Hello All, I started to play with FreeRADIUS v4 and i use the Dockerfile (Debian 11) in order to have the lastest FreeRADIUS v4 version (last commit id) running. The only thing i changed from the default configuration is the clients.conf file just to add my my source ip: ``` client test { ipaddr = 172.17.0.1 secret = testing123 } ``` I did a simple test with eapol_test with a fake account and it end with a seg fault. eapol_test -c v4_peap_user.conf -s testing123 -a 172.17.0.1 -M de:ad:be:ef:42:42 -N 30:s:00:11:22:33:44:55:UConnect -N4:x:c0a80001 v4_peap_user.conf: ``` network={ ssid="UConnect" key_mgmt=WPA-EAP eap=PEAP identity="testuser@testuser.ca" anonymous_identity="testuser@testuser.ca" password="strongestpasswordintheworld" phase2="autheap=MSCHAPV2" # # Uncomment the following to perform server certificate validation. # ca_cert="/etc/raddb/certs/ca.der" } ``` ``` (6.0) eap.peap - Virtual server (null) received request (6.0) eap.peap - EAP-Identity = "testuser@testuser.ca" (6.0) eap.peap - EAP-Type = PEAP (6.0) eap.peap - server (null) { CAUGHT SIGNAL: Segmentation fault Backtrace of last 2 frames: /opt/freeradius/lib/libfreeradius-util.so(fr_fault+0xe8)[0x7f6ea5a1106b] /lib/x86_64-linux-gnu/libpthread.so.0(+0x14140)[0x7f6ea5797140] No panic action set _EXIT(139) CALLED src/lib/util/debug.c[1052] ``` Not sure what happen exactly, but can it be a configuration issue or is it too early to start to test FreeRADIUS 4 ? Thanks Regards Fabrice ``` root@d8616b73313c:/opt/freeradius# ./sbin/radiusd -X Info : FreeRADIUS Version 4.0.0 Info : Copyright 1999-2022 The FreeRADIUS server project and contributors Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Info : PARTICULAR PURPOSE Info : You may redistribute copies of FreeRADIUS under the terms of the Info : GNU General Public License Info : For more information about these matters, see the file named COPYRIGHT Getting debug state failed: ptrace capability not set. If debugger detection is required run as root or: setcap cap_sys_ptrace+ep <path_to_binary> Info : Starting - reading configuration files ... Debug : Including dictionary file "/opt/freeradius/etc/raddb/dictionary" including configuration file /opt/freeradius/etc/raddb/radiusd.conf Including files in directory "/opt/freeradius/etc/raddb/template.d/" including configuration file /opt/freeradius/etc/raddb/template.d/default including configuration file /opt/freeradius/etc/raddb/clients.conf Including files in directory "/opt/freeradius/etc/raddb/mods-enabled/" including configuration file /opt/freeradius/etc/raddb/mods-enabled/always including configuration file /opt/freeradius/etc/raddb/mods-enabled/attr_filter including configuration file /opt/freeradius/etc/raddb/mods-enabled/cache_eap including configuration file /opt/freeradius/etc/raddb/mods-enabled/chap including configuration file /opt/freeradius/etc/raddb/mods-enabled/client including configuration file /opt/freeradius/etc/raddb/mods-enabled/delay including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail.log including configuration file /opt/freeradius/etc/raddb/mods-enabled/digest including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap_inner including configuration file /opt/freeradius/etc/raddb/mods-enabled/echo including configuration file /opt/freeradius/etc/raddb/mods-enabled/escape including configuration file /opt/freeradius/etc/raddb/mods-enabled/exec including configuration file /opt/freeradius/etc/raddb/mods-enabled/expr including configuration file /opt/freeradius/etc/raddb/mods-enabled/files including configuration file /opt/freeradius/etc/raddb/mods-enabled/linelog including configuration file /opt/freeradius/etc/raddb/mods-enabled/logintime including configuration file /opt/freeradius/etc/raddb/mods-enabled/mschap including configuration file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth including configuration file /opt/freeradius/etc/raddb/mods-enabled/pap including configuration file /opt/freeradius/etc/raddb/mods-enabled/passwd including configuration file /opt/freeradius/etc/raddb/mods-enabled/radutmp including configuration file /opt/freeradius/etc/raddb/mods-enabled/soh including configuration file /opt/freeradius/etc/raddb/mods-enabled/sradutmp including configuration file /opt/freeradius/etc/raddb/mods-enabled/stats including configuration file /opt/freeradius/etc/raddb/mods-enabled/unix including configuration file /opt/freeradius/etc/raddb/mods-enabled/unpack including configuration file /opt/freeradius/etc/raddb/mods-enabled/utf8 Including files in directory "/opt/freeradius/etc/raddb/policy.d/" including configuration file /opt/freeradius/etc/raddb/policy.d/abfab-tr including configuration file /opt/freeradius/etc/raddb/policy.d/accounting including configuration file /opt/freeradius/etc/raddb/policy.d/canonicalisation including configuration file /opt/freeradius/etc/raddb/policy.d/control including configuration file /opt/freeradius/etc/raddb/policy.d/cui including configuration file /opt/freeradius/etc/raddb/policy.d/debug including configuration file /opt/freeradius/etc/raddb/policy.d/dhcp including configuration file /opt/freeradius/etc/raddb/policy.d/eap including configuration file /opt/freeradius/etc/raddb/policy.d/filter including configuration file /opt/freeradius/etc/raddb/policy.d/operator-name including configuration file /opt/freeradius/etc/raddb/policy.d/tacacs including configuration file /opt/freeradius/etc/raddb/policy.d/time including configuration file /opt/freeradius/etc/raddb/policy.d/vendor Including files in directory "/opt/freeradius/etc/raddb/sites-enabled/" including configuration file /opt/freeradius/etc/raddb/sites-enabled/default Loaded module "process_radius" Loaded module "proto_radius" including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel Parsing security rules to bootstrap UID / GID / chroot / etc. main { prefix = /opt/freeradius security { allow_core_dumps = no allow_vulnerable_openssl = yes openssl_fips_mode = no } name = radiusd local_state_dir = "/opt/freeradius/var" run_dir = /opt/freeradius/var/run/radiusd } Parsing main configuration. main { server default { namespace = radius radius { Access-Request { log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } session { timeout = 15 max = 4096 } } } listen { type = Access-Request type = Status-Server transport = udp Loaded module "proto_radius_udp" udp { ipaddr = * port = 1812 networks { allow = 127/8 allow = 192.0.2/24 } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.068619887 idle_timeout = 60.068619887 nak_lifetime = 30.068619887 max_connections = 256 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } listen { type = Access-Request type = Status-Server transport = tcp Loaded module "proto_radius_tcp" tcp { ipaddr = * port = 1812 networks { allow = 127/8 allow = 192.0.2/24 } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 16.70678144 idle_timeout = 36.719805145 nak_lifetime = 37.379572924 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } listen { type = Accounting-Request transport = udp udp { ipaddr = * port = 1813 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 21.384014109 idle_timeout = 41.397037814 nak_lifetime = 42.056805593 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } } server inner-tunnel { namespace = radius radius { Access-Request { log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } session { timeout = 15 max = 4096 } } } listen { type = Access-Request transport = udp udp { ipaddr = 127.0.0.1 port = 18120 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 16.966142743 idle_timeout = 36.979166448 nak_lifetime = 37.638934227 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } } security { } sbin_dir = "/opt/freeradius/sbin" logdir = /opt/freeradius/var/log/radius radacctdir = /opt/freeradius/var/log/radius/radacct reverse_lookups = no hostname_lookups = yes max_request_time = 30 pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid debug_level = 0 max_requests = 16384 log { colourise = yes } resources { } thread pool { num_networks = 1 num_workers = 0 Setting thread.workers = 2 openssl_async_pool_init = 64 openssl_async_pool_max = 1024 } } Switching to configured log settings radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no dedup_authenticator = no secret = <<< secret >>> proto = * limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no dedup_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client test { ipaddr = 172.17.0.1 require_message_authenticator = no dedup_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debug state unknown (cap_sys_ptrace capability not set) systemd watchdog is disabled pre-suid-down capabilities: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep trigger { ... } subsection not found, triggers will be disabled #### Bootstrapping listeners #### client localhost { ipaddr = 192.0.2.1 require_message_authenticator = no dedup_authenticator = no secret = <<< secret >>> shortname = sample limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Creating Auth-Type = pap Creating Auth-Type = chap Creating Auth-Type = mschap Creating Auth-Type = digest Creating Auth-Type = ldap Creating Auth-Type = eap #### Bootstrapping modules #### modules { Loaded module "rlm_always" always reject { rcode = reject simulcount = 0 mpp = no } Bootstrapping module "reject" always fail { rcode = fail simulcount = 0 mpp = no } Bootstrapping module "fail" always ok { rcode = ok simulcount = 0 mpp = no } Bootstrapping module "ok" always handled { rcode = handled simulcount = 0 mpp = no } Bootstrapping module "handled" always invalid { rcode = invalid simulcount = 0 mpp = no } Bootstrapping module "invalid" always disallow { rcode = disallow simulcount = 0 mpp = no } Bootstrapping module "disallow" always notfound { rcode = notfound simulcount = 0 mpp = no } Bootstrapping module "notfound" always noop { rcode = noop simulcount = 0 mpp = no } Bootstrapping module "noop" always updated { rcode = updated simulcount = 0 mpp = no } Bootstrapping module "updated" Loaded module "rlm_attr_filter" attr_filter attr_filter.pre-proxy { filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy key = "%{Realm}" relaxed = no } attr_filter attr_filter.post-proxy { filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy key = "%{Realm}" relaxed = no } attr_filter attr_filter.access_reject { filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject key = "%{User-Name}" relaxed = no } attr_filter attr_filter.access_challenge { filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge key = "%{User-Name}" relaxed = no } attr_filter attr_filter.accounting_response { filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response key = "%{User-Name}" relaxed = no } Loaded module "rlm_cache" cache cache_eap { driver = rbtree Loaded module "rlm_cache_rbtree" key = "%{%{control.State}:-%{%{reply.State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } Bootstrapping module "cache_eap" Loaded module "rlm_chap" Loaded module "rlm_client" Loaded module "rlm_delay" delay { delay = 1.0 relative = no force_reschedule = no } Bootstrapping module "delay" delay delay_reject { delay = "%{%{reply.FreeRADIUS-Response-Delay}:-1}" relative = yes force_reschedule = no } Bootstrapping module "delay_reject" Loaded module "rlm_detail" detail { filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } detail auth_log { filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } detail reply_log { filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } detail pre_proxy_log { filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } detail post_proxy_log { filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } Loaded module "rlm_digest" Loaded module "rlm_eap" eap { require_identity_realm = nai type = md5 Loaded module "rlm_eap_md5" type = gtc Loaded module "rlm_eap_gtc" gtc { challenge = "Password: " auth_type = PAP } type = tls Loaded module "rlm_eap_tls" tls { tls = tls-common require_client_cert = yes include_length = yes } type = ttls Loaded module "rlm_eap_ttls" ttls { tls = tls-common virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } type = mschapv2 Loaded module "rlm_eap_mschapv2" mschapv2 { with_ntdomain_hack = no auth_type = mschap send_error = no } type = peap Loaded module "rlm_eap_peap" peap { tls = tls-common virtual_server = "inner-tunnel" soh = no require_client_cert = no } ignore_unknown_eap_types = no } Bootstrapping module "eap" eap inner-eap { require_identity_realm = nai default_eap_type = mschapv2 type = md5 type = gtc gtc { challenge = "Password: " auth_type = PAP } type = mschapv2 mschapv2 { with_ntdomain_hack = no auth_type = mschap send_error = no } type = tls tls { tls = tls-peer require_client_cert = yes include_length = yes } ignore_unknown_eap_types = no } Bootstrapping module "inner-eap" Loaded module "rlm_exec" exec echo { wait = yes program = "/bin/echo Tmp-String-0 := %{User-Name}" input_pairs = request output_pairs = reply shell_escape = yes env_inherit = no } Bootstrapping module "echo" Loaded module "rlm_escape" escape { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } Bootstrapping module "escape" exec { wait = yes input_pairs = request shell_escape = yes env_inherit = no timeout = 10 } Bootstrapping module "exec" Loaded module "rlm_expr" Bootstrapping module "expr" Loaded module "rlm_files" files { filename = /opt/freeradius/etc/raddb/mods-config/files/authorize acctusersfile = /opt/freeradius/etc/raddb/mods-config/files/accounting key = "%{%{Stripped-User-Name}:-%{User-Name}}" } Loaded module "rlm_linelog" linelog { destination = file delimiter = "\n" format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply.Packet-Type}:-default}" file { filename = /opt/freeradius/var/log/radius/linelog permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { server = localhost IPv4 address [127.0.0.1] port = 514 timeout = 7.284352243 } udp { server = localhost IPv4 address [127.0.0.1] port = 514 timeout = 4.749470769 } } linelog log_accounting { destination = file delimiter = "\n" format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" file { filename = /opt/freeradius/var/log/radius/linelog-accounting permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } Loaded module "rlm_logintime" logintime { minimum_timeout = 60 } Loaded module "rlm_mschap" mschap { normalise = yes use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind { retry_with_normalised_username = no } } Bootstrapping module "mschap" exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%(mschap:User-Name) --password=%{User-Password}" shell_escape = yes env_inherit = no } Bootstrapping module "ntlm_auth" Loaded module "rlm_pap" pap { normalise = yes } Loaded module "rlm_passwd" passwd etc_passwd { filename = /etc/passwd format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } Loaded module "rlm_radutmp" radutmp { filename = /opt/freeradius/var/log/radius/radutmp username = "%{User-Name}" check_with_nas = yes permissions = 384 caller_id = no } Loaded module "rlm_soh" soh { dhcp = yes } Bootstrapping module "soh" radutmp sradutmp { filename = /opt/freeradius/var/log/radius/sradutmp username = "%{User-Name}" check_with_nas = yes permissions = 420 caller_id = no } Loaded module "rlm_stats" stats { } Loaded module "rlm_unix" unix { } Bootstrapping module "unix" Creating attribute Unix-Group Loaded module "rlm_unpack" Bootstrapping module "unpack" Loaded module "rlm_utf8" } # modules #### Instantiating listeners #### Compiling policies in server default { ... } Compiling policies in - recv Access-Request {...} /opt/freeradius/etc/raddb/sites-enabled/default[795]: Ignoring "-sql" as the "sql" module is not enabled. /opt/freeradius/etc/raddb/sites-enabled/default[811]: Ignoring "-ldap" as the "ldap" module is not enabled. Compiling policies in - send Access-Accept {...} /opt/freeradius/etc/raddb/sites-enabled/default[1122]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - send Access-Challenge {...} Compiling policies in - send Access-Reject {...} /opt/freeradius/etc/raddb/sites-enabled/default[1239]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - recv Accounting-Request {...} Compiling policies in - send Accounting-Response {...} /opt/freeradius/etc/raddb/sites-enabled/default[1458]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - recv Status-Server {...} Compiling policies in - authenticate pap {...} Compiling policies in - authenticate chap {...} Compiling policies in - authenticate mschap {...} Compiling policies in - authenticate digest {...} Compiling policies in - authenticate ldap {...} /opt/freeradius/etc/raddb/sites-enabled/default[981]: Ignoring "-ldap" as the "ldap" module is not enabled. Compiling policies in - authenticate eap {...} Compiling policies in - accounting Start {...} Compiling policies in - accounting Stop {...} Compiling policies in - accounting Alive {...} Compiling policies in - accounting Accounting-On {...} Compiling policies in - accounting Accounting-Off {...} Compiling policies in - accounting Failed {...} /opt/freeradius/etc/raddb/sites-enabled/default[80]: radius { ... } section is unused Compiling policies in server inner-tunnel { ... } Compiling policies in - recv Access-Request {...} /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled. /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[134]: Ignoring "-ldap" as the "ldap" module is not enabled. Compiling policies in - send Access-Accept {...} /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[269]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - send Access-Reject {...} /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[304]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - authenticate pap {...} Compiling policies in - authenticate chap {...} Compiling policies in - authenticate mschap {...} Compiling policies in - authenticate eap {...} src/lib/server/virtual_servers.c[380]: radius { ... } section is unused #### Instantiating modules #### Instantiating module "attr_filter.access_challenge" Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge Instantiating module "attr_filter.access_reject" Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject Instantiating module "attr_filter.accounting_response" Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response Instantiating module "attr_filter.post-proxy" Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy Instantiating module "attr_filter.pre-proxy" Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy Instantiating module "auth_log" auth_log - 'User-Password' suppressed, will not appear in detail output Instantiating module "cache_eap" Instantiating module "chap" Instantiating module "detail" Instantiating module "digest" Instantiating module "disallow" Instantiating module "eap" Instantiating module "echo" Instantiating module "etc_passwd" Instantiating module "exec" Instantiating module "fail" Instantiating module "files" Reading file /opt/freeradius/etc/raddb/mods-config/files/authorize Reading file /opt/freeradius/etc/raddb/mods-config/files/accounting Instantiating module "handled" Instantiating module "inner-eap" inner-eap - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work Instantiating module "invalid" Instantiating module "linelog" Instantiating module "log_accounting" Instantiating module "logintime" Instantiating module "mschap" mschap - Using internal authentication Instantiating module "noop" Instantiating module "notfound" Instantiating module "ntlm_auth" Instantiating module "ok" Instantiating module "pap" Instantiating module "post_proxy_log" Instantiating module "pre_proxy_log" Instantiating module "reject" Instantiating module "reply_log" Instantiating module "stats" Instantiating module "updated" Instantiating module "cache_eap.rbtree" Instantiating module "eap.mschapv2" Instantiating module "eap.peap" tls-config tls-common { chain rsa { format = pem certificate_file = /opt/freeradius/etc/raddb/certs/rsa/server.pem private_key_password = <<< secret >>> private_key_file = /opt/freeradius/etc/raddb/certs/rsa/server.key ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem verify_mode = hard include_root_ca = no } verify_depth = 0 ca_path = /opt/freeradius/etc/raddb/certs ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem dh_file = /opt/freeradius/etc/raddb/certs/dh fragment_size = 1024 cipher_list = "DEFAULT" cipher_server_preference = yes allow_renegotiation = no ecdh_curve = prime256v1 tls_min_version = 1.200000 session { mode = auto name = "%{EAP-Type}%{Virtual-Server}" lifetime = 86400 require_extended_master_secret = yes require_perfect_forward_secrecy = no } verify { mode = all attribute_mode = client-and-issuer check_crl = no } } tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless" Instantiating module "eap.tls" tls - Using cached TLS configuration from previous invocation Instantiating module "eap.ttls" tls - Using cached TLS configuration from previous invocation Instantiating module "inner-eap.mschapv2" Instantiating module "inner-eap.tls" tls-config tls-peer { chain { format = pem certificate_file = /opt/freeradius/etc/raddb/certs/rsa/server.pem private_key_password = <<< secret >>> private_key_file = /opt/freeradius/etc/raddb/certs/rsa/server.key ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem verify_mode = hard include_root_ca = no } verify_depth = 0 ca_path = /opt/freeradius/etc/raddb/certs ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem dh_file = /opt/freeradius/etc/raddb/certs/dh fragment_size = 16384 cipher_server_preference = yes allow_renegotiation = no ecdh_curve = "prime256v1" tls_min_version = 1.200000 session { mode = auto name = "%{EAP-Type}%{Virtual-Server}" lifetime = 86400 require_extended_master_secret = yes require_perfect_forward_secrecy = no } verify { mode = all attribute_mode = client-and-issuer check_crl = no } } tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless" Scheduler created in single-threaded mode #### Opening listener interfaces #### Listening on radius_udp server * port 1812 bound to virtual server default Listening on radius_tcp server * port 1812 bound to virtual server default Listening on radius_udp server * port 1813 bound to virtual server default Listening on radius_udp server 127.0.0.1 port 18120 bound to virtual server inner-tunnel post-suid-down capabilities: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep Ready to process requests proto_radius_udp - Received Access-Request ID 0 length 182 radius_udp server * port 1812 Worker - Resetting cleanup timer to +30 (0) default { (0) Received Access-Request ID 0 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (0) User-Name = "testuser@testuser.ca" (0) Calling-Station-Id = "DE-AD-BE-EF-42-42" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Called-Station-Id = "00:11:22:33:44:55:UConnect" (0) NAS-IP-Address = 192.168.0.1 (0) EAP-Message = 0x02e100190174657374757365724074657374757365722e6361 (0) Message-Authenticator = 0x0974fe1b57a5e18d67d63ebca3cca28b (0) Packet-Type = Access-Request (0) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (0) recv Access-Request { (0) policy filter_username { (0) if (&State) { (0) ... (0) } (0) elsif (&User-Name) { (0) if (&User-Name =~ / /) { (0) ... (0) } (0) if (&User-Name =~ /@[^@]*@/ ) { (0) ... (0) } (0) if (&User-Name =~ /\.\./ ) { (0) ... (0) } (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (0) ... (0) } (0) if (&User-Name =~ /\.$/) { (0) ... (0) } (0) if (&User-Name =~ /@\./) { (0) ... (0) } (0) update session-state { (0) &Session-State-User-Name := &User-Name -> "testuser@testuser.ca" (0) } # update session-state (noop) (0) } # elsif (&User-Name) (noop) (0) } # policy filter_username (noop) (0) chap (noop) (0) mschap (noop) (0) digest (noop) (0) eap - Peer sent EAP Response (code 2) ID 225 length 25 (0) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (0) eap - Setting &control.Auth-Type = eap (0) eap (ok) (0) } # recv Access-Request (ok) (0) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (0) authenticate eap { (0) eap - New EAP session started (0) eap - Peer sent packet with EAP method Identity (1) (0) eap - Calling submodule eap_md5 (0) subrequest { (0.0) eap.md5 - Issuing MD5 Challenge (0.0) eap.md5 (handled) (0) subrequest - Resuming execution (0) } # subrequest (noop) (0) eap - Sending EAP Request (code 1) ID 226 length 22 (0) eap (handled) (0) } # authenticate eap (handled) (0) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default (0) send Access-Challenge { (0) attr_filter.access_challenge - EXPAND %{User-Name} (0) attr_filter.access_challenge - --> testuser@testuser.ca (0) attr_filter.access_challenge - --> testuser@testuser.ca (0) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (0) attr_filter.access_challenge.post-auth (updated) (0) handled (handled) (0) } # send Access-Challenge (handled) (0) radius - Saving &session-state (0) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca" (0) radius (ok) (0) } # default (ok) (0) Done request (0) Sending Access-Challenge ID 0 from 172.17.0.2:1812 to 172.17.0.1:49022 length 80 via socket radius_udp server * port 1812 (0) EAP-Message = 0x01e200160410cf1c6b1980299aa0d90419f575e2436d (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x01018d0013280e7289558d518d7bb3b9 (0) Packet-Type = Access-Challenge (0) Finished request proto_radius_udp - cleaning up request in 5.068620s proto_radius_udp - Received Access-Request ID 1 length 181 radius_udp server * port 1812 (1) default { (1) Received Access-Request ID 1 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (1) User-Name = "testuser@testuser.ca" (1) Calling-Station-Id = "DE-AD-BE-EF-42-42" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) Called-Station-Id = "00:11:22:33:44:55:UConnect" (1) NAS-IP-Address = 192.168.0.1 (1) EAP-Message = 0x02e200060319 (1) State = 0x01018d0013280e7289558d518d7bb3b9 (1) Message-Authenticator = 0x497720a6d791a595ceaa6044754cf031 (1) Packet-Type = Access-Request (1) Restored &session-state (1) &session-state.Session-State-User-Name = "testuser@testuser.ca" (1) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (1) recv Access-Request { (1) policy filter_username { (1) if (&State) { (1) if (&User-Name) { (1) if (!&session-state.Session-State-User-Name) { (1) ... (1) } (1) if (&User-Name != &session-state.Session-State-User-Name) { (1) ... (1) } (1) } # if (&User-Name) (noop) (1) } # if (&State) (noop) (1) } # policy filter_username (noop) (1) chap (noop) (1) mschap (noop) (1) digest (noop) (1) eap - Peer sent EAP Response (code 2) ID 226 length 6 (1) eap - Continuing on-going EAP conversation (1) eap - Setting &control.Auth-Type = eap (1) eap (updated) (1) files - EXPAND %{Stripped-User-Name} (1) files - --> (1) files - EXPAND %{User-Name} (1) files - --> testuser@testuser.ca (1) files - EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (1) files - --> testuser@testuser.ca (1) files (noop) (1) policy expiration { (1) if (&control.Expiration) { (1) ... (1) } (1) } # policy expiration (updated) (1) logintime (noop) (1) pap (noop) (1) } # recv Access-Request (updated) (1) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (1) authenticate eap { (1) eap - Continuing EAP session (1) eap - Peer sent packet with EAP method NAK (3) (1) eap - Calling submodule eap_peap (1) subrequest { (1.0) eap.peap - Initiating new TLS session (1.0) eap.peap - EXPAND %{EAP-Type} (1.0) eap.peap - --> PEAP (1.0) eap.peap - EXPAND %{Virtual-Server} (1.0) eap.peap - --> (1.0) eap.peap (handled) (1) subrequest - Resuming execution (1) } # subrequest (noop) (1) eap - Sending EAP Request (code 1) ID 227 length 6 (1) eap (handled) (1) } # authenticate eap (handled) (1) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default (1) send Access-Challenge { (1) attr_filter.access_challenge - EXPAND %{User-Name} (1) attr_filter.access_challenge - --> testuser@testuser.ca (1) attr_filter.access_challenge - --> testuser@testuser.ca (1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (1) attr_filter.access_challenge.post-auth (updated) (1) handled (handled) (1) } # send Access-Challenge (handled) (1) radius - Saving &session-state (1) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca" (1) radius (ok) (1) } # default (ok) (1) Done request (1) Sending Access-Challenge ID 1 from 172.17.0.2:1812 to 172.17.0.1:49022 length 64 via socket radius_udp server * port 1812 (1) EAP-Message = 0x01e300061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x02038d008bd3a65c89558d518d7bb3b9 (1) Packet-Type = Access-Challenge (1) Finished request proto_radius_udp - cleaning up request in 5.068620s proto_radius_udp - Received Access-Request ID 2 length 375 radius_udp server * port 1812 (2) default { (2) Received Access-Request ID 2 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (2) User-Name = "testuser@testuser.ca" (2) Calling-Station-Id = "DE-AD-BE-EF-42-42" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) Called-Station-Id = "00:11:22:33:44:55:UConnect" (2) NAS-IP-Address = 192.168.0.1 (2) EAP-Message = 0x02e300c81980000000be16030100b9010000b5030340c75eff9a2146e20efd7538a0308ec6ed2d6df3a09d48d5f53abb65ccdaf553000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (2) State = 0x02038d008bd3a65c89558d518d7bb3b9 (2) Message-Authenticator = 0xf0aedc9cd95dfc616efb7c16b85ac4ca (2) Packet-Type = Access-Request (2) Restored &session-state (2) &session-state.Session-State-User-Name = "testuser@testuser.ca" (2) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (2) recv Access-Request { (2) policy filter_username { (2) if (&State) { (2) if (&User-Name) { (2) if (!&session-state.Session-State-User-Name) { (2) ... (2) } (2) if (&User-Name != &session-state.Session-State-User-Name) { (2) ... (2) } (2) } # if (&User-Name) (noop) (2) } # if (&State) (noop) (2) } # policy filter_username (noop) (2) chap (noop) (2) mschap (noop) (2) digest (noop) (2) eap - Peer sent EAP Response (code 2) ID 227 length 200 (2) eap - Continuing tunnel setup (2) eap - Setting &control.Auth-Type = eap (2) eap (ok) (2) } # recv Access-Request (ok) (2) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (2) authenticate eap { (2) eap - Continuing EAP session (2) eap - Peer sent packet with EAP method PEAP (25) (2) eap - Calling submodule eap_peap (2) subrequest { (2.0) eap.peap - Continuing EAP-TLS (2.0) eap.peap - Peer indicated complete TLS record size will be 190 bytes (2.0) eap.peap - Got complete TLS record, with length field (190 bytes) (2.0) eap.peap - [eap-tls verify] = complete (2.0) Handshake state - before SSL initialization (0) (2.0) Handshake state - Server before SSL initialization (0) (2.0) Handshake state - Server before SSL initialization (0) (2.0) <<< recv TLS 1.3, handshake[length 185], client_hello (2.0) Allowing future session-resumption (2.0) Handshake state - Server SSLv3/TLS read client hello (20) (2.0) >>> send TLS 1.2, handshake[length 61], server_hello (2.0) Handshake state - Server SSLv3/TLS write server hello (22) (2.0) >>> send TLS 1.2, handshake[length 1397], certificate (2.0) Handshake state - Server SSLv3/TLS write certificate (23) (2.0) >>> send TLS 1.2, handshake[length 333], server_key_exchange (2.0) Handshake state - Server SSLv3/TLS write key exchange (24) (2.0) >>> send TLS 1.2, handshake[length 4], server_hello_done (2.0) Handshake state - Server SSLv3/TLS write server done (26) (2.0) Need more data from client (2.0) SSL_read (tls_session_async_handshake_cont) - SSL_ERROR_WANT_READ (2) (2.0) Complete TLS record (1815 bytes) larger than MTU (990 bytes), will fragment (2.0) Sending first TLS record fragment (990 bytes), 825 bytes remaining (2.0) eap.peap - [eap-tls process] = handled (2.0) eap.peap (handled) (2) subrequest - Resuming execution (2) } # subrequest (noop) (2) eap - Sending EAP Request (code 1) ID 228 length 1000 (2) eap (handled) (2) } # authenticate eap (handled) (2) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default (2) send Access-Challenge { (2) attr_filter.access_challenge - EXPAND %{User-Name} (2) attr_filter.access_challenge - --> testuser@testuser.ca (2) attr_filter.access_challenge - --> testuser@testuser.ca (2) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (2) attr_filter.access_challenge.post-auth (updated) (2) handled (handled) (2) } # send Access-Challenge (handled) (2) radius - Saving &session-state (2) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca" (2) radius (ok) (2) } # default (ok) (2) Done request (2) Sending Access-Challenge ID 2 from 172.17.0.2:1812 to 172.17.0.1:49022 length 1064 via socket radius_udp server * port 1812 (2) EAP-Message = 0x01e403e819c000000717160303003d020000390303d477d2cab8c6e912f6ef31ac9b07c9c80d7ba2779e10ab73444f574e4752440100c030000011ff01000100000b0004030001020017000016030305750b00057100056e00056b308205673082044fa003020102020101300d06092a864886f70d01010b0500308192310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531143012060355040a0c0b4578616d706c6520496e633120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303431323134303733385a170d3232303631313134303733385a307b310b3009060355040613024652310f300d06035504080c0652616469757331143012060355040a0c0b4578616d706c6520496e633123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e2eae82feaa1c197c639331ba5b8dd5320f9a880088620953e3bceb947e3df8192158f5ee6544cc63104c322da2f345ea14c23892f10cdfb888707e06e0b968be0f322858e5c0c30811986d836886b88b210bd23fcb8eae1a2ff65608d1c799927a4dfaf5401e9b793698ab6ff9193fdf193d18e972b89adb1c07d8f1be784e7d8540fe70bfa8a23bb6cea24aec8a7611c6121b1fd4550fbd927595b66038f972be2508ee3e9cb8ec388e9fa7ea7ff4ef6284767d66ea3cf9c56f31480ae767300aba7e448d1b8158f354023508eac4e9e8dd8643229620e09ff1d74001dc4302ee4d343d49c52bf7b66d54cecf9b232fb46e78a31087f39bb2a8d7b6a139b6d0203010001a38201dc308201d8301d0603551d0e0416041431dc74562239f150d15fd33ce06d6189473c69f63081d20603551d230481ca3081c780147ddde3d24fb7f2c6258d40079b632740a6d36deda18198a48195308192310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531143012060355040a0c0b4578616d706c6520496e633120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982146a1367d2f5e1005ae876ac00c9def9da9e3c943830090603551d1304023000300b0603551d0f0404030205e0301d (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x03018d0013280e7289558d518d7bb3b9 (2) Packet-Type = Access-Challenge (2) Finished request proto_radius_udp - cleaning up request in 5.068620s proto_radius_udp - Received Access-Request ID 3 length 181 radius_udp server * port 1812 (3) default { (3) Received Access-Request ID 3 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (3) User-Name = "testuser@testuser.ca" (3) Calling-Station-Id = "DE-AD-BE-EF-42-42" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) Called-Station-Id = "00:11:22:33:44:55:UConnect" (3) NAS-IP-Address = 192.168.0.1 (3) EAP-Message = 0x02e400061900 (3) State = 0x03018d0013280e7289558d518d7bb3b9 (3) Message-Authenticator = 0x6828bc2a6be551813cfe294e29a7817d (3) Packet-Type = Access-Request (3) Restored &session-state (3) &session-state.Session-State-User-Name = "testuser@testuser.ca" (3) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (3) recv Access-Request { (3) policy filter_username { (3) if (&State) { (3) if (&User-Name) { (3) if (!&session-state.Session-State-User-Name) { (3) ... (3) } (3) if (&User-Name != &session-state.Session-State-User-Name) { (3) ... (3) } (3) } # if (&User-Name) (noop) (3) } # if (&State) (noop) (3) } # policy filter_username (noop) (3) chap (noop) (3) mschap (noop) (3) digest (noop) (3) eap - Peer sent EAP Response (code 2) ID 228 length 6 (3) eap - Continuing tunnel setup (3) eap - Setting &control.Auth-Type = eap (3) eap (ok) (3) } # recv Access-Request (ok) (3) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (3) authenticate eap { (3) eap - Continuing EAP session (3) eap - Peer sent packet with EAP method PEAP (25) (3) eap - Calling submodule eap_peap (3) subrequest { (3.0) eap.peap - Continuing EAP-TLS (3.0) eap.peap - Peer ACKed our handshake fragment (3.0) eap.peap - [eap-tls verify] = request (3.0) eap.peap - Sending final TLS record fragment (825 bytes) (3.0) eap.peap - [eap-tls process] = handled (3.0) eap.peap (handled) (3) subrequest - Resuming execution (3) } # subrequest (noop) (3) eap - Sending EAP Request (code 1) ID 229 length 831 (3) eap (handled) (3) } # authenticate eap (handled) (3) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default (3) send Access-Challenge { (3) attr_filter.access_challenge - EXPAND %{User-Name} (3) attr_filter.access_challenge - --> testuser@testuser.ca (3) attr_filter.access_challenge - --> testuser@testuser.ca (3) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (3) attr_filter.access_challenge.post-auth (updated) (3) handled (handled) (3) } # send Access-Challenge (handled) (3) radius - Saving &session-state (3) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca" (3) radius (ok) (3) } # default (ok) (3) Done request (3) Sending Access-Challenge ID 3 from 172.17.0.2:1812 to 172.17.0.1:49022 length 895 via socket radius_udp server * port 1812 (3) EAP-Message = 0x01e5033f19000603551d250416301406082b0601050507030106082b0601050507030e30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c303706082b06010505070101042b3029302706082b06010505073001861b687474703a2f2f7777772e6578616d706c652e6f72672f6f637370303a0603551d110433303182127261646975732e6578616d706c652e6f7267a01b06082b06010505070808a00f0c0d2a2e6578616d706c652e636f6d300d06092a864886f70d01010b05000382010100678d89096e6b3e48248e71e584e9faf3aa8098dd75bf170fb9cb754086997897441c3e72dee297dfa73c153d203c2eda6a06d403b12732d3ac8f7bbf64c20c3be5a9580892abc692368bf68b3cc31bf41a175cf374e0d3bcef0f9fcda4bda7b33544c7e5a4170bb3345bf5f385a54ae974fb97c862dcc35ea0f116efedcc7ac4b89bc2db453dada5ba77f16d5c8b9c5dbd2e8dfb65400cc3f1e14ad9789a83ba32fc6304f7f4f07ad99f3a73cd4faab8cc2131e9b906a46395530d28b0ec95148f7a210853bdfa024623c6ecb41d5c9f20cf27b56a8d40885d7fd81afe4aef185e58819100ac5aee5e20c08333dbad3e16750472614ca278405106d1986fa3f4160303014d0c000149030017410476028412e9b00c2630154399c78ae7b787ed8f87e0a714cbe3b3dc73651afbbe104b6b0e49f83cf27fec9379764f4bab6ba48ca1dc415068fd1bd69e671a421e0804010049f912f96ead536a287d6ff62c6bdf45cf0671b73f530402157bc31789aa3352ac7d72803bc668fee51eb8a6c01eb064f51c003a34284e120f5d856b50c705050c0c04b126f5783f5ac4b7f137109225c2da4cd612e8ace939012af571bc0acc70f25d4dfcdd52c5f741ace11c7cba85e3c0920b935fe920a54db3b056c7434f21a0e4b14cff035d445ff2ceca367a6446120dff3e1aa93190360d07a22cb9bf9503255989d9fd4459fd20486ed1af4082df96acd9516b2c6c4c4e1d57af8675796d98c09424751707adcfb9871438aac2527d1edcfc402c6b08ba52c4b196fffda00564b7d6cfe8c5875e6119914bada29860db0bd4ad3cf5cf75851a5aaeed16030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x04078d008bd3a65c89558d518d7bb3b9 (3) Packet-Type = Access-Challenge (3) Finished request proto_radius_udp - cleaning up request in 5.068620s proto_radius_udp - Received Access-Request ID 4 length 311 radius_udp server * port 1812 (4) default { (4) Received Access-Request ID 4 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (4) User-Name = "testuser@testuser.ca" (4) Calling-Station-Id = "DE-AD-BE-EF-42-42" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) Called-Station-Id = "00:11:22:33:44:55:UConnect" (4) NAS-IP-Address = 192.168.0.1 (4) EAP-Message = 0x02e5008819800000007e1603030046100000424104af5f0fd9357c5f1ef85c44412ded07130f03214653071decbdd2423cb8d921a4f1fc02b262f63b1ac40dee0720d86e6327a0240932586a76dd4827c434e3bf0e1403030001011603030028f54dfcc389a7197acb64f4cac2ddd2e4602d8a8909d86a71b151adc37da7fa6fbf1625581506cb05 (4) State = 0x04078d008bd3a65c89558d518d7bb3b9 (4) Message-Authenticator = 0x5321739cd526678d61b3d552e3ea2aa0 (4) Packet-Type = Access-Request (4) Restored &session-state (4) &session-state.Session-State-User-Name = "testuser@testuser.ca" (4) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (4) recv Access-Request { (4) policy filter_username { (4) if (&State) { (4) if (&User-Name) { (4) if (!&session-state.Session-State-User-Name) { (4) ... (4) } (4) if (&User-Name != &session-state.Session-State-User-Name) { (4) ... (4) } (4) } # if (&User-Name) (noop) (4) } # if (&State) (noop) (4) } # policy filter_username (noop) (4) chap (noop) (4) mschap (noop) (4) digest (noop) (4) eap - Peer sent EAP Response (code 2) ID 229 length 136 (4) eap - Continuing tunnel setup (4) eap - Setting &control.Auth-Type = eap (4) eap (ok) (4) } # recv Access-Request (ok) (4) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (4) authenticate eap { (4) eap - Continuing EAP session (4) eap - Peer sent packet with EAP method PEAP (25) (4) eap - Calling submodule eap_peap (4) subrequest { (4.0) eap.peap - Continuing EAP-TLS (4.0) eap.peap - Peer indicated complete TLS record size will be 126 bytes (4.0) eap.peap - Got complete TLS record, with length field (126 bytes) (4.0) eap.peap - [eap-tls verify] = complete (4.0) Handshake state - Server SSLv3/TLS write server done (26) (4.0) <<< recv TLS 1.2, handshake[length 70], client_key_exchange (4.0) Handshake state - Server SSLv3/TLS read client key exchange (28) (4.0) Handshake state - Server SSLv3/TLS read change cipher spec (31) (4.0) <<< recv TLS 1.2, handshake[length 16], finished (4.0) Handshake state - Server SSLv3/TLS read finished (32) (4.0) >>> send TLS 1.2, change_cipher_spec[length 1] (4.0) Handshake state - Server SSLv3/TLS write change cipher spec (35) (4.0) >>> send TLS 1.2, handshake[length 16], finished (4.0) Handshake state - Server SSLv3/TLS write finished (36) (4.0) Handshake state - SSL negotiation finished successfully (1) (4.0) SSL_read (tls_session_async_handshake_cont) - SSL_ERROR_WANT_READ (2) (4.0) Cipher suite: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD (4.0) Adding TLS session information to request (4.0) &session-state.TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4.0) &session-state.TLS-Session-Version := "TLS 1.2" (4.0) Sending complete TLS record (51 bytes) (4.0) eap.peap - [eap-tls process] = handled (4.0) eap.peap (handled) (4) subrequest - Resuming execution (4) } # subrequest (noop) (4) eap - Sending EAP Request (code 1) ID 230 length 57 (4) eap (handled) (4) } # authenticate eap (handled) (4) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default (4) send Access-Challenge { (4) attr_filter.access_challenge - EXPAND %{User-Name} (4) attr_filter.access_challenge - --> testuser@testuser.ca (4) attr_filter.access_challenge - --> testuser@testuser.ca (4) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (4) attr_filter.access_challenge.post-auth (updated) (4) handled (handled) (4) } # send Access-Challenge (handled) (4) radius - Saving &session-state (4) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca" (4) radius (ok) (4) } # default (ok) (4) Done request (4) Sending Access-Challenge ID 4 from 172.17.0.2:1812 to 172.17.0.1:49022 length 115 via socket radius_udp server * port 1812 (4) EAP-Message = 0x01e600391900140303000101160303002855e89feef9aefa2d98c2a520be9d5ba60e5becc07fd359d0f164a8ac94bb6c198ab372d7cf082a1f (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x05018d0013280e7289558d518d7bb3b9 (4) Packet-Type = Access-Challenge (4) Finished request proto_radius_udp - cleaning up request in 5.068620s proto_radius_udp - Received Access-Request ID 5 length 181 radius_udp server * port 1812 (5) default { (5) Received Access-Request ID 5 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (5) User-Name = "testuser@testuser.ca" (5) Calling-Station-Id = "DE-AD-BE-EF-42-42" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) Called-Station-Id = "00:11:22:33:44:55:UConnect" (5) NAS-IP-Address = 192.168.0.1 (5) EAP-Message = 0x02e600061900 (5) State = 0x05018d0013280e7289558d518d7bb3b9 (5) Message-Authenticator = 0xaa9bd0de2ab4c9a24039a10d8964adf3 (5) Packet-Type = Access-Request (5) Restored &session-state (5) &session-state.Session-State-User-Name = "testuser@testuser.ca" (5) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (5) recv Access-Request { (5) policy filter_username { (5) if (&State) { (5) if (&User-Name) { (5) if (!&session-state.Session-State-User-Name) { (5) ... (5) } (5) if (&User-Name != &session-state.Session-State-User-Name) { (5) ... (5) } (5) } # if (&User-Name) (noop) (5) } # if (&State) (noop) (5) } # policy filter_username (noop) (5) chap (noop) (5) mschap (noop) (5) digest (noop) (5) eap - Peer sent EAP Response (code 2) ID 230 length 6 (5) eap - Continuing tunnel setup (5) eap - Setting &control.Auth-Type = eap (5) eap (ok) (5) } # recv Access-Request (ok) (5) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (5) authenticate eap { (5) eap - Continuing EAP session (5) eap - Peer sent packet with EAP method PEAP (25) (5) eap - Calling submodule eap_peap (5) subrequest { (5.0) eap.peap - Continuing EAP-TLS (5.0) eap.peap - Peer ACKed our handshake fragment. handshake is finished (5.0) eap.peap - [eap-tls verify] = established (5.0) eap.peap - [eap-tls process] = established (5.0) eap.peap - Session established. Decoding tunneled data (5.0) eap.peap - PEAP state TUNNEL ESTABLISHED (5.0) eap.peap - TLS application data to encrypt (5 bytes) (5.0) eap.peap - Sending complete TLS record (34 bytes) (5.0) eap.peap (handled) (5) subrequest - Resuming execution (5) } # subrequest (noop) (5) eap - Sending EAP Request (code 1) ID 231 length 40 (5) eap (handled) (5) } # authenticate eap (handled) (5) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default (5) send Access-Challenge { (5) attr_filter.access_challenge - EXPAND %{User-Name} (5) attr_filter.access_challenge - --> testuser@testuser.ca (5) attr_filter.access_challenge - --> testuser@testuser.ca (5) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (5) attr_filter.access_challenge.post-auth (updated) (5) handled (handled) (5) } # send Access-Challenge (handled) (5) radius - Saving &session-state (5) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca" (5) radius (ok) (5) } # default (ok) (5) Done request (5) Sending Access-Challenge ID 5 from 172.17.0.2:1812 to 172.17.0.1:49022 length 98 via socket radius_udp server * port 1812 (5) EAP-Message = 0x01e700281900170303001d55e89feef9aefa2eddf781269ef2298c0b711bd2d99a629cc468e62cca (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x06038d008bd3a65c89558d518d7bb3b9 (5) Packet-Type = Access-Challenge (5) Finished request proto_radius_udp - cleaning up request in 5.068620s proto_radius_udp - Received Access-Request ID 6 length 231 radius_udp server * port 1812 (6) default { (6) Received Access-Request ID 6 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0 (6) User-Name = "testuser@testuser.ca" (6) Calling-Station-Id = "DE-AD-BE-EF-42-42" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) Called-Station-Id = "00:11:22:33:44:55:UConnect" (6) NAS-IP-Address = 192.168.0.1 (6) EAP-Message = 0x02e700381900170303002df54dfcc389a7197b019fe17a87ecd0b81c18c14ca1e4037c6fe4b296706a65ddb4acef536fc00eb2744373cacb (6) State = 0x06038d008bd3a65c89558d518d7bb3b9 (6) Message-Authenticator = 0xf56634caef4bef32092ba0e149273533 (6) Packet-Type = Access-Request (6) Restored &session-state (6) &session-state.Session-State-User-Name = "testuser@testuser.ca" (6) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default (6) recv Access-Request { (6) policy filter_username { (6) if (&State) { (6) if (&User-Name) { (6) if (!&session-state.Session-State-User-Name) { (6) ... (6) } (6) if (&User-Name != &session-state.Session-State-User-Name) { (6) ... (6) } (6) } # if (&User-Name) (noop) (6) } # if (&State) (noop) (6) } # policy filter_username (noop) (6) chap (noop) (6) mschap (noop) (6) digest (noop) (6) eap - Peer sent EAP Response (code 2) ID 231 length 56 (6) eap - Continuing tunnel setup (6) eap - Setting &control.Auth-Type = eap (6) eap (ok) (6) } # recv Access-Request (ok) (6) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default (6) authenticate eap { (6) eap - Continuing EAP session (6) eap - Peer sent packet with EAP method PEAP (25) (6) eap - Calling submodule eap_peap (6) subrequest { (6.0) eap.peap - Continuing EAP-TLS (6.0) eap.peap - Got complete TLS record (50 bytes) (6.0) eap.peap - [eap-tls verify] = complete (6.0) eap.peap - Decrypted TLS application data (21 bytes) (6.0) eap.peap - [eap-tls process] = complete (6.0) eap.peap - Session established. Decoding tunneled data (6.0) eap.peap - PEAP state WAITING FOR INNER IDENTITY (6.0) eap.peap - Received EAP-Identity-Response (6.0) eap.peap - Got inner identity "testuser@testuser.ca" (6.0) eap.peap - Got tunneled request (6.0) eap.peap - EAP-Message = 0x02e700190174657374757365724074657374757365722e6361 (6.0) eap.peap - Setting &request.User-Name from tunneled (inner) identity "testuser@testuser.ca" (6.0) eap.peap - Running request through virtual server "(null)" (6.0) eap.peap - Virtual server (null) received request (6.0) eap.peap - EAP-Identity = "testuser@testuser.ca" (6.0) eap.peap - EAP-Type = PEAP (6.0) eap.peap - server (null) { CAUGHT SIGNAL: Segmentation fault Backtrace of last 2 frames: /opt/freeradius/lib/libfreeradius-util.so(fr_fault+0xe8)[0x7f6ea5a1106b] /lib/x86_64-linux-gnu/libpthread.so.0(+0x14140)[0x7f6ea5797140] No panic action set _EXIT(139) CALLED src/lib/util/debug.c[1052] ``` Fabrice Durand Software Engineer Principal Office: +1.514.447.4918Akamai Technologies 7000 Parc Avenue Montreal, QC H3N1X1 Canada Connect with Us:
On Apr 20, 2022, at 3:30 PM, Fabrice Durand <fdurand@inverse.ca> wrote:
I started to play with FreeRADIUS v4 and i use the Dockerfile (Debian 11) in order to have the lastest FreeRADIUS v4 version (last commit id) running.
The only thing i changed from the default configuration is the clients.conf file just to add my my source ip: ... (6.0) eap.peap - Virtual server (null) received request
PEAP / TTLS / FAST don't yet work. They require some more architectural changes, unfortunately.
Not sure what happen exactly, but can it be a configuration issue or is it too early to start to test FreeRADIUS 4 ?
Still too early for some things. Alan DeKok.
participants (2)
-
Alan DeKok -
Fabrice Durand