Proxying between RADIUS servers using TLS
Hi, Since FR now supports TLS, how should I configure proxy.conf to specify that I want a specific realm to be handled over TLS (instead of the default UDP)? I can't find anything in the online docs (am happy to submit patches to improve this in 3.0.8 and later once I've tested that here). Alan(x2)? Arran? Any ideas? Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 1, 2015, at 7:19 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Since FR now supports TLS, how should I configure proxy.conf to specify that I want a specific realm to be handled over TLS (instead of the default UDP)? I can't find anything in the online docs (am happy to submit patches to improve this in 3.0.8 and later once I've tested that here).
You configure only TLS home servers for that realm. Realms are not home servers... Aan DeKok.
You configure only TLS home servers for that realm. Realms are not home servers...
Ok, let me rephrase (and run through it)... Feel free to correct: I have a TLS-only FR service at realm1, and a TLS-only FR service at realm2 (they are *not* the same machine). When FR at realm1 receives a request for realm2, I need an entry for realm2 in proxy.conf to forward the request to realm2, correct? This is unchanged, yes? How do I configure the realm entry for realm2? With UDP it was simple: realm realm2 { authhost = ip.address:port secret = RADIUS secret } So for TLS it should look how? realm realm2 { ??? } Or do I ignore proxy.conf for that and define that somewhere else? I apologise if this is really obvious for you and not for me... I'm only used to ABFAB-based TLS home server resolution at this point. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 1, 2015, at 9:11 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
So for TLS it should look how?
Home server pools, and home servers. This has been in the server since v2.0.0. The realm "accthost" config has been deprecated since 2008. :( And see raddb/sites-available/tls. There's complete documentation there. Alan DeKok.
Sanitized tls.conf from a working Radius TLS Proxy on the latest FR 3.x from GIT. Alan did push out an update which enabled Radius Accounting over TLS a week or two ago. Alan thanks for your assistance getting this feature working. ================================================== home_server remote_endpoint1 { ipaddr = %ip_addr% port = 2083 type = auth+acct secret = secret proto = tcp status_check = none tls { private_key_file = ${certdir}/cert.key certificate_file = ${certdir}/cert.csrb64.cer ca_file = /usr/local/etc/raddb/certs/ca.crt dh_file = ${certdir}/dh random_file = ${certdir}/random fragment_size = 8192 ca_path = ${cadir} cipher_list = "DEFAULT" } } home_server_pool proxy_endpoint { type = fail-over home_server = remote_endpoint1 } home_server_pool tls { type = fail-over home_server = tls } realm %realm% { auth_pool = proxy_endpoint acct_pool = proxy_endpoint } ================================================= Chris Teague -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+chris.teague=mybrighthouse.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April 01, 2015 9:31 AM To: FreeRadius users mailing list Subject: Re: Proxying between RADIUS servers using TLS On Apr 1, 2015, at 9:11 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
So for TLS it should look how?
Home server pools, and home servers. This has been in the server since v2.0.0. The realm "accthost" config has been deprecated since 2008. :( And see raddb/sites-available/tls. There's complete documentation there. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ CONFIDENTIALITY NOTICE: This e-mail may contain information that is privileged, confidential or otherwise protected from disclosure. **If you are not the intended recipient of this e-mail, please notify the sender immediately by return e-mail, purge it and do not disseminate or copy it.
On Apr 1, 2015, at 9:11 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
So for TLS it should look how?
Home server pools, and home servers. This has been in the server since v2.0.0. The realm "accthost" config has been deprecated since 2008. :(
Ok, I've just raised something where not having a secret with the realm definition blows up FR, even though the home_server definition has it. :-/ Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 1, 2015, at 9:48 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Ok, I've just raised something where not having a secret with the realm definition blows up FR, even though the home_server definition has it. :-/
Uh... you should NOT be using "authhost" and "auth_pool" at the same time. Alan DeKok.
Uh... you should NOT be using "authhost" and "auth_pool" at the same time.
I wasn't... I defined a home_server with TLS info. Then I defined the realm, set authhost to the defined home_server. Since the home_server already had the secret, I didn't expect to have to have a secret entry in the realm definition, but... It blew up. So I defined it again. :-/ And by the way... Damn you for putting the proxy.conf reference for TLS in there before I was able to! :-D Thanks again, Alan, as always, much appreciated. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 1, 2015, at 10:44 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
I wasn't... I defined a home_server with TLS info. Then I defined the realm, set authhost to the defined home_server.
"authhost" is a DNS name. It's not a reference to a "home_server".
Since the home_server already had the secret, I didn't expect to have to have a secret entry in the realm definition, but... It blew up.
Now it won't blow up.
So I defined it again. :-/
Not again. FR ignored the home server, because it wasn't being used.
And by the way... Damn you for putting the proxy.conf reference for TLS in there before I was able to! :-D
I'm fast. That's not always a good thing. Alan DeKok.
"authhost" is a DNS name. It's not a reference to a "home_server".
Well, it took the reference to the home_server ok... So that might need to be tweaked/fixed.
Now it won't blow up.
Whoo!
Not again. FR ignored the home server, because it wasn't being used.
Very odd... That's not what I saw when I did an auth request... It may have ignored the secret entry in the home_server definition, but it connected with TLS ok (albeit with wrong client.pem and ca.pem at the time).
I'm fast. That's not always a good thing.
Hahaha. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 1, 2015, at 11:19 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
"authhost" is a DNS name. It's not a reference to a "home_server".
Well, it took the reference to the home_server ok... So that might need to be tweaked/fixed.
Probably because the home server name you used is a valid DNS name,
Very odd... That's not what I saw when I did an auth request... It may have ignored the secret entry in the home_server definition, but it connected with TLS ok (albeit with wrong client.pem and ca.pem at the time).
Then it was doing something else.. like using the home server IP for proxying, instead of Proxy-To-Realm. Alan DeKok.
Probably because the home server name you used is a valid DNS name,
I ive you the output of this cnfiguration (authhost set to the home_server). You'll notice that authhost willhappily accept the home_server entry and then do its thing... Provided a secret has been provided in the 'realm' entry. The home_server entry contains an underscore (not a dot): Copyright (C) 1999-2015 The FreeRADIUS erver project and contributors There is NO warranty; not even for MERCANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file namd COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec incluing configuration file /etc/raddb/mods-enabled/alway including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mds-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/chapincluding configuration ile /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/realm including configuration file /etcraddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/abfab_psk_sql including configuration file /etc/raddb/mods-enabled/eap inluding configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/uni including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/cache_eap including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/cui including configuration file /etc/radb/policy.d/dhcp including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/polic.d/debug including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration ile /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/abfab-tr-idp including configuration file /etc/raddb/sites-enabled/channel_bindings including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/lund-server including configuration file /etc/raddb/sites-enabled/abfab-tls main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "yes" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connetions = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server main-idp65x64_localdomain { ipaddr = 192.168.213.24 port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombe_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } tls { rsa_ky_exchange = no dh_key_exhange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/main-idp-client.pem" certificate_file = "/etc/raddb/certs/main-idp-client.pem" ca_file = "/etc/raddb/certs/main-idp-capem" private_key_password = <<< secret >>> dh_file = "/etc/radd/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 8192 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" } realm main-rp65x4.localdomain { } realm LOCAL { } realm main-idp65x64.localdomain { nostrip authhost = main-idp65x64_localdomain secret = radsec } home_server_pool my_auth_failover { type = fail-over home_server = localhost } home_server_pool main-idp65x64_localdomain_authpool { home_server = main-idp65x64_localdomain } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limi { max_connections = 16 lifetime = 0 idle_tmeout = 30 } } Debugger not attached # Creating Auth-Type = digest radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_exec # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = es program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_always # Instantiatng module "reject" from ile /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/rddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/radd/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = n } # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/ar/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/acounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_digest # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest # Loaded modue rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_lients # Loaded module rlm_logintime # Instantiating module "logintime" from file /et/raddb/mods-enabled/logintim logintime { minimum_timeout = 60 } # Loaded module rlm_preprocess #Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_scend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack= no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /tc/raddb/mods-enabled/dhcp # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { flename = "/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/modsenabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_expr # Instantiating module "expr" rom file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enaled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-ntkey --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_stron = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } Warning: dh_check failed with 8 : the g value is not a generator # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter= "@" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Instantiating module "realmpercent" frm file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_sql # Instantiating module "psksql" from file /etc/raddb/mods-enabled/abfab_psk_sql sql psksql { driver = "rlm_sql_sqlite" server = "localhost" port = "" login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "" default_user_profile = "" client_query = "SELECT id,nasname,shortname,type,secret FROM nas" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = ".query" type { accounting-on { } accounting-off { } start { } interim-update { } stop { } } } post-auth { reference = ".query" } } rlm_sql (psksql): Creating new attribute psksql-SQL-Group rlm_sql_sqlite: libsqlite version: 3.6.20 sqlite { filename = "/var/lib/trust_router/keys" } rlm_sql (psksql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (psksql): Attempting to connect to database "radius" rlm_sql (psksql): Initialising connection pool pool { start = 5 min = 5 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_sql (psksql): Opening additional connection (0), 1 of 10 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys" rlm_sql (psksql): Opening additional connection (1), 1 of 9 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys" rlm_sql (psksql): Opening additional connection (2), 1 of 8 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys" rlm_sql (psksql): Opening additional connection (3), 1 of 7 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys" rlm_sql (psksql): Opening additional connection (4), 1 of 6 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/lib/trust_router/keys" # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 1024 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr ess}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr ess}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr ess}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr ess}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addr ess}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server abfab-idp { # from file /etc/raddb/sites-enabled/abfab-tr-idp # Loading authenticate {...} # Loading authorize {...} # Loading post-proxy {...} # Loading post-auth {...} } # server abfab-idp server channel_bindings { # from file /etc/raddb/sites-enabled/channel_bindings # Loading authorize {...} } # server channel_bindings server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel /etc/raddb/policy.d/abfab-tr[28] Please change %{gss-acceptor-host-name}} to &gss-acceptor-host-name} thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 cleanup_delay = 5 max_queue_size = 65536 auto_limit_acct = no } Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" virtual_server = "abfab-idp" ipaddr = * port = 2083 proto = "tcp" tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 8192 include_length = yes check_crl = no cipher_list = "DEFAULT" require_client_cert = yes ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } Thread 4 waiting to be assigned a request Thread 5 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 1 waiting to be assigned a request clients = "radsec-abfab" client default { ipaddr = 0.0.0.0/0 require_message_authenticator = no proto = "tls" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth proto tcp address * port 2083 (TLS) bound to server abfab-idp Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 32883 Ready to process requests ... new connection request on TCP socket Listening on auth from client (127.0.0.1, 47640) -> (*, 2083, virtual-server=abfab-idp) Waking up in 0.8 seconds. (0) Requiring client certificate (0) Initiate (0) (other): before/accept initialization (0) TLS_accept: before/accept initialization (0) <<< TLS 1.0 Handshake [length 0096], ClientHello (0) TLS_accept: SSLv3 read client hello A (0) >>> TLS 1.0 Handshake [length 003e], ServerHello (0) TLS_accept: SSLv3 write server hello A (0) >>> TLS 1.0 Handshake [length 093f], Certificate (0) TLS_accept: SSLv3 write certificate A (0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (0) TLS_accept: SSLv3 write key exchange A (0) >>> TLS 1.0 Handshake [length 00bc], CertificateRequest (0) TLS_accept: SSLv3 write certificate request A (0) TLS_accept: SSLv3 flush data (0) TLS_accept: Need to read more data: SSLv3 read client certificate A (0) TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode Waking up in 0.8 seconds. (0) <<< TLS 1.0 Handshake [length 093a], Certificate (0) TLS Verify adding attributes (0) chain-depth=1, (0) error=0 (0) --> BUF-Name = The RP Company Certificate Authority (0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=The RP Company/emailAddress=admin@main-rp65x64.localdomain/CN=The RP Company Certificate Authority (0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The RP Company/emailAddress=admin@main-rp65x64.localdomain/CN=The RP Company Certificate Authority (0) --> verify return:1 (0) TLS Verify adding attributes (0) chain-depth=0, (0) error=0 (0) --> BUF-Name = user@main-rp65x64.localdomain (0) --> subject = /C=FR/ST=Radius/O=The RP Company/CN=user@main-rp65x64.localdomain/emailAddress=user@main-rp65x64.loc aldomain (0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The RP Company/emailAddress=admin@main-rp65x64.localdomain/CN=The RP Company Certificate Authority (0) --> verify return:1 (0) TLS_accept: SSLv3 read client certificate A (0) <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (0) TLS_accept: SSLv3 read client key exchange A (0) <<< TLS 1.0 Handshake [length 0106], CertificateVerify (0) TLS_accept: SSLv3 read certificate verify A (0) <<< TLS 1.0 ChangeCipherSpec [length 0001] (0) <<< TLS 1.0 Handshake [length 0010], Finished (0) TLS_accept: SSLv3 read finished A (0) >>> TLS 1.0 ChangeCipherSpec [length 0001] (0) TLS_accept: SSLv3 write change cipher spec A (0) >>> TLS 1.0 Handshake [length 0010], Finished (0) TLS_accept: SSLv3 write finished A (0) TLS_accept: SSLv3 flush data (0) (other): SSL negotiation finished successfully SSL Connection Established Waking up in 0.8 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=131 Threads: total/active/spare threads = 5/0/5 Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 131 (0) User-Name = '@main-idp65x64.localdomain' (0) GSS-Acceptor-Service-Name = 'host' (0) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (0) EAP-Message = 0x0200001f01406d61696e2d69647036357836342e6c6f63616c646f6d61696e (0) Message-Authenticator = 0x2c3105c2b0f36cc4cd0648f99f293146 (0) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (0) authorize { (0) policy psk_authorize { (0) if (TLS-PSK-Identity) { (0) if (TLS-PSK-Identity) -> FALSE (0) } # policy psk_authorize = notfound (0) policy abfab_client_check { (0) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (0) EXPAND %{client:gss_acceptor_host_name} (0) --> (0) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (0) if ("%{client:trust_router_coi}") { (0) EXPAND %{client:trust_router_coi} (0) --> trapc65x64.localdomain (0) if ("%{client:trust_router_coi}") -> TRUE (0) if ("%{client:trust_router_coi}") { (0) update request { (0) EXPAND %{client:trust_router_coi} (0) --> trapc65x64.localdomain (0) Trust-Router-COI := "trapc65x64.localdomain" (0) } # update request = noop (0) } # if ("%{client:trust_router_coi}") = noop (0) if ("%{client:gss_acceptor_realm_name}") { (0) EXPAND %{client:gss_acceptor_realm_name} (0) --> main-rp65x64.localdomain (0) if ("%{client:gss_acceptor_realm_name}") -> TRUE (0) if ("%{client:gss_acceptor_realm_name}") { (0) update request { (0) EXPAND %{client:gss_acceptor_realm_name} (0) --> main-rp65x64.localdomain (0) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (0) } # update request = noop (0) } # if ("%{client:gss_acceptor_realm_name}") = noop (0) } # policy abfab_client_check = noop (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = noop (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (0) suffix: Found realm "main-idp65x64.localdomain" (0) suffix: Adding Realm = "main-idp65x64.localdomain" (0) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (0) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (0) [suffix] = updated (0) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (0) [eap] = noop (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.213.24, 2083)' Waking up in 0.3 seconds. Trying SSL to port 2083 Requiring Server certificate (0) (other): before/connect initialization (0) TLS_connect: before/connect initialization (0) >>> Unknown TLS version [length 00f0] (0) TLS_connect: SSLv2/v3 write client hello A (0) <<< Unknown TLS version [length 003e] (0) TLS_connect: SSLv3 read server hello A (0) <<< Unknown TLS version [length 094e] (0) TLS Verify adding attributes (0) chain-depth=1, (0) error=0 (0) --> BUF-Name = The IDP Company Certificate Authority (0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=The IDP Company/emailAddress=admin@main-idp65x64.localdomain/CN=The IDP Company Certificate Authority (0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The IDP Company/emailAddress=admin@main-idp65x64.localdomain/CN=The IDP Company Certificate Authority (0) --> verify return:1 (0) TLS Verify adding attributes (0) chain-depth=0, (0) error=0 (0) --> BUF-Name = The IDP Company Server Certificate (0) --> subject = /C=FR/ST=Radius/O=The IDP Company/CN=The IDP Company Server Certificate/emailAddress=admin@main-idp65x64.localdomain (0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=The IDP Company/emailAddress=admin@main-idp65x64.localdomain/CN=The IDP Company Certificate Authority (0) --> verify return:1 (0) TLS_connect: SSLv3 read server certificate A (0) <<< Unknown TLS version [length 014d] (0) TLS_connect: SSLv3 read server key exchange A (0) <<< Unknown TLS version [length 00dd] (0) TLS_connect: SSLv3 read server certificate request A (0) <<< Unknown TLS version [length 0004] (0) TLS_connect: SSLv3 read server done A (0) >>> Unknown TLS version [length 0949] (0) TLS_connect: SSLv3 write client certificate A (0) >>> Unknown TLS version [length 0046] (0) TLS_connect: SSLv3 write client key exchange A (0) >>> Unknown TLS version [length 0108] (0) TLS_connect: SSLv3 write certificate verify A (0) >>> Unknown TLS version [length 0001] (0) TLS_connect: SSLv3 write change cipher spec A (0) >>> Unknown TLS version [length 0010] (0) TLS_connect: SSLv3 write finished A (0) TLS_connect: SSLv3 flush data (0) <<< Unknown TLS version [length 0001] (0) <<< Unknown TLS version [length 0010] (0) TLS_connect: SSLv3 read finished A (0) (other): SSL negotiation finished successfully Listening on proxy (192.168.213.56, 39779) -> home_server (192.168.213.24, 2083) (0) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (0) Sent Access-Request Id 51 from 192.168.213.56:39779 to 192.168.213.24:2083 length 202 (0) User-Name = '@main-idp65x64.localdomain' (0) GSS-Acceptor-Service-Name = 'host' (0) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (0) EAP-Message = 0x0200001f01406d61696e2d69647036357836342e6c6f63616c646f6d61696e (0) Message-Authenticator = 0x2c3105c2b0f36cc4cd0648f99f293146 (0) Trust-Router-COI := 'trapc65x64.localdomain' (0) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (0) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (0) NAS-IP-Address = 127.0.0.1 (0) Proxy-State = 0x30 Thread 5 waiting to be assigned a request Waking up in 0.1 seconds. Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 0, (1 handled so far) (0) Received Access-Challenge Id 51 from 192.168.213.24:2083 to 192.168.213.56:39779 length 67 (0) EAP-Message = 0x010100061520 (0) Message-Authenticator = 0x57713dab1b8477f7b5f3813f73d67cc9 (0) State = 0x624e9873624f8d9244b62dd155e240a4 (0) Proxy-State = 0x30 (0) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (0) post-proxy { (0) eap: No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = noop (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (0) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 64 (0) EAP-Message = 0x010100061520 (0) Message-Authenticator = 0x57713dab1b8477f7b5f3813f73d67cc9 (0) State = 0x624e9873624f8d9244b62dd155e240a4 (0) Finished request Thread 4 waiting to be assigned a request (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=279 Waking up in 0.3 seconds. Thread 3 got semaphore Thread 3 handling request 1, (1 handled so far) (1) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 279 (1) User-Name = '@main-idp65x64.localdomain' (1) GSS-Acceptor-Service-Name = 'host' (1) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (1) EAP-Message = 0x020100a115001603010096010000920301550baed294c1717618dd6172bee5229dc2bcaa4 06e88d566952d30836773e97300004cc014c00a0039003800880087c00fc00500350084c013 c00900330032c012c008009a00990045004400160013c00ec004c00dc003002f00960041000 a0007c011c007c0 (1) State = 0x624e9873624f8d9244b62dd155e240a4 (1) Message-Authenticator = 0x6d99b9ff73c8b14335db31d396e588a8 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (1) authorize { (1) policy psk_authorize { (1) if (TLS-PSK-Identity) { (1) if (TLS-PSK-Identity) -> FALSE (1) } # policy psk_authorize = notfound (1) policy abfab_client_check { (1) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (1) EXPAND %{client:gss_acceptor_host_name} (1) --> (1) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (1) if ("%{client:trust_router_coi}") { (1) EXPAND %{client:trust_router_coi} (1) --> trapc65x64.localdomain (1) if ("%{client:trust_router_coi}") -> TRUE (1) if ("%{client:trust_router_coi}") { (1) update request { (1) EXPAND %{client:trust_router_coi} (1) --> trapc65x64.localdomain (1) Trust-Router-COI := "trapc65x64.localdomain" (1) } # update request = noop (1) } # if ("%{client:trust_router_coi}") = noop (1) if ("%{client:gss_acceptor_realm_name}") { (1) EXPAND %{client:gss_acceptor_realm_name} (1) --> main-rp65x64.localdomain (1) if ("%{client:gss_acceptor_realm_name}") -> TRUE (1) if ("%{client:gss_acceptor_realm_name}") { (1) update request { (1) EXPAND %{client:gss_acceptor_realm_name} (1) --> main-rp65x64.localdomain (1) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (1) } # update request = noop (1) } # if ("%{client:gss_acceptor_realm_name}") = noop (1) } # policy abfab_client_check = noop (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = noop (1) [preprocess] = ok (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (1) suffix: Found realm "main-idp65x64.localdomain" (1) suffix: Adding Realm = "main-idp65x64.localdomain" (1) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (1) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (1) [suffix] = updated (1) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (1) [eap] = noop (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = ok (1) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (1) Sent Access-Request Id 242 from 192.168.213.56:39779 to 192.168.213.24:2083 length 350 (1) User-Name = '@main-idp65x64.localdomain' (1) GSS-Acceptor-Service-Name = 'host' (1) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (1) EAP-Message = 0x020100a115001603010096010000920301550baed294c1717618dd6172bee5229dc2bcaa4 06e88d566952d30836773e97300004cc014c00a0039003800880087c00fc00500350084c013 c00900330032c012c008009a00990045004400160013c00ec004c00dc003002f00960041000 a0007c011c007c0 (1) State = 0x624e9873624f8d9244b62dd155e240a4 (1) Message-Authenticator = 0x6d99b9ff73c8b14335db31d396e588a8 (1) Trust-Router-COI := 'trapc65x64.localdomain' (1) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (1) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (1) NAS-IP-Address = 127.0.0.1 (1) Proxy-State = 0x30 Thread 3 waiting to be assigned a request (1) Received Access-Challenge Id 242 from 192.168.213.24:2083 to 192.168.213.56:39779 length 1071 (1) EAP-Message = 0x010203ec15c000000b0f160301005e0200005a0301550baedba41c012c8ec4d2820c405f9 27fbbb73a5d12045a8b9070302f123dbd2063312a9b5af0f5543b7524587b822afc7476ba1e a27b5e521006ca647509cc05c014000012ff01000100000b000403000102000f00010116030 1094e0b00094a00 (1) Message-Authenticator = 0x4cbff08646c49fc075c254ddaf3707ec (1) State = 0x624e9873634c8d9244b62dd155e240a4 (1) Proxy-State = 0x30 (1) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (1) post-proxy { (1) eap: No pre-existing handler found (1) [eap] = noop (1) } # post-proxy = noop (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (1) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 1068 (1) EAP-Message = 0x010203ec15c000000b0f160301005e0200005a0301550baedba41c012c8ec4d2820c405f9 27fbbb73a5d12045a8b9070302f123dbd2063312a9b5af0f5543b7524587b822afc7476ba1e a27b5e521006ca647509cc05c014000012ff01000100000b000403000102000f00010116030 1094e0b00094a00 (1) Message-Authenticator = 0x4cbff08646c49fc075c254ddaf3707ec (1) State = 0x624e9873634c8d9244b62dd155e240a4 (1) Finished request Waking up in 0.3 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=124 Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 2, (1 handled so far) (2) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 124 (2) User-Name = '@main-idp65x64.localdomain' (2) GSS-Acceptor-Service-Name = 'host' (2) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (2) EAP-Message = 0x020200061500 (2) State = 0x624e9873634c8d9244b62dd155e240a4 (2) Message-Authenticator = 0xa8c75d22fef8821b5d8cfd5afa068964 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (2) authorize { (2) policy psk_authorize { (2) if (TLS-PSK-Identity) { (2) if (TLS-PSK-Identity) -> FALSE (2) } # policy psk_authorize = notfound (2) policy abfab_client_check { (2) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (2) EXPAND %{client:gss_acceptor_host_name} (2) --> (2) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (2) if ("%{client:trust_router_coi}") { (2) EXPAND %{client:trust_router_coi} (2) --> trapc65x64.localdomain (2) if ("%{client:trust_router_coi}") -> TRUE (2) if ("%{client:trust_router_coi}") { (2) update request { (2) EXPAND %{client:trust_router_coi} (2) --> trapc65x64.localdomain (2) Trust-Router-COI := "trapc65x64.localdomain" (2) } # update request = noop (2) } # if ("%{client:trust_router_coi}") = noop (2) if ("%{client:gss_acceptor_realm_name}") { (2) EXPAND %{client:gss_acceptor_realm_name} (2) --> main-rp65x64.localdomain (2) if ("%{client:gss_acceptor_realm_name}") -> TRUE (2) if ("%{client:gss_acceptor_realm_name}") { (2) update request { (2) EXPAND %{client:gss_acceptor_realm_name} (2) --> main-rp65x64.localdomain (2) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (2) } # update request = noop (2) } # if ("%{client:gss_acceptor_realm_name}") = noop (2) } # policy abfab_client_check = noop (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) { (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # policy filter_username = noop (2) [preprocess] = ok (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (2) suffix: Found realm "main-idp65x64.localdomain" (2) suffix: Adding Realm = "main-idp65x64.localdomain" (2) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (2) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (2) [suffix] = updated (2) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (2) [eap] = noop (2) [expiration] = noop (2) [logintime] = noop (2) } # authorize = ok (2) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (2) Sent Access-Request Id 31 from 192.168.213.56:39779 to 192.168.213.24:2083 length 195 (2) User-Name = '@main-idp65x64.localdomain' (2) GSS-Acceptor-Service-Name = 'host' (2) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (2) EAP-Message = 0x020200061500 (2) State = 0x624e9873634c8d9244b62dd155e240a4 (2) Message-Authenticator = 0xa8c75d22fef8821b5d8cfd5afa068964 (2) Trust-Router-COI := 'trapc65x64.localdomain' (2) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (2) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (2) NAS-IP-Address = 127.0.0.1 (2) Proxy-State = 0x30 Thread 2 waiting to be assigned a request (2) Received Access-Challenge Id 31 from 192.168.213.24:2083 to 192.168.213.56:39779 length 1071 (2) EAP-Message = 0x010303ec15c000000b0f4d2ab15016ff2f6912da25705c6b9117ca3b45d563b87acc36153 98ac114410cab095da7455f94c6dd3b67fb12b754e03534443ab36b142336193532c5e470c9 b61941ed2911d3167a03e0bb0f799255fa8024254afb9a8aee0b07c5f2e5e40e486c89e7a56 83291be4f03f716 (2) Message-Authenticator = 0x776c05805ff610a169d2f2711eeeb97a (2) State = 0x624e9873604d8d9244b62dd155e240a4 (2) Proxy-State = 0x30 (2) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (2) post-proxy { (2) eap: No pre-existing handler found (2) [eap] = noop (2) } # post-proxy = noop (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (2) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 1068 (2) EAP-Message = 0x010303ec15c000000b0f4d2ab15016ff2f6912da25705c6b9117ca3b45d563b87acc36153 98ac114410cab095da7455f94c6dd3b67fb12b754e03534443ab36b142336193532c5e470c9 b61941ed2911d3167a03e0bb0f799255fa8024254afb9a8aee0b07c5f2e5e40e486c89e7a56 83291be4f03f716 (2) Message-Authenticator = 0x776c05805ff610a169d2f2711eeeb97a (2) State = 0x624e9873604d8d9244b62dd155e240a4 (2) Finished request Waking up in 0.3 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=124 Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 3, (1 handled so far) (3) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 124 (3) User-Name = '@main-idp65x64.localdomain' (3) GSS-Acceptor-Service-Name = 'host' (3) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (3) EAP-Message = 0x020300061500 (3) State = 0x624e9873604d8d9244b62dd155e240a4 (3) Message-Authenticator = 0x3b2e1bcb5ed0ee5d07b02bc5d6a9fb1b (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (3) authorize { (3) policy psk_authorize { (3) if (TLS-PSK-Identity) { (3) if (TLS-PSK-Identity) -> FALSE (3) } # policy psk_authorize = notfound (3) policy abfab_client_check { (3) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (3) EXPAND %{client:gss_acceptor_host_name} (3) --> (3) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (3) if ("%{client:trust_router_coi}") { (3) EXPAND %{client:trust_router_coi} (3) --> trapc65x64.localdomain (3) if ("%{client:trust_router_coi}") -> TRUE (3) if ("%{client:trust_router_coi}") { (3) update request { (3) EXPAND %{client:trust_router_coi} (3) --> trapc65x64.localdomain (3) Trust-Router-COI := "trapc65x64.localdomain" (3) } # update request = noop (3) } # if ("%{client:trust_router_coi}") = noop (3) if ("%{client:gss_acceptor_realm_name}") { (3) EXPAND %{client:gss_acceptor_realm_name} (3) --> main-rp65x64.localdomain (3) if ("%{client:gss_acceptor_realm_name}") -> TRUE (3) if ("%{client:gss_acceptor_realm_name}") { (3) update request { (3) EXPAND %{client:gss_acceptor_realm_name} (3) --> main-rp65x64.localdomain (3) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (3) } # update request = noop (3) } # if ("%{client:gss_acceptor_realm_name}") = noop (3) } # policy abfab_client_check = noop (3) policy filter_username { (3) if (!&User-Name) { (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) { (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # policy filter_username = noop (3) [preprocess] = ok (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (3) suffix: Found realm "main-idp65x64.localdomain" (3) suffix: Adding Realm = "main-idp65x64.localdomain" (3) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (3) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (3) [suffix] = updated (3) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (3) [eap] = noop (3) [expiration] = noop (3) [logintime] = noop (3) } # authorize = ok (3) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (3) Sent Access-Request Id 148 from 192.168.213.56:39779 to 192.168.213.24:2083 length 195 (3) User-Name = '@main-idp65x64.localdomain' (3) GSS-Acceptor-Service-Name = 'host' (3) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (3) EAP-Message = 0x020300061500 (3) State = 0x624e9873604d8d9244b62dd155e240a4 (3) Message-Authenticator = 0x3b2e1bcb5ed0ee5d07b02bc5d6a9fb1b (3) Trust-Router-COI := 'trapc65x64.localdomain' (3) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (3) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (3) NAS-IP-Address = 127.0.0.1 (3) Proxy-State = 0x30 Thread 1 waiting to be assigned a request (3) Received Access-Challenge Id 148 from 192.168.213.24:2083 to 192.168.213.56:39779 length 920 (3) EAP-Message = 0x01040355158000000b0f12301006035504071309536f6d657768657265311830160603550 40a130f5468652049445020436f6d70616e79312e302c06092a864886f70d010901161f6164 6d696e406d61696e2d69647036357836342e6c6f63616c646f6d61696e312e302c060355040 313255468652049 (3) Message-Authenticator = 0x09669b4642bdce77fe3a7d0359b7ac4f (3) State = 0x624e9873614a8d9244b62dd155e240a4 (3) Proxy-State = 0x30 (3) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (3) post-proxy { (3) eap: No pre-existing handler found (3) [eap] = noop (3) } # post-proxy = noop (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (3) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 917 (3) EAP-Message = 0x01040355158000000b0f12301006035504071309536f6d657768657265311830160603550 40a130f5468652049445020436f6d70616e79312e302c06092a864886f70d010901161f6164 6d696e406d61696e2d69647036357836342e6c6f63616c646f6d61696e312e302c060355040 313255468652049 (3) Message-Authenticator = 0x09669b4642bdce77fe3a7d0359b7ac4f (3) State = 0x624e9873614a8d9244b62dd155e240a4 (3) Finished request Waking up in 0.3 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=258 Waking up in 0.2 seconds. Thread 5 got semaphore Thread 5 handling request 4, (2 handled so far) (4) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 258 (4) User-Name = '@main-idp65x64.localdomain' (4) GSS-Acceptor-Service-Name = 'host' (4) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (4) EAP-Message = 0x0204008c150016030100461000004241044edefecb0a15e53b2fd6f654884ae6526574a22 008310394452ad36b69e663a430974d58930fc14dee399bbcadace6e32e09db92ed03f67781 26b6e67136bf84140301000101160301003069e526b5f5f44ab2b02cec69ee08ccccf2d3c75 3c154ab68150f70 (4) State = 0x624e9873614a8d9244b62dd155e240a4 (4) Message-Authenticator = 0xa0e6172a092f092ae70db1580f9f1751 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (4) authorize { (4) policy psk_authorize { (4) if (TLS-PSK-Identity) { (4) if (TLS-PSK-Identity) -> FALSE (4) } # policy psk_authorize = notfound (4) policy abfab_client_check { (4) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (4) EXPAND %{client:gss_acceptor_host_name} (4) --> (4) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (4) if ("%{client:trust_router_coi}") { (4) EXPAND %{client:trust_router_coi} (4) --> trapc65x64.localdomain (4) if ("%{client:trust_router_coi}") -> TRUE (4) if ("%{client:trust_router_coi}") { (4) update request { (4) EXPAND %{client:trust_router_coi} (4) --> trapc65x64.localdomain (4) Trust-Router-COI := "trapc65x64.localdomain" (4) } # update request = noop (4) } # if ("%{client:trust_router_coi}") = noop (4) if ("%{client:gss_acceptor_realm_name}") { (4) EXPAND %{client:gss_acceptor_realm_name} (4) --> main-rp65x64.localdomain (4) if ("%{client:gss_acceptor_realm_name}") -> TRUE (4) if ("%{client:gss_acceptor_realm_name}") { (4) update request { (4) EXPAND %{client:gss_acceptor_realm_name} (4) --> main-rp65x64.localdomain (4) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (4) } # update request = noop (4) } # if ("%{client:gss_acceptor_realm_name}") = noop (4) } # policy abfab_client_check = noop (4) policy filter_username { (4) if (!&User-Name) { (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) { (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # policy filter_username = noop (4) [preprocess] = ok (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (4) suffix: Found realm "main-idp65x64.localdomain" (4) suffix: Adding Realm = "main-idp65x64.localdomain" (4) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (4) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (4) [suffix] = updated (4) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (4) [eap] = noop (4) [expiration] = noop (4) [logintime] = noop (4) } # authorize = ok (4) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (4) Sent Access-Request Id 170 from 192.168.213.56:39779 to 192.168.213.24:2083 length 329 (4) User-Name = '@main-idp65x64.localdomain' (4) GSS-Acceptor-Service-Name = 'host' (4) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (4) EAP-Message = 0x0204008c150016030100461000004241044edefecb0a15e53b2fd6f654884ae6526574a22 008310394452ad36b69e663a430974d58930fc14dee399bbcadace6e32e09db92ed03f67781 26b6e67136bf84140301000101160301003069e526b5f5f44ab2b02cec69ee08ccccf2d3c75 3c154ab68150f70 (4) State = 0x624e9873614a8d9244b62dd155e240a4 (4) Message-Authenticator = 0xa0e6172a092f092ae70db1580f9f1751 (4) Trust-Router-COI := 'trapc65x64.localdomain' (4) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (4) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (4) NAS-IP-Address = 127.0.0.1 (4) Proxy-State = 0x30 Thread 5 waiting to be assigned a request (4) Received Access-Challenge Id 170 from 192.168.213.24:2083 to 192.168.213.56:39779 length 130 (4) EAP-Message = 0x0105004515800000003b140301000101160301003003c05dd1fc522ee506b71d52632ad1f 9351611cd071c429b2821f1694ab45ac2f0703b13877270383d7b6077b4ecb953 (4) Message-Authenticator = 0xcaa6eda1c3a5a258d463a899b28d5f55 (4) State = 0x624e9873664b8d9244b62dd155e240a4 (4) Proxy-State = 0x30 (4) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (4) post-proxy { (4) eap: No pre-existing handler found (4) [eap] = noop (4) } # post-proxy = noop (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (4) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 127 (4) EAP-Message = 0x0105004515800000003b140301000101160301003003c05dd1fc522ee506b71d52632ad1f 9351611cd071c429b2821f1694ab45ac2f0703b13877270383d7b6077b4ecb953 (4) Message-Authenticator = 0xcaa6eda1c3a5a258d463a899b28d5f55 (4) State = 0x624e9873664b8d9244b62dd155e240a4 (4) Finished request Waking up in 0.2 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=246 Waking up in 0.1 seconds. Thread 4 got semaphore Thread 4 handling request 5, (2 handled so far) (5) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 246 (5) User-Name = '@main-idp65x64.localdomain' (5) GSS-Acceptor-Service-Name = 'host' (5) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (5) EAP-Message = 0x02050080150017030100208b62ff2b3881902a380bc71904c7a8ef12b3abf37e258a37c26 6eeb8a0b7628a17030100509d8d77e1936ce65bc5a1cdd165bad9317d40782e6b62738c3e0a 54a065a2f77ef6c1ca5b62736bbd197ebd83bf7329c7dccb665fbcd37ae90b29b97e1ee16d8 8782851dcfded91 (5) State = 0x624e9873664b8d9244b62dd155e240a4 (5) Message-Authenticator = 0xcf9509b67ea4081fa1c3b8e42bd4acdc (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (5) authorize { (5) policy psk_authorize { (5) if (TLS-PSK-Identity) { (5) if (TLS-PSK-Identity) -> FALSE (5) } # policy psk_authorize = notfound (5) policy abfab_client_check { (5) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (5) EXPAND %{client:gss_acceptor_host_name} (5) --> (5) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (5) if ("%{client:trust_router_coi}") { (5) EXPAND %{client:trust_router_coi} (5) --> trapc65x64.localdomain (5) if ("%{client:trust_router_coi}") -> TRUE (5) if ("%{client:trust_router_coi}") { (5) update request { (5) EXPAND %{client:trust_router_coi} (5) --> trapc65x64.localdomain (5) Trust-Router-COI := "trapc65x64.localdomain" (5) } # update request = noop (5) } # if ("%{client:trust_router_coi}") = noop (5) if ("%{client:gss_acceptor_realm_name}") { (5) EXPAND %{client:gss_acceptor_realm_name} (5) --> main-rp65x64.localdomain (5) if ("%{client:gss_acceptor_realm_name}") -> TRUE (5) if ("%{client:gss_acceptor_realm_name}") { (5) update request { (5) EXPAND %{client:gss_acceptor_realm_name} (5) --> main-rp65x64.localdomain (5) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (5) } # update request = noop (5) } # if ("%{client:gss_acceptor_realm_name}") = noop (5) } # policy abfab_client_check = noop (5) policy filter_username { (5) if (!&User-Name) { (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) { (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # policy filter_username = noop (5) [preprocess] = ok (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (5) suffix: Found realm "main-idp65x64.localdomain" (5) suffix: Adding Realm = "main-idp65x64.localdomain" (5) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (5) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (5) [suffix] = updated (5) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (5) [eap] = noop (5) [expiration] = noop (5) [logintime] = noop (5) } # authorize = ok (5) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (5) Sent Access-Request Id 154 from 192.168.213.56:39779 to 192.168.213.24:2083 length 317 (5) User-Name = '@main-idp65x64.localdomain' (5) GSS-Acceptor-Service-Name = 'host' (5) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (5) EAP-Message = 0x02050080150017030100208b62ff2b3881902a380bc71904c7a8ef12b3abf37e258a37c26 6eeb8a0b7628a17030100509d8d77e1936ce65bc5a1cdd165bad9317d40782e6b62738c3e0a 54a065a2f77ef6c1ca5b62736bbd197ebd83bf7329c7dccb665fbcd37ae90b29b97e1ee16d8 8782851dcfded91 (5) State = 0x624e9873664b8d9244b62dd155e240a4 (5) Message-Authenticator = 0xcf9509b67ea4081fa1c3b8e42bd4acdc (5) Trust-Router-COI := 'trapc65x64.localdomain' (5) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (5) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (5) NAS-IP-Address = 127.0.0.1 (5) Proxy-State = 0x30 Thread 4 waiting to be assigned a request (5) Received Access-Challenge Id 154 from 192.168.213.24:2083 to 192.168.213.56:39779 length 140 (5) EAP-Message = 0x0106004f15800000004517030100407a9f331f46c728c130d7ba48c5241fba882601f45d0 6d3f751471eaf62b6e5d7197e99a5b0f427c4787bf0b772ae79a49b452755f0de9db606fa99 35556aa183 (5) Message-Authenticator = 0x1ba652c38efca358b6442b6462b25619 (5) State = 0x624e987367488d9244b62dd155e240a4 (5) Proxy-State = 0x30 (5) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (5) post-proxy { (5) eap: No pre-existing handler found (5) [eap] = noop (5) } # post-proxy = noop (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (5) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 137 (5) EAP-Message = 0x0106004f15800000004517030100407a9f331f46c728c130d7ba48c5241fba882601f45d0 6d3f751471eaf62b6e5d7197e99a5b0f427c4787bf0b772ae79a49b452755f0de9db606fa99 35556aa183 (5) Message-Authenticator = 0x1ba652c38efca358b6442b6462b25619 (5) State = 0x624e987367488d9244b62dd155e240a4 (5) Finished request Waking up in 0.1 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=278 Thread 3 got semaphore Thread 3 handling request 6, (2 handled so far) (6) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 278 (6) User-Name = '@main-idp65x64.localdomain' (6) GSS-Acceptor-Service-Name = 'host' (6) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (6) EAP-Message = 0x020600a015001703010020035dc5746d642d942c34504894241ffb3a4800d226236832a44 61b03e3f6e9a517030100700b145eddc20debb2bcb54c2f64ecf2d9821212b4a44fc84f25c6 e813f5262c60648ba8c2502a6bbe9ee9bc5e75e21cb0d892b91b3623c82afc4e39f02c03a2e 2b4ddcae0b8f120 (6) State = 0x624e987367488d9244b62dd155e240a4 (6) Message-Authenticator = 0x60af0ea3cd7ee5a210c95532f9b44dd7 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (6) authorize { (6) policy psk_authorize { (6) if (TLS-PSK-Identity) { (6) if (TLS-PSK-Identity) -> FALSE (6) } # policy psk_authorize = notfound (6) policy abfab_client_check { (6) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (6) EXPAND %{client:gss_acceptor_host_name} (6) --> (6) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (6) if ("%{client:trust_router_coi}") { (6) EXPAND %{client:trust_router_coi} (6) --> trapc65x64.localdomain (6) if ("%{client:trust_router_coi}") -> TRUE (6) if ("%{client:trust_router_coi}") { (6) update request { (6) EXPAND %{client:trust_router_coi} (6) --> trapc65x64.localdomain (6) Trust-Router-COI := "trapc65x64.localdomain" (6) } # update request = noop (6) } # if ("%{client:trust_router_coi}") = noop (6) if ("%{client:gss_acceptor_realm_name}") { (6) EXPAND %{client:gss_acceptor_realm_name} (6) --> main-rp65x64.localdomain (6) if ("%{client:gss_acceptor_realm_name}") -> TRUE (6) if ("%{client:gss_acceptor_realm_name}") { (6) update request { (6) EXPAND %{client:gss_acceptor_realm_name} (6) --> main-rp65x64.localdomain (6) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (6) } # update request = noop (6) } # if ("%{client:gss_acceptor_realm_name}") = noop (6) } # policy abfab_client_check = noop (6) policy filter_username { (6) if (!&User-Name) { (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) { (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # policy filter_username = noop (6) [preprocess] = ok (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (6) suffix: Found realm "main-idp65x64.localdomain" (6) suffix: Adding Realm = "main-idp65x64.localdomain" (6) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (6) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (6) [suffix] = updated (6) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (6) [eap] = noop (6) [expiration] = noop (6) [logintime] = noop (6) } # authorize = ok (6) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (6) Sent Access-Request Id 90 from 192.168.213.56:39779 to 192.168.213.24:2083 length 349 (6) User-Name = '@main-idp65x64.localdomain' (6) GSS-Acceptor-Service-Name = 'host' (6) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (6) EAP-Message = 0x020600a015001703010020035dc5746d642d942c34504894241ffb3a4800d226236832a44 61b03e3f6e9a517030100700b145eddc20debb2bcb54c2f64ecf2d9821212b4a44fc84f25c6 e813f5262c60648ba8c2502a6bbe9ee9bc5e75e21cb0d892b91b3623c82afc4e39f02c03a2e 2b4ddcae0b8f120 (6) State = 0x624e987367488d9244b62dd155e240a4 (6) Message-Authenticator = 0x60af0ea3cd7ee5a210c95532f9b44dd7 (6) Trust-Router-COI := 'trapc65x64.localdomain' (6) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (6) Event-Timestamp = 'Mar 20 2015 05:23:30 GMT' (6) NAS-IP-Address = 127.0.0.1 (6) Proxy-State = 0x30 Thread 3 waiting to be assigned a request (6) Received Access-Challenge Id 90 from 192.168.213.24:2083 to 192.168.213.56:39779 length 156 (6) EAP-Message = 0x0107005f1580000000551703010050bf16d2f6beb2090271610cf06e770074ca6ecbf231e a112a22626d10efdcf188d4a129afc427b50672c4313f97f2d3400c66bbb11a763460d64937 1f01ccbc85b29154d94f2481f90f1f893789394048 (6) Message-Authenticator = 0x6e0a470348ecb3579f412717030f788b (6) State = 0x624e987364498d9244b62dd155e240a4 (6) Proxy-State = 0x30 (6) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (6) post-proxy { (6) eap: No pre-existing handler found (6) [eap] = noop (6) } # post-proxy = noop (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp (6) Sent Access-Challenge Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 153 (6) EAP-Message = 0x0107005f1580000000551703010050bf16d2f6beb2090271610cf06e770074ca6ecbf231e a112a22626d10efdcf188d4a129afc427b50672c4313f97f2d3400c66bbb11a763460d64937 1f01ccbc85b29154d94f2481f90f1f893789394048 (6) Message-Authenticator = 0x6e0a470348ecb3579f412717030f788b (6) State = 0x624e987364498d9244b62dd155e240a4 (6) Finished request (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 47640, id=0, length=124 Thread 2 got semaphore Thread 2 handling request 7, (2 handled so far) (7) Received Access-Request Id 0 from 127.0.0.1:47640 to 0.0.0.0:2083 length 124 (7) User-Name = '@main-idp65x64.localdomain' (7) GSS-Acceptor-Service-Name = 'host' (7) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (7) EAP-Message = 0x020700061500 (7) State = 0x624e987364498d9244b62dd155e240a4 (7) Message-Authenticator = 0x012c910c69bf42cd6876c32bf8ffb696 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp (7) authorize { (7) policy psk_authorize { (7) if (TLS-PSK-Identity) { (7) if (TLS-PSK-Identity) -> FALSE (7) } # policy psk_authorize = notfound (7) policy abfab_client_check { (7) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") { (7) EXPAND %{client:gss_acceptor_host_name} (7) --> (7) if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") -> FALSE (7) if ("%{client:trust_router_coi}") { (7) EXPAND %{client:trust_router_coi} (7) --> trapc65x64.localdomain (7) if ("%{client:trust_router_coi}") -> TRUE (7) if ("%{client:trust_router_coi}") { (7) update request { (7) EXPAND %{client:trust_router_coi} (7) --> trapc65x64.localdomain (7) Trust-Router-COI := "trapc65x64.localdomain" (7) } # update request = noop (7) } # if ("%{client:trust_router_coi}") = noop (7) if ("%{client:gss_acceptor_realm_name}") { (7) EXPAND %{client:gss_acceptor_realm_name} (7) --> main-rp65x64.localdomain (7) if ("%{client:gss_acceptor_realm_name}") -> TRUE (7) if ("%{client:gss_acceptor_realm_name}") { (7) update request { (7) EXPAND %{client:gss_acceptor_realm_name} (7) --> main-rp65x64.localdomain (7) GSS-Acceptor-Realm-Name := "main-rp65x64.localdomain" (7) } # update request = noop (7) } # if ("%{client:gss_acceptor_realm_name}") = noop (7) } # policy abfab_client_check = noop (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = noop (7) [preprocess] = ok (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "main-idp65x64.localdomain" for User-Name = "@main-idp65x64.localdomain" (7) suffix: Found realm "main-idp65x64.localdomain" (7) suffix: Adding Realm = "main-idp65x64.localdomain" (7) suffix: Proxying request from user @main-idp65x64.localdomain to realm main-idp65x64.localdomain (7) suffix: Preparing to proxy authentication request to realm "main-idp65x64.localdomain" (7) [suffix] = updated (7) eap: Request is supposed to be proxied to Realm main-idp65x64.localdomain. Not doing EAP. (7) [eap] = noop (7) [expiration] = noop (7) [logintime] = noop (7) } # authorize = ok (7) Proxying request to home server 192.168.213.24 port 2083 (TLS) timeout 30.000000 (7) Sent Access-Request Id 105 from 192.168.213.56:39779 to 192.168.213.24:2083 length 195 (7) User-Name = '@main-idp65x64.localdomain' (7) GSS-Acceptor-Service-Name = 'host' (7) GSS-Acceptor-Host-Name = 'main-rp65x64.localdomain' (7) EAP-Message = 0x020700061500 (7) State = 0x624e987364498d9244b62dd155e240a4 (7) Message-Authenticator = 0x012c910c69bf42cd6876c32bf8ffb696 (7) Trust-Router-COI := 'trapc65x64.localdomain' (7) GSS-Acceptor-Realm-Name := 'main-rp65x64.localdomain' (7) Event-Timestamp = 'Mar 20 2015 05:23:31 GMT' (7) NAS-IP-Address = 127.0.0.1 (7) Proxy-State = 0x30 Thread 2 waiting to be assigned a request (7) Received Access-Accept Id 105 from 192.168.213.24:2083 to 192.168.213.56:39779 length 163 (7) MS-MPPE-Recv-Key = 0x5eb67478c6a7589f59f6c24ced7fecb1fc5c03c08b75fc643d035b4bf91c598e (7) MS-MPPE-Send-Key = 0xf4d8dfd23b3014ae7e20d695f9053bab4776789a6d445bcd80aaf2d49af6b802 (7) EAP-Message = 0x03070004 (7) Message-Authenticator = 0x7eab126e9bb769fd385c1b6ffdf805a7 (7) Proxy-State = 0x30 (7) # Executing section post-proxy from file /etc/raddb/sites-enabled/abfab-tr-idp (7) post-proxy { (7) eap: No pre-existing handler found (7) [eap] = noop (7) } # post-proxy = noop (7) Found Auth-Type = Accept (7) Auth-Type = Accept, accepting the user (7) # Executing section post-auth from file /etc/raddb/sites-enabled/abfab-tr-idp (7) post-auth { (7) [exec] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # post-auth = noop (7) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 127.0.0.1:47640 length 160 (7) MS-MPPE-Recv-Key = 0x5eb67478c6a7589f59f6c24ced7fecb1fc5c03c08b75fc643d035b4bf91c598e (7) MS-MPPE-Send-Key = 0xf4d8dfd23b3014ae7e20d695f9053bab4776789a6d445bcd80aaf2d49af6b802 (7) EAP-Message = 0x03070004 (7) Message-Authenticator = 0x7eab126e9bb769fd385c1b6ffdf805a7 (7) Finished request Closing TLS socket from client port 47640 (0) >>> TLS 1.0 Alert [length 0002], warning close_notify Client has closed connection Waking up in 3.9 seconds. (0) <done>: Cleaning up request packet ID 0 with timestamp +5 (1) <done>: Cleaning up request packet ID 0 with timestamp +5 (2) <done>: Cleaning up request packet ID 0 with timestamp +5 (3) <done>: Cleaning up request packet ID 0 with timestamp +5 (4) <done>: Cleaning up request packet ID 0 with timestamp +5 (5) <done>: Cleaning up request packet ID 0 with timestamp +5 (6) <done>: Cleaning up request packet ID 0 with timestamp +5 ... shutting down socket auth from client (127.0.0.1, 47640) -> (*, 2083, virtual-server=abfab-idp) (7) <done>: Cleaning up request packet ID 0 with timestamp +6 Waking up in 2.9 seconds. ... cleaning up socket auth from client (127.0.0.1, 47640) -> (*, 2083, virtual-server=abfab-idp) Ready to process requests
On Apr 1, 2015, at 11:50 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Probably because the home server name you used is a valid DNS name,
I ive you the output of this cnfiguration (authhost set to the home_server). You'll notice that authhost willhappily accept the home_server entry and then do its thing... Provided a secret has been provided in the 'realm' entry. The home_server entry contains an underscore (not a dot):
Ah... authhost can refer to a home_server. I hadn't seen that. I should probably remove that. There's no good reason for it. Alan DeKok.
Ah... authhost can refer to a home_server. I hadn't seen that. I should probably remove that. There's no good reason for it.
That'd be grand... Then these glitches don't happen anymore. :-) And configs will be saner. Of course, it might break other configs... But c'est la vie. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Home server pools, and home servers. This has been in the server since v2.0.0. The realm "accthost" config has been deprecated since 2008. :(
Can we please kill the old format then? If authhost shouldn't be used anymore, perhaps a hard line needs to be taken for 3.1.x now, and tell people in a message to use auth_pool + home_server for proxying... But, that said, thank you Alan^2 and Christopher for pointing in the right direction. I've now made it work, which should make life somewhat easier to document. I'll submit a small pull request for the proxy.conf (to point people at the TLS file for TLS-based realm proxying examples). Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
Since FR now supports TLS, how should I configure proxy.conf to specify that I want a specific realm to be handled over TLS (instead of the default UDP)? I can't find anything in the online docs (am happy to submit patches to improve this in 3.0.8 and later once I've tested that here).
example is waiting for you in the tls virtual server file :-) alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Stefan Paetow -
Teague, Christopher J.