Hello, I'll be trying the latest Freeradius on Ubuntu 19.10 and I can't seem to be able to connect. Can someone please help me? Something seems to have changed. Many Thanks, (4) Received Access-Request Id 128 from 127.0.0.1:48822 to 127.0.0.1:1812 length 157 (4) User-Name = "houman" (4) NAS-Port-Type = Virtual (4) Service-Type = Framed-User (4) NAS-Port = 3 (4) NAS-Port-Id = "X-1" (4) NAS-IP-Address = 172.31.20.12 (4) Called-Station-Id = "172.31.20.12[4500]" (4) Calling-Station-Id = "185.76.230.248[38823]" (4) Acct-Session-Id = "1576757594-3" (4) EAP-Message = 0x0200000b01686f756d616e (4) NAS-Identifier = "strongSwan" (4) Message-Authenticator = 0x7e6d9c86703eecf1dc78e34980d98a68 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) update control { (4) EXPAND %l (4) --> 1576757818 (4) &Current-Timestamp := 1576757818 (4) } # update control = noop (4) update request { rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 90 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 90 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 90 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 90 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 90 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 90 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 90 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (7), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius_db' on xx.xxx.xx.xx via TCP/IP, server version 8.0.18, protocol version 10 rlm_sql (sql): Reserved connection (7) rlm_sql (sql): Released connection (7) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (8), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius_db' on xx.xxx.xx.xx via TCP/IP, server version 8.0.18, protocol version 10 (4) EXPAND %{User-Name} (4) --> houman (4) SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (7) (4) Executing select query: SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='houman' rlm_sql (sql): Released connection (7) (4) EXPAND %{sql:SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='%{User-Name}'} (4) --> 1735689600 (4) &Expires-Timestamp := 1735689600 (4) } # update request = noop (4) if (&control:Current-Timestamp > &request:Expires-Timestamp) { (4) if (&control:Current-Timestamp > &request:Expires-Timestamp) -> FALSE (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = noop (4) } # policy filter_username = noop (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "houman", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 0 length 11 (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Peer sent packet with method EAP Identity (1) (4) eap: Calling submodule eap_md5 to process data (4) eap_md5: Issuing MD5 Challenge (4) eap: Sending EAP Request (code 1) ID 1 length 22 (4) eap: EAP session adding &reply:State = 0xa17deb22a17ceffe (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 128 from 127.0.0.1:1812 to 127.0.0.1:48822 length 0 (4) EAP-Message = 0x0101001604103a8af45976daf8a272f4e1044cbca4ea (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xa17deb22a17ceffef01faedaf7cde45b (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 129 from 127.0.0.1:48822 to 127.0.0.1:1812 length 170 (5) User-Name = "houman" (5) NAS-Port-Type = Virtual (5) Service-Type = Framed-User (5) NAS-Port = 3 (5) NAS-Port-Id = "X-1" (5) NAS-IP-Address = 172.31.20.12 (5) Called-Station-Id = "172.31.20.12[4500]" (5) Calling-Station-Id = "185.76.230.248[38823]" (5) Acct-Session-Id = "1576757594-3" (5) EAP-Message = 0x02010006031a (5) NAS-Identifier = "strongSwan" (5) State = 0xa17deb22a17ceffef01faedaf7cde45b (5) Message-Authenticator = 0x72dac90f5d0d96fc8992a391980d751b (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) update control { (5) EXPAND %l (5) --> 1576757818 (5) &Current-Timestamp := 1576757818 (5) } # update control = noop (5) update request { rlm_sql (sql): Reserved connection (8) rlm_sql (sql): Released connection (8) (5) EXPAND %{User-Name} (5) --> houman (5) SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (7) (5) Executing select query: SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='houman' rlm_sql (sql): Released connection (7) (5) EXPAND %{sql:SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='%{User-Name}'} (5) --> 1735689600 (5) &Expires-Timestamp := 1735689600 (5) } # update request = noop (5) if (&control:Current-Timestamp > &request:Expires-Timestamp) { (5) if (&control:Current-Timestamp > &request:Expires-Timestamp) -> FALSE (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = noop (5) } # policy filter_username = noop (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "houman", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 1 length 6 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) sql: EXPAND %{User-Name} (5) sql: --> houman (5) sql: SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (8) (5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (5) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'houman' ORDER BY id (5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'houman' ORDER BY id (5) sql: User found in radcheck table (5) sql: Conditional check items matched, merging assignment check items (5) sql: Cleartext-Password := "houman@lovesyou" (5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (5) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'houman' ORDER BY id (5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'houman' ORDER BY id rlm_sql (sql): Reserved connection (7) rlm_sql (sql): Released connection (7) (5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (5) sql: --> SELECT groupname FROM radusergroup WHERE username = 'houman' ORDER BY priority (5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'houman' ORDER BY priority (5) sql: User not found in any groups rlm_sql (sql): Released connection (8) (5) [sql] = ok (5) [expiration] = noop (5) [logintime] = noop (5) pap: WARNING: Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xa17deb22a17ceffe (5) eap: Finished EAP session with state 0xa17deb22a17ceffe (5) eap: Previous EAP request found for state 0xa17deb22a17ceffe, released from the list (5) eap: Peer sent packet with method EAP NAK (3) (5) eap: Found mutually acceptable type MSCHAPv2 (26) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 2 length 43 (5) eap: EAP session adding &reply:State = 0xa17deb22a07ff1fe (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 129 from 127.0.0.1:1812 to 127.0.0.1:48822 length 0 (5) EAP-Message = 0x0102002b1a01020026109ea8499d23b221fe286e0553b2afd879667265657261646975732d332e302e3139 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xa17deb22a07ff1fef01faedaf7cde45b (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 130 from 127.0.0.1:48822 to 127.0.0.1:1812 length 229 (6) User-Name = "houman" (6) NAS-Port-Type = Virtual (6) Service-Type = Framed-User (6) NAS-Port = 3 (6) NAS-Port-Id = "X-1" (6) NAS-IP-Address = 172.31.20.12 (6) Called-Station-Id = "172.31.20.12[4500]" (6) Calling-Station-Id = "185.76.230.248[38823]" (6) Acct-Session-Id = "1576757594-3" (6) EAP-Message = 0x020200411a0202003c316473cdfd9ba7577369c536ec1a3732170000000000000000bdd8d54efc713f6c117e2db89759acfa868367fc3920267200686f756d616e (6) NAS-Identifier = "strongSwan" (6) State = 0xa17deb22a07ff1fef01faedaf7cde45b (6) Message-Authenticator = 0xe167fa7a298b2393526a662c1298ce92 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) update control { (6) EXPAND %l (6) --> 1576757818 (6) &Current-Timestamp := 1576757818 (6) } # update control = noop (6) update request { rlm_sql (sql): Reserved connection (8) rlm_sql (sql): Released connection (8) (6) EXPAND %{User-Name} (6) --> houman (6) SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (7) (6) Executing select query: SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='houman' rlm_sql (sql): Released connection (7) (6) EXPAND %{sql:SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='%{User-Name}'} (6) --> 1735689600 (6) &Expires-Timestamp := 1735689600 (6) } # update request = noop (6) if (&control:Current-Timestamp > &request:Expires-Timestamp) { (6) if (&control:Current-Timestamp > &request:Expires-Timestamp) -> FALSE (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = noop (6) } # policy filter_username = noop (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "houman", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 2 length 65 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) sql: EXPAND %{User-Name} (6) sql: --> houman (6) sql: SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (8) (6) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (6) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'houman' ORDER BY id (6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'houman' ORDER BY id (6) sql: User found in radcheck table (6) sql: Conditional check items matched, merging assignment check items (6) sql: Cleartext-Password := "houman@lovesyou" (6) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (6) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'houman' ORDER BY id (6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'houman' ORDER BY id rlm_sql (sql): Reserved connection (7) rlm_sql (sql): Released connection (7) (6) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (6) sql: --> SELECT groupname FROM radusergroup WHERE username = 'houman' ORDER BY priority (6) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'houman' ORDER BY priority (6) sql: User not found in any groups rlm_sql (sql): Released connection (8) (6) [sql] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xa17deb22a07ff1fe (6) eap: Finished EAP session with state 0xa17deb22a07ff1fe (6) eap: Previous EAP request found for state 0xa17deb22a07ff1fe, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: houman (6) mschap: Client is using MS-CHAPv2 (6) mschap: Adding MS-CHAPv2 MPPE keys (6) eap_mschapv2: [mschap] = ok (6) eap_mschapv2: } # authenticate = ok (6) eap_mschapv2: MSCHAP Success (6) eap: Sending EAP Request (code 1) ID 3 length 51 (6) eap: EAP session adding &reply:State = 0xa17deb22a37ef1fe (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 130 from 127.0.0.1:1812 to 127.0.0.1:48822 length 0 (6) EAP-Message = 0x010300331a0302002e533d33303232453237443943444437313237423132413042323041304536444630314333323741323538 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xa17deb22a37ef1fef01faedaf7cde45b (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 131 from 127.0.0.1:48822 to 127.0.0.1:1812 length 170 (7) User-Name = "houman" (7) NAS-Port-Type = Virtual (7) Service-Type = Framed-User (7) NAS-Port = 3 (7) NAS-Port-Id = "X-1" (7) NAS-IP-Address = 172.31.20.12 (7) Called-Station-Id = "172.31.20.12[4500]" (7) Calling-Station-Id = "185.76.230.248[38823]" (7) Acct-Session-Id = "1576757594-3" (7) EAP-Message = 0x020300061a03 (7) NAS-Identifier = "strongSwan" (7) State = 0xa17deb22a37ef1fef01faedaf7cde45b (7) Message-Authenticator = 0x23f98c032ec4bbd63d42cd63c25f36f7 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) update control { (7) EXPAND %l (7) --> 1576757818 (7) &Current-Timestamp := 1576757818 (7) } # update control = noop (7) update request { rlm_sql (sql): Reserved connection (8) rlm_sql (sql): Released connection (8) (7) EXPAND %{User-Name} (7) --> houman (7) SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (7) (7) Executing select query: SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='houman' rlm_sql (sql): Released connection (7) (7) EXPAND %{sql:SELECT UNIX_TIMESTAMP(expires_at) FROM main_db.`user` WHERE main_db.`user`.username ='%{User-Name}'} (7) --> 1735689600 (7) &Expires-Timestamp := 1735689600 (7) } # update request = noop (7) if (&control:Current-Timestamp > &request:Expires-Timestamp) { (7) if (&control:Current-Timestamp > &request:Expires-Timestamp) -> FALSE (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "houman", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 3 length 6 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) sql: EXPAND %{User-Name} (7) sql: --> houman (7) sql: SQL-User-Name set to 'houman' rlm_sql (sql): Reserved connection (8) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'houman' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'houman' ORDER BY id (7) sql: User found in radcheck table (7) sql: Conditional check items matched, merging assignment check items (7) sql: Cleartext-Password := "houman@lovesyou" (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'houman' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'houman' ORDER BY id rlm_sql (sql): Reserved connection (7) rlm_sql (sql): Released connection (7) Need 1 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (9), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius_db' on xx.xxx.xx.xx via TCP/IP, server version 8.0.18, protocol version 10 (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'houman' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'houman' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (8) (7) [sql] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xa17deb22a37ef1fe (7) eap: Finished EAP session with state 0xa17deb22a37ef1fe (7) eap: Previous EAP request found for state 0xa17deb22a37ef1fe, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap: Sending EAP Success (code 3) ID 3 length 4 (7) eap: Freeing handler (7) [eap] = ok (7) } # authenticate = ok (7) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (7) post-auth { (7) update reply { (7) Acct-Interim-Interval = 300 (7) } # update reply = noop (7) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (7) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (7) update { (7) No attributes updated for RHS &session-state: (7) } # update = noop (7) policy sql_session_start.post-auth { (7) policy acct_unique { (7) update request { (7) &Tmp-String-9 := "ai:" (7) } # update request = noop (7) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (7) EXPAND %{hex:&Class} (7) --> (7) EXPAND ^%{hex:&Tmp-String-9} (7) --> ^61693a (7) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (7) else { (7) update request { (7) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (7) --> 4777c724ef84c2fd714218f9256dac76 (7) &Acct-Unique-Session-Id := 4777c724ef84c2fd714218f9256dac76 (7) } # update request = noop (7) } # else = noop (7) } # policy acct_unique = noop (7) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query} (7) sql: --> type.post-auth.query (7) sql: Using query template 'query' rlm_sql (sql): Reserved connection (8) (7) sql: EXPAND %{User-Name} (7) sql: --> houman (7) sql: SQL-User-Name set to 'houman' (7) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, NULL, 0, '', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', NULL, '', '', '', '', '') (7) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES('1576757594-3', '4777c724ef84c2fd714218f9256dac76', 'houman', '', '172.31.20.12', NULLIF('X-1', ''), 'Virtual', FROM_UNIXTIME(1576757818), NULL, NULL, 0, '', '', NULL, 0, 0, '172.31.20.12=5B4500=5D', '185.76.230.248=5B38823=5D', NULL, 'Framed-User', NULL, '', '', '', '', '') (7) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES('1576757594-3', '4777c724ef84c2fd714218f9256dac76', 'houman', '', '172.31.20.12', NULLIF('X-1', ''), 'Virtual', FROM_UNIXTIME(1576757818), NULL, NULL, 0, '', '', NULL, 0, 0, '172.31.20.12=5B4500=5D', '185.76.230.248=5B38823=5D', NULL, 'Framed-User', NULL, '', '', '', '', '') (7) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'framedipv6address' in 'field list'): 42S22 (7) sql: SQL query returned: server error rlm_sql (sql): Released connection (8) (7) [sql.accounting] = fail (7) } # policy sql_session_start.post-auth = fail (7) } # post-auth = fail (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) sql: EXPAND .query (7) sql: --> .query (7) sql: Using query template 'query' rlm_sql (sql): Reserved connection (7) (7) sql: EXPAND %{User-Name} (7) sql: --> houman (7) sql: SQL-User-Name set to 'houman' (7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (7) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'houman', '', 'Access-Reject', '2019-12-19 12:16:58') (7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'houman', '', 'Access-Reject', '2019-12-19 12:16:58') (7) sql: SQL query returned: success (7) sql: 1 record(s) updated rlm_sql (sql): Released connection (7) (7) [sql] = ok (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> houman (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 131 from 127.0.0.1:1812 to 127.0.0.1:48822 length 44 (7) EAP-Message = 0x03030004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. (4) Cleaning up request packet ID 128 with timestamp +95 Waking up in 0.1 seconds. (5) Cleaning up request packet ID 129 with timestamp +95 Waking up in 0.1 seconds. (6) Cleaning up request packet ID 130 with timestamp +95 Waking up in 0.2 seconds. (7) Cleaning up request packet ID 131 with timestamp +95 Ready to process requests
On 19 December 2019 12:23:09 GMT, Houman <houmie@gmail.com> wrote:
I'll be trying the latest Freeradius on Ubuntu 19.10 and I can't seem to be able to connect.
Can someone please help me? Something seems to have changed.
You used the new config and didn't update your database schema. Either update the database or use the old config with the previous queries.
(7) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'framedipv6address' in 'field list'): 42S22
(7) sql: SQL query returned: server error rlm_sql (sql): Released connection (8) (7) [sql.accounting] = fail (7) } # policy sql_session_start.post-auth = fail (7) } # post-auth = fail (7) Using Post-Auth-Type Reject
-- Matthew
Hello Matthew, I'm not allowed to change the central database schema. May you elaborate please a bit more about the old config and using the previous queries? Which of these configs should I replace with the old one? /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/sites-available/default /etc/freeradius/3.0/sites-available/inner-tunnel /etc/freeradius/3.0/clients.conf /etc/freeradius/3.0/radiusd.conf Many Thanks, Houman On Thu, 19 Dec 2019 at 12:30, Matthew Newton <mcn@freeradius.org> wrote:
On 19 December 2019 12:23:09 GMT, Houman <houmie@gmail.com> wrote:
I'll be trying the latest Freeradius on Ubuntu 19.10 and I can't seem to be able to connect.
Can someone please help me? Something seems to have changed.
You used the new config and didn't update your database schema.
Either update the database or use the old config with the previous queries.
(7) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'framedipv6address' in 'field list'): 42S22
(7) sql: SQL query returned: server error rlm_sql (sql): Released connection (8) (7) [sql.accounting] = fail (7) } # policy sql_session_start.post-auth = fail (7) } # post-auth = fail (7) Using Post-Auth-Type Reject
-- Matthew
On Dec 19, 2019, at 8:34 AM, Houman <houmie@gmail.com> wrote:
I'm not allowed to change the central database schema. May you elaborate please a bit more about the old config and using the previous queries? Which of these configs should I replace with the old one?
The ones related to SQL.
/etc/freeradius/3.0/mods-available/sql
Read that. It has documentation. Alan DeKok.
Ah I understand now. So I have to replace /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql and /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf with the previous version. I couldn't see anything else in the config itself that has to be changed. Did I understand that correctly? Thanks, On Thu, 19 Dec 2019 at 13:45, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 19, 2019, at 8:34 AM, Houman <houmie@gmail.com> wrote:
I'm not allowed to change the central database schema. May you elaborate please a bit more about the old config and using the previous queries? Which of these configs should I replace with the old one?
The ones related to SQL.
/etc/freeradius/3.0/mods-available/sql
Read that. It has documentation.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 19, 2019, at 9:26 AM, Houman <houmie@gmail.com> wrote:
Ah I understand now.
So I have to replace /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
You don't need to change the schema. It's just an example.
and /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf with the previous version.
You can't "replace" the file. You need to edit the queries to match your schema. The v2 sql.conf file and queries *cannot* be copied to a v3 configuration. They *will not* work.
I couldn't see anything else in the config itself that has to be changed.
Yes. That's why we hide the SQL complexity in "queries.conf" file. So nothing else needs to change when you change the queries.
Did I understand that correctly?
Pretty much. Alan DeKok.
Thanks for your answer. I should have been more specific with what I mean by the previous version. My previous version was Freeradius 3.0.16 (Ubuntu 18.04). So what I just did was to copy both queries.conf and schema.sql from 3.0.16 and copied them in the same place on a Freeradius 3.0.19 (Ubuntu 19.04). I have restarted Freeradius and I can connect now. Is this approach ok? Thanks, On Thu, 19 Dec 2019 at 14:43, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 19, 2019, at 9:26 AM, Houman <houmie@gmail.com> wrote:
Ah I understand now.
So I have to replace /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
You don't need to change the schema. It's just an example.
and /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf with the previous version.
You can't "replace" the file. You need to edit the queries to match your schema.
The v2 sql.conf file and queries *cannot* be copied to a v3 configuration. They *will not* work.
I couldn't see anything else in the config itself that has to be changed.
Yes. That's why we hide the SQL complexity in "queries.conf" file. So nothing else needs to change when you change the queries.
Did I understand that correctly?
Pretty much.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 19, 2019, at 9:58 AM, Houman <houmie@gmail.com> wrote:
Thanks for your answer.
I should have been more specific with what I mean by the previous version.
My previous version was Freeradius 3.0.16 (Ubuntu 18.04). So what I just did was to copy both queries.conf and schema.sql
As I said, the schema file is informational. It's not actually used by FreeRADIUS for anything,
from 3.0.16 and copied them in the same place on a Freeradius 3.0.19 (Ubuntu 19.04). I have restarted Freeradius and I can connect now.
Is this approach ok?
If it works... But the schema and queries really haven't changed that much from 3.0.16 to 3.0.19. So this copying shouldn't be necessary. Which makes me wonder what else is going on here. Alan DeKok.
Sorry yes, you are right. the schema.sql is only informational. All I really needed was queries.conf. I have shared the Freeradius -X output in my first email (with 3.0.19 queries.conf on 3.0.16 database schema) if it helps to see what the issue could be. Thanks, On Thu, 19 Dec 2019 at 15:03, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 19, 2019, at 9:58 AM, Houman <houmie@gmail.com> wrote:
Thanks for your answer.
I should have been more specific with what I mean by the previous
version.
My previous version was Freeradius 3.0.16 (Ubuntu 18.04). So what I just did was to copy both queries.conf and schema.sql
As I said, the schema file is informational. It's not actually used by FreeRADIUS for anything,
from 3.0.16 and copied them in the same place on a Freeradius 3.0.19 (Ubuntu 19.04). I have restarted Freeradius and I can connect now.
Is this approach ok?
If it works...
But the schema and queries really haven't changed that much from 3.0.16 to 3.0.19. So this copying shouldn't be necessary.
Which makes me wonder what else is going on here.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 19, 2019, at 10:23 AM, Houman <houmie@gmail.com> wrote:
Sorry yes, you are right. the schema.sql is only informational. All I really needed was queries.conf. I have shared the Freeradius -X output in my first email (with 3.0.19 queries.conf on 3.0.16 database schema) if it helps to see what the issue could be.
It doesn't. The mysql auth queries didn't change from 3.0.16 to 3.0.19. Alan DeKok.
On Thu, 2019-12-19 at 10:32 -0500, Alan DeKok wrote:
On Dec 19, 2019, at 10:23 AM, Houman <houmie@gmail.com> wrote:
Sorry yes, you are right. the schema.sql is only informational. All I really needed was queries.conf. I have shared the Freeradius -X output in my first email (with 3.0.19 queries.conf on 3.0.16 database schema) if it helps to see what the issue could be.
It doesn't.
The mysql auth queries didn't change from 3.0.16 to 3.0.19.
Yeah, but the accounting schema/queries got IPv6 attributes added (framedipv6address etc). The query that's failing is the post-auth "pre-create accounting record" one. Upgrading FreeRADIUS and keeping the same config in place wouldn't affect this, as the new version will continue to use the same queries. So something else has gone on: queries.conf /has/ been changed for some reason, but the new schema from schema.conf hasn't been used. The options are to take queries.conf back to the previous one they were using before or upgrade the database to the new schema (add the four new IPv6 related fields to the radacct table). -- Matthew
Hi Mathew, Thanks for the detailed explanation. If the new schema is just adding four new fields only, then I could as well get away with upgrading the schema after all and using the new config on this server. This is of course as long as the other FreeRadius 3.0.16 can still use the same DB with 3.0.19 schema. As long as new fields are added and nothing has been renamed or changed, I think it should be fine. What are your thoughts? On Thu, 19 Dec 2019 at 16:31, Matthew Newton <mcn@freeradius.org> wrote:
On Thu, 2019-12-19 at 10:32 -0500, Alan DeKok wrote:
On Dec 19, 2019, at 10:23 AM, Houman <houmie@gmail.com> wrote:
Sorry yes, you are right. the schema.sql is only informational. All I really needed was queries.conf. I have shared the Freeradius -X output in my first email (with 3.0.19 queries.conf on 3.0.16 database schema) if it helps to see what the issue could be.
It doesn't.
The mysql auth queries didn't change from 3.0.16 to 3.0.19.
Yeah, but the accounting schema/queries got IPv6 attributes added (framedipv6address etc). The query that's failing is the post-auth "pre-create accounting record" one.
Upgrading FreeRADIUS and keeping the same config in place wouldn't affect this, as the new version will continue to use the same queries. So something else has gone on: queries.conf /has/ been changed for some reason, but the new schema from schema.conf hasn't been used.
The options are to take queries.conf back to the previous one they were using before or upgrade the database to the new schema (add the four new IPv6 related fields to the radacct table).
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, 2019-12-19 at 16:43 +0000, Houman wrote:
Thanks for the detailed explanation. If the new schema is just adding four new fields only, then I could as well get away with upgrading the schema after all and using the new config on this server. This is of course as long as the other FreeRadius 3.0.16 can still use the same DB with 3.0.19 schema. As long as new fields are added and nothing has been renamed or changed, I think it should be fine.
What are your thoughts?
If you use IPv6 and want the data, update the schema with the new fields. If you don't care or it's too much risk, use the old queries. The changes are easy enough to find https://github.com/FreeRADIUS/freeradius-server/commit/d5022d0f92d457c8d3726... -- Matthew
participants (3)
-
Alan DeKok -
Houman -
Matthew Newton