session adding &reply:State = 0xcdea9f30c89686ea
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 173 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(5) EAP-Message =
0x017c00281900170303001dbe4cc8d652f0ffb697af1676942b6553b818208ab60812486ee829a78f
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xcdea9f30c89686ead12bb49242b27f0e
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 174 from 10.25.25.47:56513 to
10.25.25.45:1812 length 219
(6) User-Name = "testuser1"
(6) NAS-IP-Address = 10.25.25.47
(6) NAS-Identifier = "44d9e7fc7b5c"
(6) NAS-Port = 0
(6) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(6) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) EAP-Message =
0x027c002d190017030300222597f67e7230ff21609e328bedbdfc07cbbc6d6cea8156df58009fe0c95d70b1950e
(6) State = 0xcdea9f30c89686ead12bb49242b27f0e
(6) Message-Authenticator = 0x28aacba61edc82c08f9cc161df2d628f
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 124 length 45
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xcdea9f30c89686ea
(6) eap: Finished EAP session with state 0xcdea9f30c89686ea
(6) eap: Previous EAP request found for state 0xcdea9f30c89686ea, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - testuser1
(6) eap_peap: Got inner identity 'testuser1'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x027c000e01746573747573657231
(6) eap_peap: Setting User-Name to testuser1
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x027c000e01746573747573657231
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "testuser1"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x027c000e01746573747573657231
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "testuser1"
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 124 length 14
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 125 length 43
(6) eap: EAP session adding &reply:State = 0xb9b00956b9cd1334
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message =
0x017d002b1a017d002610c60ddbc0e51fe479a6603deaf09bc2ae667265657261646975732d332e302e3136
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xb9b00956b9cd1334255d8030a5c16353
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message =
0x017d002b1a017d002610c60ddbc0e51fe479a6603deaf09bc2ae667265657261646975732d332e302e3136
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xb9b00956b9cd1334255d8030a5c16353
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message =
0x017d002b1a017d002610c60ddbc0e51fe479a6603deaf09bc2ae667265657261646975732d332e302e3136
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xb9b00956b9cd1334255d8030a5c16353
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 125 length 74
(6) eap: EAP session adding &reply:State = 0xcdea9f30cb9786ea
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 174 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(6) EAP-Message =
0x017d004a1900170303003fbe4cc8d652f0ffb7816e2d74ad76e451db3db74aaeb886fbe80b5aa8c5416f0c0f0aea69a59ede65bf19afa7ac53229352700e604627cad9fc5a4f9b0fde4a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xcdea9f30cb9786ead12bb49242b27f0e
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 175 from 10.25.25.47:56513 to
10.25.25.45:1812 length 273
(7) User-Name = "testuser1"
(7) NAS-IP-Address = 10.25.25.47
(7) NAS-Identifier = "44d9e7fc7b5c"
(7) NAS-Port = 0
(7) Called-Station-Id = "44-7F-E7-FE-7B-5C:Home11"
(7) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) EAP-Message =
0x027d0063190017030300582597f67e7230ff226d8f37b792ee6d63529d93a77619091f39b66d0cb1e3ff5760590823ad62d281674e6cd7cbbca13d6c6c0e47a5a3f9bb64391e36e99a8bb389973c1cc5dc04aa51eed6a19ca9c9d11f5d51cb0e6b1cd5
(7) State = 0xcdea9f30cb9786ead12bb49242b27f0e
(7) Message-Authenticator = 0x2feac0778c37493c253e0b9044a422dc
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 125 length 99
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xb9b00956b9cd1334
(7) eap: Finished EAP session with state 0xcdea9f30cb9786ea
(7) eap: Previous EAP request found for state 0xcdea9f30cb9786ea, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x027d00441a027d003f319722ba1024242a1de5e57943ecadfb7f0000000000000000fef947816d344910156040b8f7a9a7b983ad54fd7549980900746573747573657231
(7) eap_peap: Setting User-Name to testuser1
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x027d00441a027d003f319722ba1024242a1de5e57943ecadfb7f0000000000000000fef947816d344910156040b8f7a9a7b983ad54fd7549980900746573747573657231
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "testuser1"
(7) eap_peap: State = 0xb9b00956b9cd1334255d8030a5c16353
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x027d00441a027d003f319722ba1024242a1de5e57943ecadfb7f0000000000000000fef947816d344910156040b8f7a9a7b983ad54fd7549980900746573747573657231
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "testuser1"
(7) State = 0xb9b00956b9cd1334255d8030a5c16353
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 125 length 68
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql: --> testuser1
(7) sql: SQL-User-Name set to 'testuser1'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser1' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testuser1' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT groupname FROM radusergroup WHERE username =
'testuser1' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testuser1' ORDER BY priority
(7) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
(7) [sql] = notfound
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xb9b00956b9cd1334
(7) eap: Finished EAP session with state 0xb9b00956b9cd1334
(7) eap: Previous EAP request found for state 0xb9b00956b9cd1334, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(7) mschap: Creating challenge hash with username: testuser1
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 125 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) sql: EXPAND .query
(7) sql: --> .query
(7) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(7) sql: EXPAND %{User-Name}
(7) sql: --> testuser1
(7) sql: SQL-User-Name set to 'testuser1'
(7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(7) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 16:01:07')
(7) sql: EXPAND /var/log/freeradius/sqllog.sql
(7) sql: --> /var/log/freeradius/sqllog.sql
(7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 16:01:07')
(7) sql: SQL query returned: success
(7) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(7) [sql] = ok
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> testuser1
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) MS-CHAP-Error = "}E=691 R=1 C=b0c939926d6584ae1db584f157623d43 V=3
M=Authentication rejected"
(7) EAP-Message = 0x047d0004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap: MS-CHAP-Error = "}E=691 R=1
C=b0c939926d6584ae1db584f157623d43 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x047d0004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap: MS-CHAP-Error = "}E=691 R=1
C=b0c939926d6584ae1db584f157623d43 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x047d0004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 126 length 46
(7) eap: EAP session adding &reply:State = 0xcdea9f30ca9486ea
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot
perform authentication"
(7) Sent Access-Challenge Id 175 from 10.5.5.45:1812 to 10.5.5.47:56513
length 0
(7) EAP-Message =
0x017e002e19001703030023be4cc8d652f0ffb89f909d30ef542e6ec6cccf95e6d413fd732f694b3ba347b72a5641
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xcdea9f30ca9486ead12bb49242b27f0e
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 176 from 10.5.5.47:56513 to 10.5.5.45:1812
length 220
(8) User-Name = "testuser1"
(8) NAS-IP-Address = 10.5.5.47
(8) NAS-Identifier = "44d9e7fc7b5c"
(8) NAS-Port = 0
(8) Called-Station-Id = "44-D9-E7-FE-7B-5C:Home11"
(8) Calling-Station-Id = "D0-2B-20-74-5D-BA"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) EAP-Message =
0x027e002e190017030300232597f67e7230ff230738e3cb8e293e6957f838be21d4b7380b89d57bab0db7e53d28ca
(8) State = 0xcdea9f30ca9486ead12bb49242b27f0e
(8) Message-Authenticator = 0x1cd0faf5f1929bacc4e8e52f8a1336bc
(8) Restoring &session-state
(8) &session-state:Module-Failure-Message := "mschap: FAILED: No
NT/LM-Password. Cannot perform authentication"
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 126 length 46
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xcdea9f30ca9486ea
(8) eap: Finished EAP session with state 0xcdea9f30ca9486ea
(8) eap: Previous EAP request found for state 0xcdea9f30ca9486ea, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: ERROR: The users session was previously rejected: returning
reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(8) eap: Sending EAP Failure (code 4) ID 126 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) sql: EXPAND .query
(8) sql: --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(8) sql: EXPAND %{User-Name}
(8) sql: --> testuser1
(8) sql: SQL-User-Name set to 'testuser1'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 16:01:07')
(8) sql: EXPAND /var/log/freeradius/sqllog.sql
(8) sql: --> /var/log/freeradius/sqllog.sql
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'testuser1', '', 'Access-Reject', '2018-09-28 16:01:07')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(8) [sql] = ok
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> testuser1
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 176 from 10.5.5.45:1812 to 10.5.5.47:56513 length
44
(8) EAP-Message = 0x047e0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 168 with timestamp +42
(1) Cleaning up request packet ID 169 with timestamp +42
(2) Cleaning up request packet ID 170 with timestamp +42
(3) Cleaning up request packet ID 171 with timestamp +42
(4) Cleaning up request packet ID 172 with timestamp +42
(5) Cleaning up request packet ID 173 with timestamp +42
(6) Cleaning up request packet ID 174 with timestamp +42
(7) Cleaning up request packet ID 175 with timestamp +42
(8) Cleaning up request packet ID 176 with timestamp +42
Ready to process requests
On Fri, Sep 28, 2018 at 3:35 PM Uchenna Nebedum <nebeduch@gmail.com> wrote:
> Send the debug output when you send an access request, freeradius -X
>
> Uchenna Nebedum
>
> On Fri, Sep 28, 2018, 23:32 <james.ngobui@gmail.com> wrote:
>
> > Hello there,
> > Thank you for your helps.
> > As for the mistype, negative. I have all of them configured as
> > Cleartext-Password
> > As for the usergroup, since we do not use any group, I do not need to add
> > usergroup so I don't have it in my config. It is optional and only
> > necessary if you decide to use group though
> > To share what I have done:
> > 1/ create a new (admin) user for the database
> > 2/ add new user by command line --> check and see it populate in the
> > radius server
> > 3/ restart the SQL server
> > 4/ restart the freeradius server
> > I still have the same thing: access reject and server has no response...
> > Any helps would be really appreciated.
> > Thanks
> >
> > -----Original Message-----
> > From: Freeradius-Users <freeradius-users-bounces+james.ngobui=
> > gmail.com@lists.freeradius.org> On Behalf Of Rafael Labiak Olivastro
> > Sent: September 28, 2018 1:16 PM
> > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org
> >
> > Subject: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> > outdated - please helps
> >
> > Example:
> >
> > MariaDB [mikrotik_erp]> select * from radcheck;
> >
> >
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> > | id | UserName | Attribute | op | Value
> > | obs | id_cliente | id_empresa |
> >
> >
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> > | 1 | rafael | MD5-Password | := |
> > 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 |
> > | 2 | rafael | ClearText-Password | := | 1234
> > | | 743 | 1 |
> >
> >
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> > 2 rows in set (0.00 sec)
> >
> > MariaDB [mikrotik_erp]> select * from usergorup; ERROR 1146 (42S02):
> Table
> > 'mikrotik_erp.usergorup' doesn't exist MariaDB [mikrotik_erp]> select *
> > from radcheck;
> >
> >
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> > | id | UserName | Attribute | op | Value
> > | obs | id_cliente | id_empresa |
> >
> >
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> > | 1 | rafael | MD5-Password | := |
> > 81dc9bdb52d04dc20036dbd8313ed055 | | 743 | 1 |
> > | 2 | rafael | ClearText-Password | := | 1234
> > | | 743 | 1 |
> >
> >
> +----+----------+--------------------+----+----------------------------------+------+------------+------------+
> > 2 rows in set (0.00 sec)
> >
> > MariaDB [mikrotik_erp]> select * from radusergroup;
> > +----------+------------------------------------+----------+
> > | UserName | GroupName | priority |
> > +----------+------------------------------------+----------+
> > | rafael | (Huawei)Acesso Residencial 2 MEGAS | 1 |
> > +----------+------------------------------------+----------+
> > 1 row in set (0.00 sec)
> >
> > MariaDB [mikrotik_erp]> select * from radgroupreply;
> >
> >
> +----+------------------------------------+------------------------------+----+-------------+-----------+----------+
> > | id | GroupName | Attribute
> |
> > op | Value | idempresa | tipo |
> >
> >
> +----+------------------------------------+------------------------------+----+-------------+-----------+----------+
> > | 1 | Acesso Residencial 2 MEGAS | Mikrotik-Rate-Limit
> |
> > := | 1024k/2048k | 9999 | MIKROTIK |
> > | 4 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Qos-Profile-Name
> |
> > := | out-1M | 9999 | HUAWEI |
> > | 5 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Down-QOS-Profile-Name
> |
> > := | in-2M | 9999 | HUAWEI |
> > | 6 | (Huawei)Acesso Residencial 2 MEGAS | Huawei-Policy-Route
> |
> > := | 192.168.0.1 | 9999 | HUAWEI |
> >
> >
> +----+------------------------------------+------------------------------+----+-------------+-----------+----------+
> > 4 rows in set (0.00 sec)
> >
> > MariaDB [mikrotik_erp]>
> >
> > Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para
> > Windows 10
> >
> > ________________________________
> > De: Rafael Labiak Olivastro <rolivastro@hotmail.com>
> > Enviado: Friday, September 28, 2018 4:03:27 PM
> > Para: FreeRadius users mailing list
> > Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> > outdated - please helps
> >
> >
> > Other thing is that RADUSERGROUP is not the same than RADCHECK, you need
> a
> > row with username in both tables, not just in RADCHECK.
> >
> > The message is explaining that the user do not exist em RADUSERGROUP.
> (and
> > you show the user in radcheck)
> >
> >
> >
> > Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para
> > Windows 10
> >
> >
> >
> > ________________________________
> > De: Freeradius-Users <freeradius-users-bounces+rolivastro=
> > hotmail.com@lists.freeradius.org> em nome de Rafael Labiak Olivastro <
> > rolivastro@hotmail.com>
> > Enviado: Friday, September 28, 2018 3:58:07 PM
> > Para: FreeRadius users mailing list
> > Assunto: RES: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> > outdated - please helps
> >
> > Hello,
> >
> >
> >
> > Maybe if the MySQL is configured to be case sensitive the correct
> atribute
> > is ClearText-Password unstead Cleartext-Password.
> >
> >
> >
> > It is just a guess. (note CT in ClearText)
> >
> >
> >
> > Rafael
> >
> >
> >
> > Enviado do Email<
> >
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D550986&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=f56eWLAAr9nJm%2FdLSSZ44rDh6vBIjhmHkzmr9TCCRlA%3D&reserved=0
> >
> > para Windows 10
> >
> >
> >
> > ________________________________
> > De: Freeradius-Users <freeradius-users-bounces+rolivastro=
> > hotmail.com@lists.freeradius.org> em nome de James Ngo <
> > james.ngobui@gmail.com>
> > Enviado: Friday, September 28, 2018 2:54:48 PM
> > Para: freeradius-users@lists.freeradius.org
> > Assunto: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is
> > outdated - please helps
> >
> > This is very strange then...
> > when I query manually using mysql, it shows per below What could have
> gone
> > wrong?
> >
> > mysql> select * from radcheck;
> > +----+-----------+--------------------+----+-----------+
> > | id | username | attribute | op | value |
> > +----+-----------+--------------------+----+-----------+
> > | 2 | testuser1 | Cleartext-Password | := | testuser1 |
> > +----+-----------+--------------------+----+-----------+
> > 1 row in set (0.01 sec)
> >
> > mysql>
> >
> >
> > On Fri, Sep 28, 2018 at 11:27 AM Alan DeKok <aland@deployingradius.com>
> > wrote:
> >
> > > On Sep 28, 2018, at 2:12 PM, James Ngo <james.ngobui@gmail.com> wrote:
> > > >
> > > > Hi Alan,
> > > > You are absolutely right about the log file and I am sorry to be
> > > bothering
> > > > you again. I copy the content of my system log file of the issue
> > > > below
> > > for
> > > > your reference (My other test user which use the "user" file works
> OK).
> > >
> > >
> > > ...
> > >
> > > > (7) eap_peap: Got tunneled request
> > > > (7) eap_peap: EAP-Message =
> > > >
> > > 0x022300411a0223003c31cc0432c71245051a187bd13655a9e34a0000000000000000
> > > 721615e15d5ae620467f9822441958a6f7be55128b39b716006a616d65736e
> > > > (7) eap_peap: Setting User-Name to jamesn
> > > > (7) eap_peap: Sending tunneled request to inner-tunnel
> > >
> > > That's the MS-CHAP stuff from PEAP, inside of the TLS tunnel.
> > >
> > > > (7) sql: EXPAND %{User-Name}
> > > > (7) sql: --> testuser1
> > > > (7) sql: SQL-User-Name set to 'testuser1'
> > > > rlm_sql (sql): Reserved connection (1)
> > > > (7) sql: EXPAND SELECT id, username, attribute, value, op FROM
> > > > radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> > > > (7) sql: --> SELECT id, username, attribute, value, op FROM
> radcheck
> > > > WHERE username = 'testuser1' ORDER BY id
> > > > (7) sql: Executing select query: SELECT id, username, attribute,
> > > > value,
> > > op
> > > > FROM radcheck WHERE username = 'testuser1' ORDER BY id
> > > > (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> > > > '%{SQL-User-Name}' ORDER BY priority
> > > > (7) sql: --> SELECT groupname FROM radusergroup WHERE username =
> > > > 'testuser1' ORDER BY priority
> > > > (7) sql: Executing select query: SELECT groupname FROM radusergroup
> > > > WHERE username = 'testuser1' ORDER BY priority
> > > > (7) sql: User not found in any groups rlm_sql (sql): Released
> > > > connection (1) Need 4 more connections to reach 10 spares rlm_sql
> > > > (sql): Opening additional connection (6), 1 of 26 pending slots
> > > used
> > > > (7) [sql] = notfound
> > >
> > > That's definitive.
> > >
> > > The "testuser1" isn't in SQL.
> > >
> > > Run the queries manually to see what they return.
> > >
> > > Alan DeKok.
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.f
> > > reeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c
> > > 285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737
> > > 615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3
> > > D&reserved=0
> > -
> > List info/subscribe/unsubscribe? See
> >
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
> > -
> > List info/subscribe/unsubscribe? See
> >
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C3b7f9e7137f84c285e5408d6257cc667%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636737615161542787&sdata=vhXLdNI79MiBC7DmtofLRgx3Rc6kcRvmE%2BiS2O8zm3c%3D&reserved=0
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> > ---
> > This email has been checked for viruses by AVG.
> > https://www.avg.com
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
On Fri, 2018-09-28 at 16:17 -0700, James Ngo wrote:
# Loading module "sql" from file /etc/freeradius/3.0/mods- enabled/sql sql { driver = "rlm_sql_null" server = "localhost" port = 3306 login = "radiusadmin" password = <<< secret >>> radius_db = "radius"
Configure the sql module to use the mysql driver. "null" won't get you anywhere. -- Matthew
STUPID ME!!!! This IS the problem!!! I blindly follow the default config file and just uncommented the sql All working now And one last thing: How do I configure the Freeradius to auto-start when the computer restart? My PC run Ubuntu v.18 Thank you very much Regards -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+james.ngobui=gmail.com@lists.freeradius.org> On Behalf Of Matthew Newton Sent: September 28, 2018 4:33 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Config FreeRadius (3.0.16) to work with SQL: The Guide is outdated - please helps On Fri, 2018-09-28 at 16:17 -0700, James Ngo wrote:
# Loading module "sql" from file /etc/freeradius/3.0/mods- enabled/sql sql { driver = "rlm_sql_null" server = "localhost" port = 3306 login = "radiusadmin" password = <<< secret >>> radius_db = "radius"
Configure the sql module to use the mysql driver. "null" won't get you anywhere. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --- This email has been checked for viruses by AVG. https://www.avg.com
hi, And one last thing: How do I configure the Freeradius to auto-start when
the computer restart? My PC run Ubuntu v.18
thats really an Ubuntu question (OS stuff) rather than FreeRADIUS... but you basically need to configure your Ubuntues system startup stuff to run FreeRADIUS ..Ubuntu 18 is systemctl IIRC... so youd just do something like systemctl enable freeradius (or whatever freeradius daemon is called these days on Ubuntu.... note, this will expect that the freeradius daemon script stuff has been copied to the relevant systemd directory systemctl status freeradius will tell you more info. alan
participants (7)
-
Alan Buxey -
Alan DeKok -
James Ngo -
james.ngobui@gmail.com -
Matthew Newton -
Rafael Labiak Olivastro -
Uchenna Nebedum