Simultaneous-Use and UserName sent from NAS
Hello All, I am want to enable Simultaneous-Use for our users. I have been stuck for many many days trying to figure this out, any help is greatly appreciated. This is my first time posting, so sorry if my netiquette is not correct I. Configuration of System: FreeRADIUS Version 2.1.1, built on May 9 2010 at 12:09:29 Novell SUSE Linux Enterprise Server 11 SP1 Cisco Wireless AP's Cisco Wireless Controller - Cisco 4400 Series Authentication using Novell e-Directory LDAP Protocol - EAP-PEAP MSCHAPV2 mysql 5.0.67 is installed and radius database is created with correct schema II. Description: I am using Free Radius to authenticate Wireless Users. Users are authenticated to the SSID by entering in their LDAP Username/Password (stored in Novell e-Directory) The users are using the standard WPA2 client on Windows machines (with the EAP-PEAP MSCHAPv2 Protocol) In addition, I have enabled checkval module to Check for Valid MAC Addresses & DialupAccess=TRUE III. Problem: In looking at the debug logs, randomly generated UserName Accounting-Request packets are being sent from the NAS to the FreeRADIUS, before and after the successful authentication of the UserName (ziggy) using the EAP-PEAP-MSCHAPV2 protocol (during which time the correct UserName is sent by NAS). When I issue the radwho command or look at the RADACCT tables, I see the randomly generated UserNames in both tables. But when I check in the radpostauth table, I see the UserName (Ziggy) in it. vm-32laars:/var/tmp # radwho Login Name What TTY When From Location 8c58770ca7 8c58770ca708 shell S29 Wed 10:55 10.32.156.5 vm-32laars:/var/tmp # radwho Login Name What TTY When From Location d830628b05 d830628b050e shell S29 Wed 10:56 10.32.156.5 mysql> select * from radpostauth; +----+-----------+---------+---------------+---------------------+ | id | username | pass | reply | authdate | +----+-----------+---------+---------------+---------------------+ | 28 | ziggy | | Access-Accept | 2011-06-08 10:54:22 | +----+-----------+---------+---------------+---------------------+ mysql> select * from radacct order by RadAcctID desc limit 1; +-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+---- ---------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+------ -----------+------------------+-----------------+------------------+--------------------+-------------+----------------+------------- ----+----------------+---------------+----------------------+ | radacctid | acctsessionid | acctuniqueid | username | groupname | realm | nasipaddress | nasportid | nas porttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | accti nputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddr ess | acctstartdelay | acctstopdelay | xascendsessionsvrkey | +-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+---- ---------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+------ -----------+------------------+-----------------+------------------+--------------------+-------------+----------------+------------- ----+---------------- +---------------+----------------------+ | 10247 | 4defbb0d/8c:7b:9d:9f:d4:16/12409 | 60370f84e1b169c1 | 8c7b9d9fd416 | | | 10.32.156.5 | 29 | | 2011-06-08 10:55:51 | NULL | 0 | Remote | | | 0 | 0 | 10.32.156.5 | 0.0.0.0 | | | | | 0 | 0 | | | 10246 | 4defb9c7/8c:58:77:0c:a7:08/12392 | e19aebd88b0eafbf | 8c58770ca708 | | | 10.32.156.5 | 29 | | 2011-06-08 10:50:24 | 2011-06-08 10:55:37 | 313 | Remote | | | 21002 | 3206 | 10.32.156.5 | 0.0.0.0 | User-Request | | | | 0 | 0 | NULL | +-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+---- ---------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+------ -----------+------------------+-----------------+------------------+--------------------+-------------+----------------+------------- ----+----------------+---------------+----------------------+ IV. Questions: 1) Why is the NAS sending so many randomly generated numeric "UserName" in the Accounting-Request? 2) How can I get the NAS to send the correct Username (Ziggy) instead of the randomly generated numbers in the Accounting-Request packets to update in SQL? 3) I'm confused, should I use radutmp or sql to get Simultaenous-Use to work? If only sql, can I disable radutmp in configuration files? 4) What do I need to do to get Simultaneous-Use to work properly? 5) Should the default & inner-tunnel files that have the same parameters match? (i.e. in authorize {sql} in the default file and the authorize {sql} in the inner-tunnel file) 6) Why do I see so many packets for Ziggy trying to authenticate just once.. It is not until about Line 1389 in the debug log (see below ITEM# 6) that the tunnel actually get's established and the next packet on Line 1453 has the Acct-Status-Type = Start? There is a total of about 3174 lines for just one login attempt. V: Configuration relating to Simulatenous-Use: =================================================================== /etc/raddb/sites-enabled/default =================================================================== authorize { preprocess chap mschap suffix eap { ok = return } unix ldap sql checkval expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql attr_filter.accounting_response } session { radutmp sql } post-auth { sql ldap exec Post-Auth-Type REJECT { ldap attr_filter.access_reject } } pre-proxy { } post-proxy { eap } =================================================================== /etc/raddb/sites-enabled/inner-tunnel =================================================================== authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } ldap #sql # checkval expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp sql } post-auth { # sql # sql_log ldap Post-Auth-Type REJECT { attr_filter.access_reject ldap } update outer.reply { User-Name = "%{request:User-Name}" } } pre-proxy { } post-proxy { eap } } # inner-tunnel server block =================================================================== /etc/raddb/sql.conf =================================================================== sql { database = "mysql" driver = "rlm_sql_${database}" server = "localhost" login = "radius" password = "password" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" deletestalesessions = yes sqltrace = no sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 #readclients = yes nas_table = "nas" $INCLUDE sql/${database}/dialup.conf } =================================================================== /etc/raddb/sql/mysql/dialup.conf =================================================================== ####################################################################### # Simultaneous Use Checking Queries ####################################################################### # simul_count_query - query for the number of current connections # - If this is not defined, no simultaneouls use checking # - will be performed by this module instance # simul_verify_query - query to return details of current connections for verification # - Leave blank or commented out to disable verification step # - Note that the returned field order should not be changed. ####################################################################### # Uncomment simul_count_query to enable simultaneous use checking simul_count_query = "SELECT COUNT(*) \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, \ nasipaddress, nasportid, framedipaddress, \ callingstationid, framedprotocol \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" =================================================================== /etc/raddb/eap.conf =================================================================== eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/serverkey.key certificate_file = ${certdir}/servercert.cert dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } ttls { default_eap_type=md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } mschapv2 { } } ==================================================== VI: Here is the DEBUG LOG (sorry there are so many lines) ==================================================== FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on May 9 2010 at 12:09:29 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.32.156.5/32 { require_message_authenticator = no secret = "code" shortname = "cw32ce0a.wifi.nm.ci.la.ca.us" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "10.32.197.139" port = 636 password = "Password" identity = "cn=admin,o=RALDAP" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = yes start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64" require_cert = "demand" } basedn = "ou=users,o=RALDAP" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr = "dialupAccess" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 40 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0xb7961d90 Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "password" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_checkval Module: Instantiating checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = yes } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=93, length=153 User-Name = "9027e444744e" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 1 Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402" Acct-Authentic = Remote Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" Acct-Status-Type = Start Calling-Station-Id = "0.0.0.0" Called-Station-Id = "10.32.156.5" +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402",User-Name = "9027e444744e"' [acct_unique] Acct-Unique-Session-ID = "b893f021ffab4937". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "9027e444744e", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.32.156.5/detail-20110608 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.32.156.5/detail-20110608 [detail] expand: %t -> Wed Jun 8 10:54:07 2011 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 9027e444744e ++[radutmp] returns ok [sql] expand: %{User-Name} -> 9027e444744e [sql] sql_set_user escaped user --> '9027e444744e' [sql] expand: %{Acct-Delay-Time} -> [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> 9027e444744e attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 93 to 10.32.156.5 port 32768 Finished request 1. Cleaning up request 1 ID 93 with timestamp +2 Going to the next request Ready to process requests. rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=95, length=153 User-Name = "a467068f617f" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 1 Acct-Session-Id = "4defbaad/a4:67:06:8f:61:7f/12403" Acct-Authentic = Remote Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" Acct-Status-Type = Start Calling-Station-Id = "0.0.0.0" Called-Station-Id = "10.32.156.5" +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id = "4defbaad/a4:67:06:8f:61:7f/12403",User-Name = "a467068f617f"' [acct_unique] Acct-Unique-Session-ID = "a96fb9b5775cab4f". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "a467068f617f", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.32.156.5/detail-20110608 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.32.156.5/detail-20110608 [detail] expand: %t -> Wed Jun 8 10:54:14 2011 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> a467068f617f ++[radutmp] returns ok [sql] expand: %{User-Name} -> a467068f617f [sql] sql_set_user escaped user --> 'a467068f617f' [sql] expand: %{Acct-Delay-Time} -> [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> a467068f617f attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 95 to 10.32.156.5 port 32768 Finished request 2. Cleaning up request 2 ID 95 with timestamp +9 Going to the next request Ready to process requests. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=249, length=184 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x0202000a017a69676779 Message-Authenticator = 0x2d7411a0a70277876c359c8b4d67b798 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [ldap] performing user authorization for ziggy [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy) [ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: bind as cn=admin,o=RALDAP/novell to 10.32.197.139:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy) [ldap] checking if remote access for ziggy is allowed by dialupAccess [ldap] Added the eDirectory password ziggy in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9" rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1 rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8" [ldap] looking for reply items in directory... [ldap] user ziggy authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok [sql] expand: %{User-Name} -> ziggy [sql] sql_set_user escaped user --> 'ziggy' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ziggy' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ziggy' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User ziggy not found ++[sql] returns notfound rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8 rlm_checkval: Value Name: Calling-Station-Id, Value: 78-ca-39-b9-12-f9 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8 ++[checkval] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 249 to 10.32.156.5 port 32768 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e623a5da78451212e3283d83 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=250, length=311 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x0203007719800000006d16030100680100006403014defbab394ef0bf49e249034a8f7bd9769a69976d1734654ad86542a75ed2b32000018002f00350005000ac013c014c009c00a003200380013000401000023ff010001000000000a00080000057a69676779000a0006000400170018000b00020100 State = 0xe620bc83e623a5da78451212e3283d83 Message-Authenticator = 0x67139174caeb2bd6111e66658ae9da26 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 119 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 109 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0068], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 250 to 10.32.156.5 port 32768 EAP-Message = 0x0104040019c0000008a216030100310200002d03014defb74eca097d9d5f9de12b27867f05bb279f3b41b0d5f096742ed43b4205cd00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3130303632393139323834315a170d3131303632393139323834315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d6469eb536013124569539d3e8c186e90de7d9ef492251ea1d694337fb2d4fcd4492d29a54e25740af4fc9580a88a4bc2f9e8ddc72a088 EAP-Message = 0x4910b9ffc1b899aea0078060c00099336a3260cf793fc7df0a1dabea863a017762807644fb82c3ffe5a82547ef57766021e53c9c9b1a1cd7b47f559854dce22812f752bd20f7a7d9280f68ad65f2d30909dcb38ab41921433fcb696c63dbad3b49a5f32ee13ec68ffa1af9662b0dbec130c3469281874ad71857141c6a935803e2ae72fd48c5c65ebfbf39cba8c76a89f25a6785ed61a8c4826d6092cfe55fbb6fb2d29aec987ec551078ac689469c07d3ecb16f9e3b04bc6cfa004fbeb5c05a057f6938850ec18fbf0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101002059 EAP-Message = 0xe7ff00e87350fe0b3266f50fa368ebdb9c8124b1cc9e6e07db3d5f495a4ab344ebb45f50770ed6c1723a43533f924e12d79d0d4982a1ae3b03923b97d0f767452c6995a6a523157d250ba3b918e598e93b4b87501e1b022b6e130d8ffc762c5a3d4035d8cdb057ac0fd12bd06a976618d88fc46efafbc990aa9a295fcd8b70f6c48139fdff53c35e0fb38c4db1f10f56054082aa53ce9e7c9bc5d5cbaa9eaf705ad917edee420c59ad70f658994fe18469e213085ca638ead1e8bd72a9e721901034a57d33badbe54bb92476bab7d89ff4c87882bf4f8114c812afc320b1dd68b9683011d32a46b4f17192e56c92ef213f99f6c6b7464103ecea2b0171 EAP-Message = 0x020004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e724a5da78451212e3283d83 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=251, length=198 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x020400061900 State = 0xe620bc83e724a5da78451212e3283d83 Message-Authenticator = 0x05e641c1ed2dbfb0b9a0bc003ded62a0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 251 to 10.32.156.5 port 32768 EAP-Message = 0x010503fc1940a003020102020900ec81d7fdbd08b57f300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130303632393139323834315a170d3130303732393139323834315a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c503568c9100eb4a533106a33bd1908feb4a8324db7e26fb401a9a01bd2f9834a7230b260e386dbecb5726d12d5a360d182bacc25cf8768a8c876598089c054cdf7fdd5b03241a2761a1ca0a970d820f0db8c79c16cc8c2704e0d07f1a9ab05060c7dc42cd01db61 EAP-Message = 0x6c5d107c8046cd2ef12e233bd35a4e2b477676934e34ac5813c75f4dc23301fece997d5aa08123c84b543cd45bc65fa9f1a3e8ef217d4b9f5d88e82eca7f1539946f4fd105b06d7211d2d65af67f266c9f1eb30248a56f2e26d0019a5c1ea497f4d0e7f547f8c61d2944de1551387b563e8481dbd7276fbaa0a6451ef65777c9cb3b6951f6efed6c5f696f08a03f2980779f90ff5dffdf7f0203010001a381fb3081f8301d0603551d0e0416041476cfd1a77faaafd0b29217ddec7f9888590af0f43081c80603551d230481c03081bd801476cfd1a77faaafd0b29217ddec7f9888590af0f4a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ec81d7fdbd08b57f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005b833733cc74015c776e5318978ffde37ceae715464c1183b82463c95957bc61c72d783a923fe70884a01208a04749183f0afc1393284259b0e848605447a7723437701d8a495f9130c6fb EAP-Message = 0xfd2a7aac200acb6a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e425a5da78451212e3283d83 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=252, length=198 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x020500061900 State = 0xe620bc83e425a5da78451212e3283d83 Message-Authenticator = 0x2bd996782a861ab5f0e4318920573ce9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 252 to 10.32.156.5 port 32768 EAP-Message = 0x010600bc1900f2ab17a522f98a0885febb4ff3cb657112b10067895f114462e116b84ff52e461aaa436d80c5cc1184d51c44b67c3c648257a0929a4f6c4d895b47930901d4fe1576ed3296df98e3d9edd900aa0a41a39653932d77f570c5599129b33d1bf32cabf0dffa0ab0c366c5fcdb6f3d65a12df7269b9bb211c9feb0284e064ff51a1eadb7105302f0f2e1a57195e4522c1f26739b2da61de91672163a418fe25d17caa3446a139fed55c8d98cf3b04416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e526a5da78451212e3283d83 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=253, length=530 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x0206015019800000014616030101061000010201006a27393ec43fea150a039f85ea376f584f8dc0069188328100ef31e34922ea71afc7bad9dcd521344a965f0bc349ca5b3f3ad1d8a110d985f6b3b37a562d7bf6e30422b56b4024a56b0e0caf08657680edca70fd5cfca3cac7b2b64fc21e1df7497888ace8a91a26325fb8297010a5ad6675aa89dc6a226a37e010880c28d7b071e1c9bec2b0fc532e1128992e47add8591a7056a942d6e48e8b0233a9a3384e51a4107105854a10dd61d441881f66c6adb6d9bfefa5e6adea93b2e4c58cee49b85446252a7a1dd4e63360023373983eeec36e27c7001511b4ea598b61d1c0fee7c78f1a012825f1 EAP-Message = 0x6a0da33f23a3db2b18e6a04e0f1c5821902a7f3b6d0c25a71403010001011603010030a93820cff9e6253dac65d3a219b134eb2fc85813c46c9203fdb38dd047e41e5b182733893ca45f6f4aba93a4d969338c State = 0xe620bc83e526a5da78451212e3283d83 Message-Authenticator = 0x5fadc4968a75cf5dffcdb32871abe493 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 253 to 10.32.156.5 port 32768 EAP-Message = 0x01070041190014030100010116030100303b450ec40b7584ae543440d814c44ae8e40f26ec51f917cb1bf1ca87ee319929d82566eb8c874843b7f2c270821b9a72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e227a5da78451212e3283d83 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=254, length=198 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x020700061900 State = 0xe620bc83e227a5da78451212e3283d83 Message-Authenticator = 0x6711b49c21e05d9d0471f5cada5a673e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 254 to 10.32.156.5 port 32768 EAP-Message = 0x0108002b19001703010020d615b42fdceaf564c2458858918d9d99fa2a59075262b3b911249b9dbdaf854e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e328a5da78451212e3283d83 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=255, length=235 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x0208002b1900170301002080e7daa50845a9cfa553bd5a213b34c81a694936a8086e9c41e845c2ee13adbe State = 0xe620bc83e328a5da78451212e3283d83 Message-Authenticator = 0xa23930f64ee0f25f0138d3be32faf555 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - ziggy [peap] Got tunnled request EAP-Message = 0x0208000a017a69676779 server (null) { PEAP: Got tunneled identity of ziggy PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to ziggy Sending tunneled request EAP-Message = 0x0208000a017a69676779 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for ziggy [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy) [ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy) [ldap] checking if remote access for ziggy is allowed by dialupAccess [ldap] Added the eDirectory password ziggy in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9" rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1 rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8" [ldap] looking for reply items in directory... [ldap] user ziggy authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7f5c17f37f550df77f9cb88e74ec1077 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7f5c17f37f550df77f9cb88e74ec1077 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 255 to 10.32.156.5 port 32768 EAP-Message = 0x0109003b190017030100302ea4cc7d7bc8bdbbf752876a38a688a14fd819c650d6a76d55e9711dda0cdde12b238d04624ddc997de86bcd1d6a54a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e029a5da78451212e3283d83 Finished request 9. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=0, length=299 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x0209006b190017030100606c7749f02b0698602b4d8c7391ead7367cb14ddbeaa33c1c345483f86a7a61965498be6823c24a50d0ee61499687e9b278e72700e5fb2c48d76db4393365e13bb5624897e58a7160a8164ba77d0ad762ae4dd872fb91b201aea14cdb08b127ec State = 0xe620bc83e029a5da78451212e3283d83 Message-Authenticator = 0x22d835d6fe511c9016fc9a2b9691f3cb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779 server (null) { PEAP: Setting User-Name to ziggy Sending tunneled request EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ziggy" State = 0x7f5c17f37f550df77f9cb88e74ec1077 Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for ziggy [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy) [ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy) [ldap] checking if remote access for ziggy is allowed by dialupAccess [ldap] Added the eDirectory password ziggy in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9" rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1 rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8" [ldap] looking for reply items in directory... [ldap] user ziggy authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for ziggy with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7f5c17f37e560df77f9cb88e74ec1077 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7f5c17f37e560df77f9cb88e74ec1077 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.32.156.5 port 32768 EAP-Message = 0x010a005b19001703010050c19cd32624e8cddabf0fa2387505602c4bc0164f92e8273d1849e420b04920d6d29e169b5f4fa18e031d3ac445c78f18bcb48b3c63a4cdd5f9dc9e4d07106ec30daedb164ac1fa19c911a240f1447684 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83e12aa5da78451212e3283d83 Finished request 10. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=1, length=235 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x020a002b1900170301002009cecc97373c0400e41ea22d3d29d81d3ff006fa9ecd4b3afca62b77fa8c953a State = 0xe620bc83e12aa5da78451212e3283d83 Message-Authenticator = 0xc7631b4d93c923d6460500dd33b4566d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020a00061a03 server (null) { PEAP: Setting User-Name to ziggy Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ziggy" State = 0x7f5c17f37e560df77f9cb88e74ec1077 Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for ziggy [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy) [ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy) [ldap] checking if remote access for ziggy is allowed by dialupAccess [ldap] Added the eDirectory password ziggy in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9" rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1 rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8" [ldap] looking for reply items in directory... [ldap] user ziggy authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok +- entering group session {...} [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> ziggy ++[radutmp] returns ok +- entering group post-auth {...} rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: bind as cn=ziggy,ou=users,o=RALDAP/ziggy to 10.32.197.139:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ziggy" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ziggy" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 1 to 10.32.156.5 port 32768 EAP-Message = 0x010b002b1900170301002049a52fa96dcb33d6f581b75f7657e1e6202fd2c7e22308df4d67c837775995ce Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe620bc83ee2ba5da78451212e3283d83 Finished request 11. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=2, length=235 User-Name = "ziggy" Calling-Station-Id = "00-22-fa-a1-ba-e8" Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" EAP-Message = 0x020b002b19001703010020eea6cdab5fcb5553d5c76ec1ef19d42396ed439a838b0d35367cfdda86fef168 State = 0xe620bc83ee2ba5da78451212e3283d83 Message-Authenticator = 0xa6bc090d74217df806b10f83260e7a30 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ziggy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} [sql] expand: %{User-Name} -> ziggy [sql] sql_set_user escaped user --> 'ziggy' [sql] expand: %{User-Password} -> [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ziggy', '', 'Access-Accept', '2011-06-08 10:54:22') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ziggy', '', 'Access-Accept', '2011-06-08 10:54:22') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[ldap] returns noop ++[exec] returns noop Sending Access-Accept of id 2 to 10.32.156.5 port 32768 User-Name = "ziggy" MS-MPPE-Recv-Key = 0x24ed6bc6b1501b91115a0aebb258aa071975a0c24c0b284bafbb36992de2da7c MS-MPPE-Send-Key = 0xa0a91a481b11147334dc7c5019ac8aa906c8498bc9f165b56fdb1e495a65110c EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 12. Going to the next request Waking up in 4.8 seconds. rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=96, length=153 User-Name = "0018de9a2a1a" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 1 Acct-Session-Id = "4defbab7/00:18:de:9a:2a:1a/12405" Acct-Authentic = Remote Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" Acct-Status-Type = Start Calling-Station-Id = "0.0.0.0" Called-Station-Id = "10.32.156.5" +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id = "4defbab7/00:18:de:9a:2a:1a/12405",User-Name = "0018de9a2a1a"' [acct_unique] Acct-Unique-Session-ID = "7fab12adbf4fb3ac". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "0018de9a2a1a", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.32.156.5/detail-20110608 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.32.156.5/detail-20110608 [detail] expand: %t -> Wed Jun 8 10:54:25 2011 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 0018de9a2a1a ++[radutmp] returns ok [sql] expand: %{User-Name} -> 0018de9a2a1a [sql] sql_set_user escaped user --> '0018de9a2a1a' [sql] expand: %{Acct-Delay-Time} -> [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> 0018de9a2a1a attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 96 to 10.32.156.5 port 32768 Finished request 13. Cleaning up request 13 ID 96 with timestamp +20 Going to the next request Waking up in 2.1 seconds. Cleaning up request 3 ID 249 with timestamp +17 Cleaning up request 4 ID 250 with timestamp +17 Cleaning up request 5 ID 251 with timestamp +17 Cleaning up request 6 ID 252 with timestamp +17 Cleaning up request 7 ID 253 with timestamp +17 Cleaning up request 8 ID 254 with timestamp +17 Cleaning up request 9 ID 255 with timestamp +17 Cleaning up request 10 ID 0 with timestamp +17 Cleaning up request 11 ID 1 with timestamp +17 Cleaning up request 12 ID 2 with timestamp +17
Ziggy Bopster wrote:
I am want to enable Simultaneous-Use for our users. I have been stuck for many many days trying to figure this out, any help is greatly appreciated. This is my first time posting, so sorry if my netiquette is not correct
Read doc/Simultaneous-Use. It's a how-to, and most questions are answered there.
I. Configuration of System: FreeRADIUS Version 2.1.1, built on May 9 2010 at 12:09:29
Ugh. Upgrade to 2.1.10.
III. Problem: In looking at the debug logs, randomly generated UserName Accounting-Request packets are being sent from the NAS to the FreeRADIUS, before and after the successful authentication of the UserName (ziggy) using the EAP-PEAP-MSCHAPV2 protocol (during which time the correct UserName is sent by NAS).
Those look like MAC addresses, perhaps. And that doesn't matter, if you're trying to do Simultaneous-Use for use "ziggy". Do you get Accounting-Request packets for user "ziggy"? If not, then Simultaneous-Use will be hard to do. Alan DeKok.
Hi Alan,
Read doc/Simultaneous-Use. It's a how-to, and most questions are answered there.
Thank you.. I will re-read the Simultaneous-Use Doc again.. I may have to start from a simple configuration, before trying to integrate that with e-Directory.
Ugh. Upgrade to 2.1.10. I'll upgrade to 2.1.10 prior to trying again.
Those look like MAC addresses, perhaps. And that doesn't matter, if you're trying to do Simultaneous-Use for use "ziggy".
Those are not MAC addresses.. They are randomly generated numbers? Why? don't know.. But it doesn't matter I guess. Just makes it hard for me to understand the debug log, since I'm new at it.
Do you get Accounting-Request packets for user "ziggy"? If not, then Simultaneous-Use will be hard to do.
I looked at the debug log again using the http://networkradius.com/freeradius.html debugging output URL (wish I found it sooner). I see Access-Request packets with "Ziggy" from Packets 3-12 for the authentication portion. The next time I see anything with Username = "Ziggy" is the Accounting-Request packet when I disconnect from the SSID as indicated in the Acct-Status-Type = Stop. In this packet, the calling-station-ID becomes 0.0.0.0. though.. Is that how it is suppose to look? Since it should be "00-22-fa-a1-ba-e8" ? rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=111, length=188 User-Name = "ziggy" NAS-Port = 29 NAS-IP-Address = 10.32.156.5 NAS-Identifier = "CW32CE0A" Airespace-Wlan-Id = 3 Acct-Session-Id = "4defbab6/00:22:fa:a1:ba:e8/12404" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "342" Acct-Status-Type = Stop Acct-Input-Octets = 68833 Acct-Output-Octets = 9551 Acct-Input-Packets = 559 Acct-Output-Packets = 47 Acct-Terminate-Cause = User-Request Acct-Session-Time = 117 Acct-Delay-Time = 0 Calling-Station-Id = "0.0.0.0" Called-Station-Id = "10.32.156.5" On Thu, Jun 9, 2011 at 8:19 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ziggy Bopster wrote:
I am want to enable Simultaneous-Use for our users. I have been stuck for many many days trying to figure this out, any help is greatly appreciated. This is my first time posting, so sorry if my netiquette is not correct
Read doc/Simultaneous-Use. It's a how-to, and most questions are answered there.
I. Configuration of System: FreeRADIUS Version 2.1.1, built on May 9 2010 at 12:09:29
Ugh. Upgrade to 2.1.10.
III. Problem: In looking at the debug logs, randomly generated UserName Accounting-Request packets are being sent from the NAS to the FreeRADIUS, before and after the successful authentication of the UserName (ziggy) using the EAP-PEAP-MSCHAPV2 protocol (during which time the correct UserName is sent by NAS).
Those look like MAC addresses, perhaps. And that doesn't matter, if you're trying to do Simultaneous-Use for use "ziggy".
Do you get Accounting-Request packets for user "ziggy"? If not, then Simultaneous-Use will be hard to do.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Jun 10, 2011 at 2:26 AM, Ziggy Bopster <ziggybopster@gmail.com> wrote:
IV. Questions: 1) Why is the NAS sending so many randomly generated numeric "UserName" in the Accounting-Request? 2) How can I get the NAS to send the correct Username (Ziggy) instead of the randomly generated numbers in the Accounting-Request packets to update in SQL?
Ask the NAS vendor.
3) I'm confused, should I use radutmp or sql to get Simultaenous-Use to work?
SQL should be faster, and easier to manage
If only sql, can I disable radutmp in configuration files?
Sure. In fact, once I get EVERYTHING worked out just like I wanted, I usually remove unnecessary components. If your all your user configuration and acct data is on sql, then you should be able to remove some configuration lines (e.g. unix, radutmp, detail, etc.)
4) What do I need to do to get Simultaneous-Use to work properly?
As Alan ponted out, the included doc is a good start. You need to have radcct table populated with correct values (which is related to your question #1 and #2).
5) Should the default & inner-tunnel files that have the same parameters match? (i.e. in authorize {sql} in the default file and the authorize {sql} in the inner-tunnel file)
Depends. If you have some clients that authenticate using PAP while others using PEAP/802.1x, then yes. But if ALL your clients only use PEAP/802.1x, then it shouldn't matter much what you put on sites-available/default, as long as eap-related options are there.
6) Why do I see so many packets for Ziggy trying to authenticate just once.. It is not until about Line 1389 in the debug log (see below ITEM# 6) that the tunnel actually get's established and the next packet on Line 1453 has the Acct-Status-Type = Start? There is a total of about 3174 lines for just one login attempt.
The image on http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html might give some illustration on the packets involved in EAP/MSCHAPv2 works -- Fajar
Hi Fajar, Thanks for replying.. Really appreciate it.
Ask the NAS vendor. It's CISCO.. I do see one Accounting-Request packet for Username="Ziggy" when I terminate the connection.. But no Accounting-Request packet for the Start of Username="ziggy" logging in. I do see Access-Request packets for Ziggy. I'll have to check on that with them. ???
SQL should be faster, and easier to manage Great.. If I only want to use SQL for Simultaneous-Use checking (and not User Authentication), is that going to work? I want to use LDAP for Authenticaiton..
Sure.
In fact, once I get EVERYTHING worked out just like I wanted, I usually remove unnecessary components. If your all your user configuration and acct data is on sql, then you> should be able to remove some configuration lines (e.g. unix, radutmp, detail, etc.)
I will disable RADUTMP & other stuff after I get this SQL working. Thanks.
If you have some clients that authenticate using PAP while others using PEAP/802.1x, then yes. But if ALL your clients only use PEAP/802.1x, then it shouldn't matter much what you put on sites-available/default, as long as eap-related options are there.
All our clients will be using PEAP/802.1x.. So does that mean only the eap.conf file matters? Do I need to make changes in the sites-available/default and the inner-tunnel files?
The image on http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html might give some illustration on the packets involved in EAP/MSCHAPv2 works
Thanks so much for the link.. It is great.. That explains why I have 8 Packets for the PEAP authentication for Ziggy.. :) The rest of the DEBUG logs contain Accounting-Request Packets.. On Thu, Jun 9, 2011 at 9:16 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Fri, Jun 10, 2011 at 2:26 AM, Ziggy Bopster <ziggybopster@gmail.com> wrote:
IV. Questions: 1) Why is the NAS sending so many randomly generated numeric "UserName" in the Accounting-Request? 2) How can I get the NAS to send the correct Username (Ziggy) instead of the randomly generated numbers in the Accounting-Request packets to update in SQL?
Ask the NAS vendor.
3) I'm confused, should I use radutmp or sql to get Simultaenous-Use to work?
SQL should be faster, and easier to manage
If only sql, can I disable radutmp in configuration files?
Sure.
In fact, once I get EVERYTHING worked out just like I wanted, I usually remove unnecessary components. If your all your user configuration and acct data is on sql, then you should be able to remove some configuration lines (e.g. unix, radutmp, detail, etc.)
4) What do I need to do to get Simultaneous-Use to work properly?
As Alan ponted out, the included doc is a good start. You need to have radcct table populated with correct values (which is related to your question #1 and #2).
5) Should the default & inner-tunnel files that have the same parameters match? (i.e. in authorize {sql} in the default file and the authorize {sql} in the inner-tunnel file)
Depends.
If you have some clients that authenticate using PAP while others using PEAP/802.1x, then yes. But if ALL your clients only use PEAP/802.1x, then it shouldn't matter much what you put on sites-available/default, as long as eap-related options are there.
6) Why do I see so many packets for Ziggy trying to authenticate just once.. It is not until about Line 1389 in the debug log (see below ITEM# 6) that the tunnel actually get's established and the next packet on Line 1453 has the Acct-Status-Type = Start? There is a total of about 3174 lines for just one login attempt.
The image on http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html might give some illustration on the packets involved in EAP/MSCHAPv2 works
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Fajar A. Nugraha -
Ziggy Bopster