Hello I have a question about AD authentication that I can't seem to find an answer to in the documentation. The question simply boils down to this: who do I specify a configuration when dealing with domain.com and subdomain.domain.com? We currently use 802.1x on all network ports and have three login scenarios: 1. 802.1x using PEAP-MSCHAPv2 (domain computers) 2. 802.1x using MD5 (yes I know this is older but that is what the devices support) 3. MAC address authentication (printers, cameras, etc) Right now NPS is the first RADIUS server inline and handles all the PEAP requests for machine authentication if the traffic does not conform a specific pattern - if it does conform the traffic is forwarded to freeradius for scenarios 2 & 3. The end goal is to get down to a single server instead of a relayed configuration. What is required is the ability to support both domain.com and subdomain.domain.com or domain A and domain B and computers could be a member from either domain. I also need to find a way to not have these users defined in freeradius as most of the guides seem to point to but instead validate the return results based on the group membership (Domain Computers) from either group, each domain gets a unique vlan assignment from NPS based on this relationship. I pulled this from FreeRADIUS guides: exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" } Which leads to the questions about multi domain configurations which I can't find mentioned anywhere in the wiki's, faqs or internet in general which leads me to think that this is one of three cases: 1. This configuration is uncommon 2. This configuration is not possible 3. I am just being dense in the head (I prefer to believe this is not the scenario). Using the NTLM_AUTH test tool I am able to specify the domain and get a successful auth as there is a trust between these parent and child domains but because everything is based on the samaccountname the domain has to be specified with the tool. I also understand that calling the ntlm_auth program may not be the best way to go and that a library exists but I believe the base question(s) are still relevant in both cases. Any guidance would greatly be appreciated even if it is stick what you got. Thanks Jeremy
fairly easily done - and quite common - had different requirements when, for example, we migrated from one domain to another. you dont want the exec ntlm_auth thing - thats a diversion, you just use the mschap module (and configure the ntlm line in that- you want to use unlang and then in the authorise section of the inner-tunnel, call different mschap modules eg pseudo-code: (untested, quickly typed) if (%{User-Name} ~= "@domain.com$"){ mschap-one } if (%{User-Name} ~= "@other.domain.com$"){ mschap-two } but right now you just send (proxy) all this to NPS? your aim is to move the authentication to the FR system? alan
Thanks for the feedback, makes sense. I will just need to mutate the username from “host/machine.domain.com” to “machine$” which I can handle. To attempt to answer your question as I understand it: rrght now this is proxied from NPS to freeradius as the NPS server existed before freeradius and only implemented freeradius when the MD5 requirement came along as it was removed from NPS some time ago and reimplementing it did make it work “sometimes” other times it would just fail so rather than spend time on a removed and unsupported feature we decided to move all the mac and MD5 dot1x authentication to a freeradius server. Now I would like to get down to just the single radius server gain now that it has been proven in production it is time to scale out for resilancy but would like to finish the project off by authenticating the PEAP/MSCHAPv2 stuff back to ad where a machine is authenticated once it is joined to the domain.
On Dec 30, 2017, at 1:19 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
fairly easily done - and quite common - had different requirements when, for example, we migrated from one domain to another.
you dont want the exec ntlm_auth thing - thats a diversion, you just use the mschap module (and configure the ntlm line in that- you want to use unlang and then in the authorise section of the inner-tunnel, call different mschap modules eg
pseudo-code: (untested, quickly typed)
if (%{User-Name} ~= "@domain.com$"){ mschap-one } if (%{User-Name} ~= "@other.domain.com$"){ mschap-two }
but right now you just send (proxy) all this to NPS? your aim is to move the authentication to the FR system?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Don't mess with username, it'll break the EAP authentication. The server and ntlm_auth will handle those forms of IDs fine, just use the mschap module and ensure that the NT name stuff (prefix module IIRC) is enabled alan On 30 Dec 2017 7:43 pm, "Martin, Jeremy" <jmartin@emcc.edu> wrote:
Thanks for the feedback, makes sense. I will just need to mutate the username from “host/machine.domain.com” to “machine$” which I can handle.
To attempt to answer your question as I understand it: rrght now this is proxied from NPS to freeradius as the NPS server existed before freeradius and only implemented freeradius when the MD5 requirement came along as it was removed from NPS some time ago and reimplementing it did make it work “sometimes” other times it would just fail so rather than spend time on a removed and unsupported feature we decided to move all the mac and MD5 dot1x authentication to a freeradius server. Now I would like to get down to just the single radius server gain now that it has been proven in production it is time to scale out for resilancy but would like to finish the project off by authenticating the PEAP/MSCHAPv2 stuff back to ad where a machine is authenticated once it is joined to the domain.
On Dec 30, 2017, at 1:19 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
fairly easily done - and quite common - had different requirements when, for example, we migrated from one domain to another.
you dont want the exec ntlm_auth thing - thats a diversion, you just use the mschap module (and configure the ntlm line in that- you want to use unlang and then in the authorise section of the inner-tunnel, call different mschap modules eg
pseudo-code: (untested, quickly typed)
if (%{User-Name} ~= "@domain.com$"){ mschap-one } if (%{User-Name} ~= "@other.domain.com$"){ mschap-two }
but right now you just send (proxy) all this to NPS? your aim is to move the authentication to the FR system?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
So I greatly appreciate the pointers and help thus far but unfortunately this part of the the project keeps running into wall after wall. So I decided to take a step back and start with a single domain on a nice clean install but come up with the same error from the inner-tunnel test.
&Module-Failure-Message += 'Rejected: User-Name contains multiple ..s’
When researching this error it seems to point to issues people had when upgrading from v2 to v3 but this is not the case in this instance and am not able to find any useful information after many hours of exhausting the resources that I did find.
So I now have two questions:
1. As we are largely required to use FR due to the MD5 EAP requirement of a solution we need to support and the difficulties and other issues of getting this implemented I am seriously considering the viability of the product without commercial support options. Does anyone have any rough idea of cost for the commercial support option for a FR server in a educational production environment?
2. In the event we decide to go the commercial route, and honestly I am heavily leaning that way after the amount of time invested this weekend, I still really need to do a proof of concept before coming so any pointers on the following error?
radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123
Received Access-Request Id 74 from 127.0.0.1:52096 to 127.0.0.1:18120 length 142
(1) User-Name = “testuser"
(1) NAS-IP-Address = 10.40.0.199
(1) NAS-Port = 0
(1) Message-Authenticator = 0xd61679269ea9b90bf0e38f138bd9a1a4
(1) MS-CHAP-Challenge = 0x1b48d5a1841beb78
(1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a76b216d255f8f4b4b039e309a93b5e58e52e6fdc5feaf1e
(1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> TRUE
(1) if (&User-Name =~ /\.\./ ) {
(1) update request {
(1) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(1) } # update request = noop
(1) [reject] = reject
(1) } # if (&User-Name =~ /\.\./ ) = reject
(1) } # if (&User-Name) = reject
(1) } # policy filter_username = reject
(1) } # authorize = reject
(1) Invalid user (Rejected: User-Name contains multiple ..s): [testuser/<no User-Password attribute>] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
> On Dec 30, 2017, at 4:29 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
>
> Don't mess with username, it'll break the EAP authentication. The server
> and ntlm_auth will handle those forms of IDs fine, just use the mschap
> module and ensure that the NT name stuff (prefix module IIRC) is enabled
>
> alan
>
> On 30 Dec 2017 7:43 pm, "Martin, Jeremy" <jmartin@emcc.edu> wrote:
>
>> Thanks for the feedback, makes sense. I will just need to mutate the
>> username from “host/machine.domain.com” to “machine$” which I can handle.
>>
>> To attempt to answer your question as I understand it: rrght now this is
>> proxied from NPS to freeradius as the NPS server existed before freeradius
>> and only implemented freeradius when the MD5 requirement came along as it
>> was removed from NPS some time ago and reimplementing it did make it work
>> “sometimes” other times it would just fail so rather than spend time on a
>> removed and unsupported feature we decided to move all the mac and MD5
>> dot1x authentication to a freeradius server. Now I would like to get down
>> to just the single radius server gain now that it has been proven in
>> production it is time to scale out for resilancy but would like to finish
>> the project off by authenticating the PEAP/MSCHAPv2 stuff back to ad where
>> a machine is authenticated once it is joined to the domain.
>>
>>> On Dec 30, 2017, at 1:19 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
>>>
>>> fairly easily done - and quite common - had different requirements
>>> when, for example, we migrated from one domain to another.
>>>
>>> you dont want the exec ntlm_auth thing - thats a diversion, you just
>>> use the mschap module (and configure the ntlm line in that- you want
>>> to use unlang
>>> and then in the authorise section of the inner-tunnel, call different
>>> mschap modules eg
>>>
>>> pseudo-code: (untested, quickly typed)
>>>
>>> if (%{User-Name} ~= "@domain.com$"){
>>> mschap-one
>>> }
>>> if (%{User-Name} ~= "@other.domain.com$"){
>>> mschap-two
>>> }
>>>
>>>
>>> but right now you just send (proxy) all this to NPS? your aim is to
>>> move the authentication to the FR system?
>>>
>>> alan
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 1/01/2018, at 2:20 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
So I greatly appreciate the pointers and help thus far but unfortunately this part of the the project keeps running into wall after wall. So I decided to take a step back and start with a single domain on a nice clean install but come up with the same error from the inner-tunnel test.
&Module-Failure-Message += 'Rejected: User-Name contains multiple ..s’
When researching this error it seems to point to issues people had when upgrading from v2 to v3 but this is not the case in this instance and am not able to find any useful information after many hours of exhausting the resources that I did find.
So I now have two questions:
1. As we are largely required to use FR due to the MD5 EAP requirement of a solution we need to support and the difficulties and other issues of getting this implemented I am seriously considering the viability of the product without commercial support options. Does anyone have any rough idea of cost for the commercial support option for a FR server in a educational production environment?
2. In the event we decide to go the commercial route, and honestly I am heavily leaning that way after the amount of time invested this weekend, I still really need to do a proof of concept before coming so any pointers on the following error?
radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123
Received Access-Request Id 74 from 127.0.0.1:52096 to 127.0.0.1:18120 length 142 (1) User-Name = “testuser" (1) NAS-IP-Address = 10.40.0.199 (1) NAS-Port = 0 (1) Message-Authenticator = 0xd61679269ea9b90bf0e38f138bd9a1a4 (1) MS-CHAP-Challenge = 0x1b48d5a1841beb78 (1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a76b216d255f8f4b4b039e309a93b5e58e52e6fdc5feaf1e (1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> TRUE (1) if (&User-Name =~ /\.\./ ) { (1) update request { (1) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (1) } # update request = noop (1) [reject] = reject (1) } # if (&User-Name =~ /\.\./ ) = reject (1) } # if (&User-Name) = reject (1) } # policy filter_username = reject (1) } # authorize = reject (1) Invalid user (Rejected: User-Name contains multiple ..s): [testuser/<no User-Password attribute>] (from client localhost port 0) (1) Using Post-Auth-Type Reject
What version of FreeRADIUS are you running? What is correct_escapes set to in your radiusd.conf file? -- Nathan Ward
radiusd: FreeRADIUS Version 3.0.13, for host x86_64-redhat-linux-gnu, built on Aug 23 2017 at 15:18:22 FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Jeremy
On Dec 31, 2017, at 8:32 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 1/01/2018, at 2:20 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
So I greatly appreciate the pointers and help thus far but unfortunately this part of the the project keeps running into wall after wall. So I decided to take a step back and start with a single domain on a nice clean install but come up with the same error from the inner-tunnel test.
&Module-Failure-Message += 'Rejected: User-Name contains multiple ..s’
When researching this error it seems to point to issues people had when upgrading from v2 to v3 but this is not the case in this instance and am not able to find any useful information after many hours of exhausting the resources that I did find.
So I now have two questions:
1. As we are largely required to use FR due to the MD5 EAP requirement of a solution we need to support and the difficulties and other issues of getting this implemented I am seriously considering the viability of the product without commercial support options. Does anyone have any rough idea of cost for the commercial support option for a FR server in a educational production environment?
2. In the event we decide to go the commercial route, and honestly I am heavily leaning that way after the amount of time invested this weekend, I still really need to do a proof of concept before coming so any pointers on the following error?
radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123
Received Access-Request Id 74 from 127.0.0.1:52096 to 127.0.0.1:18120 length 142 (1) User-Name = “testuser" (1) NAS-IP-Address = 10.40.0.199 (1) NAS-Port = 0 (1) Message-Authenticator = 0xd61679269ea9b90bf0e38f138bd9a1a4 (1) MS-CHAP-Challenge = 0x1b48d5a1841beb78 (1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a76b216d255f8f4b4b039e309a93b5e58e52e6fdc5feaf1e (1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> TRUE (1) if (&User-Name =~ /\.\./ ) { (1) update request { (1) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (1) } # update request = noop (1) [reject] = reject (1) } # if (&User-Name =~ /\.\./ ) = reject (1) } # if (&User-Name) = reject (1) } # policy filter_username = reject (1) } # authorize = reject (1) Invalid user (Rejected: User-Name contains multiple ..s): [testuser/<no User-Password attribute>] (from client localhost port 0) (1) Using Post-Auth-Type Reject
What version of FreeRADIUS are you running?
What is correct_escapes set to in your radiusd.conf file?
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 1/01/2018, at 2:36 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
radiusd: FreeRADIUS Version 3.0.13, for host x86_64-redhat-linux-gnu, built on Aug 23 2017 at 15:18:22 FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT
Jeremy
On Dec 31, 2017, at 8:32 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
<snip>
What is correct_escapes set to in your radiusd.conf file?
-- Nathan Ward
I don’t see any reference to this in that file. Full file below. jeremy ###################################################################### # # Read "man radiusd" before editing this file. See the section # titled DEBUGGING. It outlines a method where you can quickly # obtain the configuration you want, without running into # trouble. # # Run the server in debugging mode, and READ the output. # # $ radiusd -X # # We cannot emphasize this point strongly enough. The vast # majority of problems can be solved by carefully reading the # debugging output, which includes warnings about common issues, # and suggestions for how they may be fixed. # # There may be a lot of output, but look carefully for words like: # "warning", "error", "reject", or "failure". The messages there # will usually be enough to guide you to a solution. # # If you are going to ask a question on the mailing list, then # explain what you are trying to do, and include the output from # debugging mode (radiusd -X). Failure to do so means that all # of the responses to your question will be people telling you # to "post the output of radiusd -X". ###################################################################### # # The location of other config files and logfiles are declared # in this file. # # Also general configuration for modules can be done in this # file, it is exported through the API to modules that ask for # it. # # See "man radiusd.conf" for documentation on the format of this # file. Note that the individual configuration items are NOT # documented in that "man" page. They are only documented here, # in the comments. # # The "unlang" policy language can be used to create complex # if / else policies. See "man unlang" for details. # prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # # name of the running server. See also the "-n" command-line option. name = radiusd # Location of config and logfiles. confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} db_dir = ${localstatedir}/lib/radiusd # # libdir: Where to find the rlm_* modules. # # This should be automatically set at configuration time. # # If the server builds and installs, but fails at execution time # with an 'undefined symbol' error, then you can use the libdir # directive to work around the problem. # # The cause is usually that a library has been installed on your # system in a place where the dynamic linker CANNOT find it. When # executing as root (or another user), your personal environment MAY # be set up to allow the dynamic linker to find the library. When # executing as a daemon, FreeRADIUS MAY NOT have the same # personalized configuration. # # To work around the problem, find out which library contains that symbol, # and add the directory containing that library to the end of 'libdir', # with a colon separating the directory names. NO spaces are allowed. # # e.g. libdir = /usr/local/lib:/opt/package/lib # # You can also try setting the LD_LIBRARY_PATH environment variable # in a script which starts the server. # # If that does not work, then you can re-configure and re-build the # server to NOT use shared libraries, via: # # ./configure --disable-shared # make # make install # libdir = /usr/lib64/freeradius # pidfile: Where to place the PID of the RADIUS server. # # The server may be signalled while it's running by using this # file. # # This file is written when ONLY running in daemon mode. # # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` # pidfile = ${run_dir}/${name}.pid # panic_action: Command to execute if the server dies unexpectedly. # # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. # AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. # # THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE # PATTACH CAN BE USED AS AN ATTACK VECTOR. # # The panic action is a command which will be executed if the server # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, # SIGABRT or SIGFPE. # # This can be used to start an interactive debugging session so # that information regarding the current state of the server can # be acquired. # # The following string substitutions are available: # - %e The currently executing program e.g. /sbin/radiusd # - %p The PID of the currently executing program e.g. 12345 # # Standard ${} substitutions are also allowed. # # An example panic action for opening an interactive session in GDB would be: # #panic_action = "gdb %e %p" # # Again, don't use that on a production system. # # An example panic action for opening an automated session in GDB would be: # #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" # # That command can be used on a production system. # # max_request_time: The maximum time (in seconds) to handle a request. # # Requests which take more time than this to process may be killed, and # a REJECT message is returned. # # WARNING: If you notice that requests take a long time to be handled, # then this MAY INDICATE a bug in the server, in one of the modules # used to handle a request, OR in your local configuration. # # This problem is most often seen when using an SQL database. If it takes # more than a second or two to receive an answer from the SQL database, # then it probably means that you haven't indexed the database. See your # SQL server documentation for more information. # # Useful range of values: 5 to 120 # max_request_time = 30 # cleanup_delay: The time to wait (in seconds) before cleaning up # a reply which was sent to the NAS. # # The RADIUS request is normally cached internally for a short period # of time, after the reply is sent to the NAS. The reply packet may be # lost in the network, and the NAS will not see it. The NAS will then # re-send the request, and the server will respond quickly with the # cached reply. # # If this value is set too low, then duplicate requests from the NAS # MAY NOT be detected, and will instead be handled as separate requests. # # If this value is set too high, then the server will cache too many # requests, and some new requests may get blocked. (See 'max_requests'.) # # Useful range of values: 2 to 10 # cleanup_delay = 5 # max_requests: The maximum number of requests which the server keeps # track of. This should be 256 multiplied by the number of clients. # e.g. With 4 clients, this number should be 1024. # # If this number is too low, then when the server becomes busy, # it will not respond to any new requests, until the 'cleanup_delay' # time has passed, and it has removed the old requests. # # If this number is set too high, then the server will use a bit more # memory for no real benefit. # # If you aren't sure what it should be set to, it's better to set it # too high than too low. Setting it to 1000 per client is probably # the highest it should be. # # Useful range of values: 256 to infinity # max_requests = 1024 # hostname_lookups: Log the names of clients or just their IP addresses # e.g., www.freeradius.org (on) or 206.47.27.232 (off). # # The default is 'off' because it would be overall better for the net # if people had to knowingly turn this feature on, since enabling it # means that each client request will result in AT LEAST one lookup # request to the nameserver. Enabling hostname_lookups will also # mean that your server may stop randomly for 30 seconds from time # to time, if the DNS requests take too long. # # Turning hostname lookups off also means that the server won't block # for 30 seconds, if it sees an IP address which has no name associated # with it. # # allowed values: {no, yes} # hostname_lookups = no # # Logging section. The various "log_*" configuration items # will eventually be moved here. # log { # # Destination for log messages. This can be one of: # # files - log to "file", as defined below. # syslog - to syslog (see also the "syslog_facility", below. # stdout - standard output # stderr - standard error. # # The command-line option "-X" over-rides this option, and forces # logging to go to stdout. # destination = files # # Highlight important messages sent to stderr and stdout. # # Option will be ignored (disabled) if output if TERM is not # an xterm or output is not to a TTY. # colourise = yes # # The logging messages for the server are appended to the # tail of this file if destination == "files" # # If the server is running in debugging mode, this file is # NOT used. # file = ${logdir}/radius.log # # If this configuration parameter is set, then log messages for # a *request* go to this file, rather than to radius.log. # # i.e. This is a log file per request, once the server has accepted # the request as being from a valid client. Messages that are # not associated with a request still go to radius.log. # # Not all log messages in the server core have been updated to use # this new internal API. As a result, some messages will still # go to radius.log. Please submit patches to fix this behavior. # # The file name is expanded dynamically. You should ONLY user # server-side attributes for the filename (e.g. things you control). # Using this feature MAY also slow down the server substantially, # especially if you do thinks like SQL calls as part of the # expansion of the filename. # # The name of the log file should use attributes that don't change # over the lifetime of a request, such as User-Name, # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log # messages will be distributed over multiple files. # # Logging can be enabled for an individual request by a special # dynamic expansion macro: %{debug: 1}, where the debug level # for this request is set to '1' (or 2, 3, etc.). e.g. # # ... # update control { # Tmp-String-0 = "%{debug:1}" # } # ... # # The attribute that the value is assigned to is unimportant, # and should be a "throw-away" attribute with no side effects. # #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log # # Which syslog facility to use, if ${destination} == "syslog" # # The exact values permitted here are OS-dependent. You probably # don't want to change this. # syslog_facility = daemon # Log the full User-Name attribute, as it was found in the request. # # allowed values: {no, yes} # stripped_names = no # Log authentication requests to the log file. # # allowed values: {no, yes} # auth = yes # Log passwords with the authentication requests. # auth_badpass - logs password if it's rejected # auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # auth_badpass = yes auth_goodpass = yes # Log additional text at the end of the "Login OK" messages. # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" # configurations above have to be set to "yes". # # The strings below are dynamically expanded, which means that # you can put anything you want in them. However, note that # this expansion can be slow, and can negatively impact server # performance. # # msg_goodpass = "" # msg_badpass = "" # The message when the user exceeds the Simultaneous-Use limit. # msg_denied = "You are already logged in - access denied" } # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This # section holds the configuration items which minimize the impact # of those attacks # security { # chroot: directory where the server does "chroot". # # The chroot is done very early in the process of starting # the server. After the chroot has been performed it # switches to the "user" listed below (which MUST be # specified). If "group" is specified, it switches to that # group, too. Any other groups listed for the specified # "user" in "/etc/group" are also added as part of this # process. # # The current working directory (chdir / cd) is left # *outside* of the chroot until all of the modules have been # initialized. This allows the "raddb" directory to be left # outside of the chroot. Once the modules have been # initialized, it does a "chdir" to ${logdir}. This means # that it should be impossible to break out of the chroot. # # If you are worried about security issues related to this # use of chdir, then simply ensure that the "raddb" directory # is inside of the chroot, end be sure to do "cd raddb" # BEFORE starting the server. # # If the server is statically linked, then the only files # that have to exist in the chroot are ${run_dir} and # ${logdir}. If you do the "cd raddb" as discussed above, # then the "raddb" directory has to be inside of the chroot # directory, too. # # chroot = /path/to/chroot/directory # user/group: The name (or #number) of the user/group to run radiusd as. # # If these are commented out, the server will run as the # user/group that started it. In order to change to a # different user/group, you MUST be root ( or have root # privileges ) to start the server. # # We STRONGLY recommend that you run the server with as few # permissions as possible. That is, if you're not using # shadow passwords, the user and group items below should be # set to radius'. # # NOTE that some kernels refuse to setgid(group) when the # value of (unsigned)group is above 60000; don't use group # "nobody" on these systems! # # On systems with shadow passwords, you might have to set # 'group = shadow' for the server to be able to read the # shadow password file. If you can authenticate users while # in debug mode, but not in daemon mode, it may be that the # debugging mode server is running as a user that can read # the shadow info, and the user listed below can not. # # The server will also try to use "initgroups" to read # /etc/groups. It will join all groups where "user" is a # member. This can allow for some finer-grained access # controls. # user = radiusd group = radiusd # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. # # allowed values: {no, yes} # allow_core_dumps = no # # max_attributes: The maximum number of attributes # permitted in a RADIUS packet. Packets which have MORE # than this number of attributes in them will be dropped. # # If this number is set too low, then no RADIUS packets # will be accepted. # # If this number is set too high, then an attacker may be # able to send a small number of packets which will cause # the server to use all available memory on the machine. # # Setting this number to 0 means "allow any number of attributes" max_attributes = 200 # # reject_delay: When sending an Access-Reject, it can be # delayed for a few seconds. This may help slow down a DoS # attack. It also helps to slow down people trying to brute-force # crack a users password. # # Setting this number to 0 means "send rejects immediately" # # If this number is set higher than 'cleanup_delay', then the # rejects will be sent at 'cleanup_delay' time, when the request # is deleted from the internal cache of requests. # # Useful ranges: 1 to 5 reject_delay = 1 # # status_server: Whether or not the server will respond # to Status-Server requests. # # When sent a Status-Server message, the server responds with # an Access-Accept or Accounting-Response packet. # # This is mainly useful for administrators who want to "ping" # the server, without adding test users, or creating fake # accounting packets. # # It's also useful when a NAS marks a RADIUS server "dead". # The NAS can periodically "ping" the server with a Status-Server # packet. If the server responds, it must be alive, and the # NAS can start using it for real requests. # # See also raddb/sites-available/status # status_server = yes } # PROXY CONFIGURATION # # proxy_requests: Turns proxying of RADIUS requests on or off. # # The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server. # # If you have proxying turned off, and your configuration files say # to proxy a request, then an error message will be logged. # # To disable proxying, change the "yes" to "no", and comment the # $INCLUDE line. # # allowed values: {no, yes} # proxy_requests = yes $INCLUDE proxy.conf # CLIENTS CONFIGURATION # # Client configuration is defined in "clients.conf". # # The 'clients.conf' file contains all of the information from the old # 'clients' and 'naslist' configuration files. We recommend that you # do NOT use 'client's or 'naslist', although they are still # supported. # # Anything listed in 'clients.conf' will take precedence over the # information from the old-style configuration files. # $INCLUDE clients.conf # THREAD POOL CONFIGURATION # # The thread pool is a long-lived group of threads which # take turns (round-robin) handling any incoming requests. # # You probably want to have a few spare threads around, # so that high-load situations can be handled immediately. If you # don't have any spare threads, then the request handling will # be delayed while a new thread is created, and added to the pool. # # You probably don't want too many spare threads around, # otherwise they'll be sitting there taking up resources, and # not doing anything productive. # # The numbers given below should be adequate for most situations. # thread pool { # Number of servers to start initially --- should be a reasonable # ballpark figure. start_servers = 5 # Limit on the total number of servers running. # # If this limit is ever reached, clients will be LOCKED OUT, so it # should NOT BE SET TOO LOW. It is intended mainly as a brake to # keep a runaway server from taking the system with it as it spirals # down... # # You may find that the server is regularly reaching the # 'max_servers' number of threads, and that increasing # 'max_servers' doesn't seem to make much difference. # # If this is the case, then the problem is MOST LIKELY that # your back-end databases are taking too long to respond, and # are preventing the server from responding in a timely manner. # # The solution is NOT do keep increasing the 'max_servers' # value, but instead to fix the underlying cause of the # problem: slow database, or 'hostname_lookups=yes'. # # For more information, see 'max_request_time', above. # max_servers = 32 # Server-pool size regulation. Rather than making you guess # how many servers you need, FreeRADIUS dynamically adapts to # the load it sees, that is, it tries to maintain enough # servers to handle the current load, plus a few spare # servers to handle transient load spikes. # # It does this by periodically checking how many servers are # waiting for a request. If there are fewer than # min_spare_servers, it creates a new spare. If there are # more than max_spare_servers, some of the spares die off. # The default values are probably OK for most sites. # min_spare_servers = 3 max_spare_servers = 10 # When the server receives a packet, it places it onto an # internal queue, where the worker threads (configured above) # pick it up for processing. The maximum size of that queue # is given here. # # When the queue is full, any new packets will be silently # discarded. # # The most common cause of the queue being full is that the # server is dependent on a slow database, and it has received # a large "spike" of traffic. When that happens, there is # very little you can do other than make sure the server # receives less traffic, or make sure that the database can # handle the load. # # max_queue_size = 65536 # There may be memory leaks or resource allocation problems with # the server. If so, set this value to 300 or so, so that the # resources will be cleaned up periodically. # # This should only be necessary if there are serious bugs in the # server which have not yet been fixed. # # '0' is a special value meaning 'infinity', or 'the servers never # exit' max_requests_per_server = 0 # Automatically limit the number of accounting requests. # This configuration item tracks how many requests per second # the server can handle. It does this by tracking the # packets/s received by the server for processing, and # comparing that to the packets/s handled by the child # threads. # # If the received PPS is larger than the processed PPS, *and* # the queue is more than half full, then new accounting # requests are probabilistically discarded. This lowers the # number of packets that the server needs to process. Over # time, the server will "catch up" with the traffic. # # Throwing away accounting packets is usually safe and low # impact. The NAS will retransmit them in a few seconds, or # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 # to see how accounting packets should be retransmitted. Using # any other method is likely to cause network meltdowns. # auto_limit_acct = no } ###################################################################### # # SNMP notifications. Uncomment the following line to enable # snmptraps. Note that you MUST also configure the full path # to the "snmptrap" command in the "trigger.conf" file. # #$INCLUDE trigger.conf # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. # modules { # # Each module has a configuration as follows: # # name [ instance ] { # config_item = value # ... # } # # The 'name' is used to load the 'rlm_name' library # which implements the functionality of the module. # # The 'instance' is optional. To have two different instances # of a module, it first must be referred to by 'name'. # The different copies of the module are then created by # inventing two 'instance' names, e.g. 'instance1' and 'instance2' # # The instance names can then be used in later configuration # INSTEAD of the original 'name'. See the 'radutmp' configuration # for an example. # # # As of 3.0, modules are in mods-enabled/. Files matching # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are # initialized ONLY if they are referenced in a processing # section, such as authorize, authenticate, accounting, # pre/post-proxy, etc. # $INCLUDE mods-enabled/ } # Instantiation # # This section orders the loading of the modules. Modules # listed here will get loaded BEFORE the later sections like # authorize, authenticate, etc. get examined. # # This section is not strictly needed. When a section like # authorize refers to a module, it's automatically loaded and # initialized. However, some modules may not be listed in any # of the following sections, so they can be listed here. # # Also, listing modules here ensures that you have control over # the order in which they are initialized. If one module needs # something defined by another module, you can list them in order # here, and ensure that the configuration will be OK. # # After the modules listed here have been loaded, all of the modules # in the "mods-enabled" directory will be loaded. Loading the # "mods-enabled" directory means that unlike Version 2, you usually # don't need to list modules here. # instantiate { # # We list the counter module here so that it registers # the check_name attribute before any module which sets # it # daily # subsections here can be thought of as "virtual" modules. # # e.g. If you have two redundant SQL servers, and you want to # use them in the authorize and accounting sections, you could # place a "redundant" block in each section, containing the # exact same text. Or, you could uncomment the following # lines, and list "redundant_sql" in the authorize and # accounting sections. # #redundant redundant_sql { # sql1 # sql2 #} } ###################################################################### # # Policies are virtual modules, similar to those defined in the # "instantiate" section above. # # Defining a policy in one of the policy.d files means that it can be # referenced in multiple places as a *name*, rather than as a series of # conditions to match, and actions to take. # # Policies are something like subroutines in a normal language, but # they cannot be called recursively. They MUST be defined in order. # If policy A calls policy B, then B MUST be defined before A. # ###################################################################### policy { $INCLUDE policy.d/ } ###################################################################### # # Load virtual servers. # # This next $INCLUDE line loads files in the directory that # match the regular expression: /[a-zA-Z0-9_.]+/ # # It allows you to define new virtual servers simply by placing # a file into the raddb/sites-enabled/ directory. # $INCLUDE sites-enabled/ ###################################################################### # # All of the other configuration sections like "authorize {}", # "authenticate {}", "accounting {}", have been moved to the # the file: # # raddb/sites-available/default # # This is the "default" virtual server that has the same # configuration as in version 1.0.x and 1.1.x. The default # installation enables this virtual server. You should # edit it to create policies for your local site. # # For more documentation on virtual servers, see: # # raddb/sites-available/README # ######################################################################
On Dec 31, 2017, at 8:43 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 1/01/2018, at 2:36 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
radiusd: FreeRADIUS Version 3.0.13, for host x86_64-redhat-linux-gnu, built on Aug 23 2017 at 15:18:22 FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT
Jeremy
On Dec 31, 2017, at 8:32 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
<snip>
What is correct_escapes set to in your radiusd.conf file?
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 1/01/2018, at 2:50 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
I don’t see any reference to this in that file.
Full file below.
<snip> I think you have a radiusd.conf from an older version of FreeRADIUS, this has been in the radiusd.conf file since 3.0.5. I would strongly recommend that you figure out whether you really do have a clean install - how are you installing FreeRADIUS? The default unless it is configured is false. Set it to true and it should work - don’t do that for anything more than a quick test, though. As I say, go through and figure out if you really do have a clean 3.0.13 install. Perhaps you installed < 3.0.5 then upgraded and there’s a radiusd.rpmnew or something kicking around? I’d suggest installing 3.0.13 from scratch, and avoiding an upgrade. Perhaps your “clean” install wasn’t on a fresh system, but was rather you removing (or thinking you were removing) FreeRADIUS, then reinstalling it again? If so, between the removal and the reinstall steps, make sure you remove all the config. -- Nathan Ward
Ok so this is correct the version that gets distributed with RHEL is 3.0.4 which was installed when the system was deployed and was updated to 3.0.13 as that is the current release within the system. So now I have two questions based on this and the work that I have put in while continuing to work on this issue: 1. Is it common practice to have to destroy the configurations for FR updates? I would seem this could become an issue to put everything back in the configuration files if we can’t upgrade one from version to the next. Is there a utility that is included to account for these types of issues so that FR doesn’t need to “redeployed” repeatedly? 2. Putting in that missing statement, at least for testing, seem to get this moving forward for a bit not all the way. I was able to get the "radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123” to work as well as a eapol_test mschapv2 test to work so at least I can connect to a single directory for the moment but here is the ugly part: the client seems to stop communicating part way through the process, from reading the available resources it would seem that this can indicate a “trust” issue when the client just stops communicating. I would agree as this appears to be the case from checking the clients event viewer: Intel(R) Ethernet Connection I217-LM host/lellis.emcc.edu - - 0 327685 Explicit Eap failure received 0 I am assuming that is what is going on here anyways. So I went back and regenerated a certificate request on the FR server signed it with the appropriate OID for sever authentication, double checked the output to make sure the chain is valid and the extended uses are correct then double checked the configuration files to make sure I was pointing to the new files and tried it again, same result. So I then went to great effort to export the keys and certificates from my NPS server as I know these are trusted and working as they are currently doing the authentication and assignment for this process and put them on the FR server, same result the client generates the same error client side. So at this point I know I have a good working trust, good working certificates and a good working client when used against a known working server. So this leads me to the question, how do I verify and validate that FR is encrypting data correctly as the client seems to indicate it is not by its behavior. I could disable client validation to test but this would effect hundreds of computers in production and I don’t think I am willing to take a chance on changing that GPO. If anyone has some thoughts on this particular road block I am open to any suggestions, I am including the FR trace incase it helps inspire some thoughts. Jeremy radiusd -X FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf including configuration file /etc/raddb/mods-enabled/date including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 10.40.0.0/16 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.40.0.0/16. Please fix your configuration Support for old-style clients will be removed in a future release client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = mschap radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dhcp # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüà âæçèéêëîïôÅùûüaÿà ÃÃÃÃÃÃÃÃÃÃÃÃÃÃÃÅÃß" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=EMCC" passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_sql # Loading module "sql" from file /etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "networkaccess" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate, nasid, nasportid, stationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S', '%{NAS-Identifier}', '%{NAS-Port-ID}', '%{Calling-Station-Id}')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" } instantiate { } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/emcc/emlnx-nps1.pem" certificate_file = "/etc/raddb/certs/emcc/emlnx-nps1_short.cer" ca_file = "/etc/raddb/certs/emcc/ca.cer" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): authenticating by calling 'ntlm_auth' # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /etc/raddb/mods-enabled/sql rlm_sql_mysql: libmysql version: 5.5.56-MariaDB mysql { tls { } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "networkaccess" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'networkaccess' on Localhost via UNIX socket, server version 5.5.56-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'networkaccess' on Localhost via UNIX socket, server version 5.5.56-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'networkaccess' on Localhost via UNIX socket, server version 5.5.56-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'networkaccess' on Localhost via UNIX socket, server version 5.5.56-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'networkaccess' on Localhost via UNIX socket, server version 5.5.56-MariaDB, protocol version 10 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 58431 Listening on proxy address :: port 37446 Ready to process requests (0) Received Access-Request Id 65 from 10.40.10.30:1055 to 10.40.0.199:1812 length 161 (0) User-Name = "host/lellis.emcc.edu" (0) Service-Type = Framed-User (0) Framed-MTU = 1500 (0) NAS-IP-Address = 10.40.10.30 (0) NAS-Port-Type = Ethernet (0) NAS-Port = 295 (0) NAS-Port-Id = "2/1/39" (0) NAS-Identifier = "MH-RM221-Stack1" (0) Calling-Station-Id = "A0-48-1C-8E-94-26" (0) EAP-Message = 0x0201001901686f73742f6c656c6c69732e656d63632e656475 (0) Message-Authenticator = 0xcbbb11ec268db7d8db337af77c77e5b1 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (0) EXPAND %{User-Name} (0) --> host/lellis.emcc.edu (0) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (0) (0) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (0) (0) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (0) --> 0 (0) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 25 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x03b86a1803ba6e18 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 65 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (0) EAP-Message = 0x010200160410898a88c898c1e4ef10ebf3541db47daa (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x03b86a1803ba6e1814b763fe93032a17 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 66 from 10.40.10.30:1055 to 10.40.0.199:1812 length 160 (1) User-Name = "host/lellis.emcc.edu" (1) Service-Type = Framed-User (1) Framed-MTU = 1500 (1) NAS-IP-Address = 10.40.10.30 (1) NAS-Port-Type = Ethernet (1) NAS-Port = 295 (1) NAS-Port-Id = "2/1/39" (1) NAS-Identifier = "MH-RM221-Stack1" (1) Calling-Station-Id = "A0-48-1C-8E-94-26" (1) State = 0x03b86a1803ba6e1814b763fe93032a17 (1) EAP-Message = 0x020200060319 (1) Message-Authenticator = 0x7375aec73121e9e89e2ba0bcbf2634a1 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (1) EXPAND %{User-Name} (1) --> host/lellis.emcc.edu (1) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (1) (1) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (1) (1) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (1) --> 0 (1) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) sql: EXPAND %{User-Name} (1) sql: --> host/lellis.emcc.edu (1) sql: SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (2) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'host/lellis.emcc.edu' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'host/lellis.emcc.edu' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'host/lellis.emcc.edu' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'host/lellis.emcc.edu' ORDER BY priority (1) sql: User not found in any groups rlm_sql (sql): Released connection (2) (1) [sql] = notfound (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x03b86a1803ba6e18 (1) eap: Finished EAP session with state 0x03b86a1803ba6e18 (1) eap: Previous EAP request found for state 0x03b86a1803ba6e18, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 3 length 6 (1) eap: EAP session adding &reply:State = 0x03b86a1802bb7318 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 66 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (1) EAP-Message = 0x010300061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x03b86a1802bb731814b763fe93032a17 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 67 from 10.40.10.30:1055 to 10.40.0.199:1812 length 299 (2) User-Name = "host/lellis.emcc.edu" (2) Service-Type = Framed-User (2) Framed-MTU = 1500 (2) NAS-IP-Address = 10.40.10.30 (2) NAS-Port-Type = Ethernet (2) NAS-Port = 295 (2) NAS-Port-Id = "2/1/39" (2) NAS-Identifier = "MH-RM221-Stack1" (2) Calling-Station-Id = "A0-48-1C-8E-94-26" (2) State = 0x03b86a1802bb731814b763fe93032a17 (2) EAP-Message = 0x0203009119800000008716030100820100007e03015a4a1594608fc5e4df9fa1b507ae22267e43e622111650c56ae61820566fe12f20ba120000a297e54b0dfe946b6539031c9be736d5fe83a94b146df951d52bc669001cc014c013003900330035002fc00ac00900380032000a001300050004010000 (2) Message-Authenticator = 0x7f61613003b8dc320c141d82cfe0a47f (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (2) EXPAND %{User-Name} (2) --> host/lellis.emcc.edu (2) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (3) (2) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (3) (2) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (2) --> 0 (2) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 145 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x03b86a1802bb7318 (2) eap: Finished EAP session with state 0x03b86a1802bb7318 (2) eap: Previous EAP request found for state 0x03b86a1802bb7318, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 135 bytes (2) eap_peap: Got complete TLS record (135 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before/accept initialization (2) eap_peap: TLS_accept: before/accept initialization (2) eap_peap: <<< recv TLS 1.0 Handshake [length 0082], ClientHello (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0039], ServerHello (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0c60], Certificate (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0x03b86a1801bc7318 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 67 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (2) EAP-Message = 0x010403ec19c000000dfc1603010039020000350301af9f0ae6b1f4eef8a92de3f7ee7844da8b2002656c58b3f31bd6fb345043e61f00c01400000dff01000100000b0004030001021603010c600b000c5c000c590006d9308206d5308204bda00302010202137d00002b8a1d52bc94096a585a00000000 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x03b86a1801bc731814b763fe93032a17 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 68 from 10.40.10.30:1055 to 10.40.0.199:1812 length 160 (3) User-Name = "host/lellis.emcc.edu" (3) Service-Type = Framed-User (3) Framed-MTU = 1500 (3) NAS-IP-Address = 10.40.10.30 (3) NAS-Port-Type = Ethernet (3) NAS-Port = 295 (3) NAS-Port-Id = "2/1/39" (3) NAS-Identifier = "MH-RM221-Stack1" (3) Calling-Station-Id = "A0-48-1C-8E-94-26" (3) State = 0x03b86a1801bc731814b763fe93032a17 (3) EAP-Message = 0x020400061900 (3) Message-Authenticator = 0x1be8a4bc58b4e69f4ee5a92f13e13d20 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (3) EXPAND %{User-Name} (3) --> host/lellis.emcc.edu (3) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (4) (3) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (4) (3) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (3) --> 0 (3) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x03b86a1801bc7318 (3) eap: Finished EAP session with state 0x03b86a1801bc7318 (3) eap: Previous EAP request found for state 0x03b86a1801bc7318, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 1000 (3) eap: EAP session adding &reply:State = 0x03b86a1800bd7318 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 68 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (3) EAP-Message = 0x010503e819406461703a2f2f2f434e3d656d7372762d646f6d636572742c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d656d63632c44433d6564753f6341436572746966696361 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x03b86a1800bd731814b763fe93032a17 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 69 from 10.40.10.30:1055 to 10.40.0.199:1812 length 160 (4) User-Name = "host/lellis.emcc.edu" (4) Service-Type = Framed-User (4) Framed-MTU = 1500 (4) NAS-IP-Address = 10.40.10.30 (4) NAS-Port-Type = Ethernet (4) NAS-Port = 295 (4) NAS-Port-Id = "2/1/39" (4) NAS-Identifier = "MH-RM221-Stack1" (4) Calling-Station-Id = "A0-48-1C-8E-94-26" (4) State = 0x03b86a1800bd731814b763fe93032a17 (4) EAP-Message = 0x020500061900 (4) Message-Authenticator = 0xb231a0efd577966ae680e111f17197de (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (4) EXPAND %{User-Name} (4) --> host/lellis.emcc.edu (4) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (0) (4) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (0) (4) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (4) --> 0 (4) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x03b86a1800bd7318 (4) eap: Finished EAP session with state 0x03b86a1800bd7318 (4) eap: Previous EAP request found for state 0x03b86a1800bd7318, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 1000 (4) eap: EAP session adding &reply:State = 0x03b86a1807be7318 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 69 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (4) EAP-Message = 0x010603e819400992268993f22c640119160365647531143012060a0992268993f22c6401191604656d6363311630140603550403130d656d7372762d646f6d6365727430820222300d06092a864886f70d01010105000382020f003082020a0282020100a3edfe3d3ba457cc7881fcb294d6dda4525bbe (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x03b86a1807be731814b763fe93032a17 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 70 from 10.40.10.30:1055 to 10.40.0.199:1812 length 160 (5) User-Name = "host/lellis.emcc.edu" (5) Service-Type = Framed-User (5) Framed-MTU = 1500 (5) NAS-IP-Address = 10.40.10.30 (5) NAS-Port-Type = Ethernet (5) NAS-Port = 295 (5) NAS-Port-Id = "2/1/39" (5) NAS-Identifier = "MH-RM221-Stack1" (5) Calling-Station-Id = "A0-48-1C-8E-94-26" (5) State = 0x03b86a1807be731814b763fe93032a17 (5) EAP-Message = 0x020600061900 (5) Message-Authenticator = 0x3b0c97fff9af475f80e3de8f5f9b60fe (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (5) EXPAND %{User-Name} (5) --> host/lellis.emcc.edu (5) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (1) (5) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (1) (5) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (5) --> 0 (5) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x03b86a1807be7318 (5) eap: Finished EAP session with state 0x03b86a1807be7318 (5) eap: Previous EAP request found for state 0x03b86a1807be7318, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment (5) eap_peap: [eaptls verify] = request (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 7 length 604 (5) eap: EAP session adding &reply:State = 0x03b86a1806bf7318 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 70 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (5) EAP-Message = 0x0107025c190095563efc6a8b68d993848ffcfef14e09ff65f4313851715d81378ddeff1d1c2e3bf50670c552797095139905b94856225f4b5310548b2def3ae31ca93a937886ce9e1e8990c1353bce29c84fad1372945d45fef169a3831038648e825e023b88c313950d51b2c4a4505d90ce57f54f0a43 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x03b86a1806bf731814b763fe93032a17 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 71 from 10.40.10.30:1055 to 10.40.0.199:1812 length 160 (6) User-Name = "host/lellis.emcc.edu" (6) Service-Type = Framed-User (6) Framed-MTU = 1500 (6) NAS-IP-Address = 10.40.10.30 (6) NAS-Port-Type = Ethernet (6) NAS-Port = 295 (6) NAS-Port-Id = "2/1/39" (6) NAS-Identifier = "MH-RM221-Stack1" (6) Calling-Station-Id = "A0-48-1C-8E-94-26" (6) State = 0x03b86a1806bf731814b763fe93032a17 (6) EAP-Message = 0x020700061900 (6) Message-Authenticator = 0x50a95987912ee6bb02138c87b0f56266 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) { (6) EXPAND %{User-Name} (6) --> host/lellis.emcc.edu (6) SQL-User-Name set to 'host/lellis.emcc.edu' rlm_sql (sql): Reserved connection (2) (6) Executing select query: CALL rejecteduser('host/lellis.emcc.edu') rlm_sql (sql): Released connection (2) (6) EXPAND %{sql:CALL rejecteduser('%{User-Name}')} (6) --> 0 (6) if ("%{sql:CALL rejecteduser('%{User-Name}')}" > 0) -> FALSE (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "host/lellis.emcc.edu", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x03b86a1806bf7318 (6) eap: Finished EAP session with state 0x03b86a1806bf7318 (6) eap: Previous EAP request found for state 0x03b86a1806bf7318, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment (6) eap_peap: [eaptls verify] = request (6) eap_peap: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 8 length 6 (6) eap: EAP session adding &reply:State = 0x03b86a1805b07318 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Sent Access-Challenge Id 71 from 10.40.0.199:1812 to 10.40.10.30:1055 length 0 (6) EAP-Message = 0x010800061900 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x03b86a1805b0731814b763fe93032a17 (6) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 65 with timestamp +9 (1) Cleaning up request packet ID 66 with timestamp +9 (2) Cleaning up request packet ID 67 with timestamp +9 (3) Cleaning up request packet ID 68 with timestamp +9 (4) Cleaning up request packet ID 69 with timestamp +9 (5) Cleaning up request packet ID 70 with timestamp +9 (6) Cleaning up request packet ID 71 with timestamp +9 Ready to process requests
On Dec 31, 2017, at 10:17 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 1/01/2018, at 2:50 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
I don’t see any reference to this in that file.
Full file below.
<snip>
I think you have a radiusd.conf from an older version of FreeRADIUS, this has been in the radiusd.conf file since 3.0.5.
I would strongly recommend that you figure out whether you really do have a clean install - how are you installing FreeRADIUS?
The default unless it is configured is false. Set it to true and it should work - don’t do that for anything more than a quick test, though. As I say, go through and figure out if you really do have a clean 3.0.13 install. Perhaps you installed < 3.0.5 then upgraded and there’s a radiusd.rpmnew or something kicking around? I’d suggest installing 3.0.13 from scratch, and avoiding an upgrade. Perhaps your “clean” install wasn’t on a fresh system, but was rather you removing (or thinking you were removing) FreeRADIUS, then reinstalling it again? If so, between the removal and the reinstall steps, make sure you remove all the config.
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
On 2/01/2018, at 1:38 AM, Martin, Jeremy <jmartin@emcc.edu> wrote:
Ok so this is correct the version that gets distributed with RHEL is 3.0.4 which was installed when the system was deployed and was updated to 3.0.13 as that is the current release within the system. So now I have two questions based on this and the work that I have put in while continuing to work on this issue:
1. Is it common practice to have to destroy the configurations for FR updates? I would seem this could become an issue to put everything back in the configuration files if we can’t upgrade one from version to the next. Is there a utility that is included to account for these types of issues so that FR doesn’t need to “redeployed” repeatedly?
You can use whatever configuration management system you’re comfortable with to manage the config. I use Puppet. Others use other things, including copying tar balls of config around. As you’re on RHEL, when you install an RPM and there is a config file change, it will install an ‘rpmnew’ version of the config along side the old (current) config. When you manage RHEL boxes and you update packages, looking out for those rpmnew files and seeing if they need to be tweaked is pretty fundamental thing. Same goes for rpmsave files, but I don’t think I’ve seen the RedHat shipped FreeRADIUS packages create those. You can have a look here and see the logic for when rpmnew and rpmsave files are created in different RPM spec file situations: http://people.ds.cam.ac.uk/jw35/docs/rpm_config.html <http://people.ds.cam.ac.uk/jw35/docs/rpm_config.html> Typically, when I do an update, I’ll look at a diff between the rpm(new|save) and the config I have written. Depending on how many changes there are, there’s different approaches you can take: 1) Copy the changes from the new config to your config. 2) Re-apply your changes on top of the new config (it helps if you have git, or you use Augeas or something), and replace your config with this. This is all basic systems admin sort of stuff though - not at all specific to FreeRADIUS so probably not the right place to discuss this in detail. I don’t have any operational experience with EAP so won’t be much help with the rest of your message sorry ! -- Nathan Ward
Nathan Thanks for your input I will have to step back and think on this piece as it is honestly the first time on any package in RHEL where I have ever run into this type of thing over the last 20 years in using it so I am just a bit surprised that it came up. So I think the avenue for this once I get it solved may be to never ever update the server as we have had to implement some custom checking with the md5 portion of eap to deal with the crappy way avaya deals with the supplicant on their ip phones. So thanks again for the insight. Jeremy
On Jan 1, 2018, at 7:54 AM, Nathan Ward <lists+freeradius@daork.net> wrote:
Hi,
On 2/01/2018, at 1:38 AM, Martin, Jeremy <jmartin@emcc.edu> wrote:
Ok so this is correct the version that gets distributed with RHEL is 3.0.4 which was installed when the system was deployed and was updated to 3.0.13 as that is the current release within the system. So now I have two questions based on this and the work that I have put in while continuing to work on this issue:
1. Is it common practice to have to destroy the configurations for FR updates? I would seem this could become an issue to put everything back in the configuration files if we can’t upgrade one from version to the next. Is there a utility that is included to account for these types of issues so that FR doesn’t need to “redeployed” repeatedly?
You can use whatever configuration management system you’re comfortable with to manage the config. I use Puppet. Others use other things, including copying tar balls of config around.
As you’re on RHEL, when you install an RPM and there is a config file change, it will install an ‘rpmnew’ version of the config along side the old (current) config. When you manage RHEL boxes and you update packages, looking out for those rpmnew files and seeing if they need to be tweaked is pretty fundamental thing. Same goes for rpmsave files, but I don’t think I’ve seen the RedHat shipped FreeRADIUS packages create those.
You can have a look here and see the logic for when rpmnew and rpmsave files are created in different RPM spec file situations: http://people.ds.cam.ac.uk/jw35/docs/rpm_config.html <http://people.ds.cam.ac.uk/jw35/docs/rpm_config.html>
Typically, when I do an update, I’ll look at a diff between the rpm(new|save) and the config I have written. Depending on how many changes there are, there’s different approaches you can take: 1) Copy the changes from the new config to your config. 2) Re-apply your changes on top of the new config (it helps if you have git, or you use Augeas or something), and replace your config with this.
This is all basic systems admin sort of stuff though - not at all specific to FreeRADIUS so probably not the right place to discuss this in detail.
I don’t have any operational experience with EAP so won’t be much help with the rest of your message sorry !
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi,
Thanks for your input I will have to step back and think on this piece as it is honestly the first time on any package in RHEL where I have ever run into this type of thing over the last 20 years in using it so I am just a bit surprised that it came up. So I think the avenue for this once I get it solved may be to never ever update the server as we have had to implement some custom checking with the md5 portion of eap to deal with the crappy way avaya deals with the supplicant on their ip phones.
really? I've had it all the time with eg apache, modprobe changes, etc - my file systems are constantly populated with .rpmnew and .rpmsave files :) you shouldnt stick on a version because of a config requirement - theres always security fixes, bug fixes etc. for your custom md5 requirement you would simply have your own local module config to deal with that and not stick it into the standard files. thus making migration or upgrades easier. as noted, new configs wouldnt overwrite yours - you need to check for .rpmnew and use 'diff' etc to check for changes/updates alan
Really really. But yes I agree if there is a need then to update makes sense but largely once it is stable it will probably go untouched unless needed as there is one job per machine in most cases and this type of machine tends to sit behind a secured network were users themselves don’t interact with them and once deployed little extra functionality is needed, when it is - then we tend to look at them otherwise it gets harden and secured from users so for this type of deployment once it is up and working if it isn’t broke don’t fix it seems to be appropriate for machines that can’t be logged into or otherwise connected to by end users. But for machines such as databases and web servers etc I would agree content updates and patches are a normal procedure but I moved them from Linux to Windows just because when I started to keep track of the actual hours and updates applied it was more time efficient to patch the windows side then the linux side. Jeremy On Jan 1, 2018, at 10:03 AM, Alan Buxey <alan.buxey@gmail.com> wrote: hi, Thanks for your input I will have to step back and think on this piece as it is honestly the first time on any package in RHEL where I have ever run into this type of thing over the last 20 years in using it so I am just a bit surprised that it came up. So I think the avenue for this once I get it solved may be to never ever update the server as we have had to implement some custom checking with the md5 portion of eap to deal with the crappy way avaya deals with the supplicant on their ip phones. really? I've had it all the time with eg apache, modprobe changes, etc - my file systems are constantly populated with .rpmnew and .rpmsave files :) you shouldnt stick on a version because of a config requirement - theres always security fixes, bug fixes etc. for your custom md5 requirement you would simply have your own local module config to deal with that and not stick it into the standard files. thus making migration or upgrades easier. as noted, new configs wouldnt overwrite yours - you need to check for .rpmnew and use 'diff' etc to check for changes/updates alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, On 1 January 2018 at 12:38, Martin, Jeremy <jmartin@emcc.edu> wrote:
Ok so this is correct the version that gets distributed with RHEL is 3.0.4 which was installed when the system was deployed and was updated to 3.0.13 as that is the current release within the system. So now I have two questions based on this and the work that I have put in while continuing to work on this issue:
1. Is it common practice to have to destroy the configurations for FR updates? I would seem this could become an issue to put everything back in the configuration files if we can’t upgrade one from version to the next. Is there a utility that is included to account for these types of issues so that FR doesn’t need to “redeployed” repeatedly?
for 2.x to 2.x or 3.x to 3.x no - but for 2.x to 3.x yes, you need to start with new config and make your changes to the new config to match what the old 2.x did - the same will be true for 4.x (from 2.x or from 3.x!) note, however, that if you you do a 3.x to 3.x upgrade, there may be new features/methods/options etc options that wont be in your old config...i always keep a copy of the vanilla source configs to use as a reference. I also avoid, where possible, using the default files (apart from the main radiusd.conf etc - for the virtual machines, make your own copies, change/modify and use those.... then use the default/inner etc as reference guides... nicely left in sites-available/ - do the same for modules that you need to heavily customise. define your OWN policy.d file and use that for local requirements - dont adjust the provided ones (they just have useful templates and basic things ready for best practice - use those as is :) )
2. Putting in that missing statement, at least for testing, seem to get this moving forward for a bit not all the way. I was able to get the "radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123” to work as well as a eapol_test mschapv2 test to work so at least I can connect to a single directory for the moment but here is the ugly part: the client seems to stop communicating part way through the process, from reading the available resources it would seem that this can indicate a “trust” issue when the client just stops communicating. I would agree as this appears to be the case from checking the clients event viewer:
Intel(R) Ethernet Connection I217-LM host/lellis.emcc.edu - - 0 327685 Explicit Eap failure received 0
I am assuming that is what is going on here anyways. So I went back and regenerated a certificate request on the FR server signed it with the appropriate OID for sever authentication, double checked the output to make sure the chain is valid and the extended uses are correct then double checked the configuration files to make sure I was pointing to the new files and tried it again, same result. So I then went to great effort to export the keys and certificates from my NPS server as I know these are trusted and working as they are currently doing the authentication and assignment for this process and put them on the FR server, same result the client generates the same error client side.
firstly, you will need the right certs for the job on your RADIUS server if it is terminating EAP - and you will need to ensure that the client has the relevant/trusted root (and intermediates if you are not serving those from the FR server) installed in the relevant place for that client....eg machine trusted root store - this will be the same for any RADIUS server you use..its the basics of EAP and RADIUS
So at this point I know I have a good working trust, good working certificates and a good working client when used against a known working server. So this leads me to the question, how do I verify and validate that FR is encrypting data correctly as the client seems to indicate it is not by its behavior. I could disable client validation to test but this would effect hundreds of computers in production and I don’t think I am willing to take a chance on changing that GPO.
?? please explain what you meab - there is no option in EAP to not encrypt the data - the data will be, by its TLS nature, encrypted between the client and the server that is terminating EAP what behaviour on the client are you talking about? your debug output shows an EAP conversation that doesnt complete - hanging on the challenge repsonse part. alan
Allan So at this point I am beyond certain that I have valid certificates and that those are trusted. The ca is the ca for the domain and the server certificate has the correct oid attributes to support the authentication, they paths on the server have been verified and as previously mentioned I have even used certs from my Windows NPS server on this server to make sure trust and certs were good. I think there is little disagreement that the issues on the challenge response part as comparing the trace and the event log of the client has the client generating the “Explicit Eap failure received”. When I mentioned disabling validation on the client I am referring to the need for the client to validate the trust of the certificates being used by the server i.e under the clients 802.1x profile on the security tab, properties and then the “Verify the server’s identity by validating the certificate”. In this case I know the certificate I have specified is valid and issued from a trusted ca, my question really is how to I validate that FR is actually using the certificate and is generating valid data using the specified certificate as the behavior of the client seems to indicate that it is not as I know the following: 1. The behavior of the client is correct using NPS 2. The client has a trust of the ca 3. The FR certificates validate against the ca 4. When viewing the certificate of FR on the client (file copy) the certificate indicates that it is trusted and has the correct extended use attributes 5. The client has the same behavior against FR when both) A. the certificates created for FR or; B) the certificates and private key from NPS are loaded on the FR are used I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS. I just had a thought that perhaps FR didn’t have permission to read the certificates in the folder but I just checked that and it does: so that is not it. I know we have the radtest and eapol_test just wondering if there is a utility for verifying encrypted data FR is sending so I can track down where the issue is as I have pretty much eliminated the client by all available means thus far, which just leaves me one place - FR. Again thanks for the time and attention. Jeremy
On Jan 1, 2018, at 8:32 AM, Alan Buxey <alan.buxey@gmail.com> wrote:
hi,
On 1 January 2018 at 12:38, Martin, Jeremy <jmartin@emcc.edu> wrote:
Ok so this is correct the version that gets distributed with RHEL is 3.0.4 which was installed when the system was deployed and was updated to 3.0.13 as that is the current release within the system. So now I have two questions based on this and the work that I have put in while continuing to work on this issue:
1. Is it common practice to have to destroy the configurations for FR updates? I would seem this could become an issue to put everything back in the configuration files if we can’t upgrade one from version to the next. Is there a utility that is included to account for these types of issues so that FR doesn’t need to “redeployed” repeatedly?
for 2.x to 2.x or 3.x to 3.x no - but for 2.x to 3.x yes, you need to start with new config and make your changes to the new config to match what the old 2.x did - the same will be true for 4.x (from 2.x or from 3.x!)
note, however, that if you you do a 3.x to 3.x upgrade, there may be new features/methods/options etc options that wont be in your old config...i always keep a copy of the vanilla source configs to use as a reference. I also avoid, where possible, using the default files (apart from the main radiusd.conf etc - for the virtual machines, make your own copies, change/modify and use those.... then use the default/inner etc as reference guides... nicely left in sites-available/ - do the same for modules that you need to heavily customise. define your OWN policy.d file and use that for local requirements - dont adjust the provided ones (they just have useful templates and basic things ready for best practice - use those as is :) )
2. Putting in that missing statement, at least for testing, seem to get this moving forward for a bit not all the way. I was able to get the "radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123” to work as well as a eapol_test mschapv2 test to work so at least I can connect to a single directory for the moment but here is the ugly part: the client seems to stop communicating part way through the process, from reading the available resources it would seem that this can indicate a “trust” issue when the client just stops communicating. I would agree as this appears to be the case from checking the clients event viewer:
Intel(R) Ethernet Connection I217-LM host/lellis.emcc.edu - - 0 327685 Explicit Eap failure received 0
I am assuming that is what is going on here anyways. So I went back and regenerated a certificate request on the FR server signed it with the appropriate OID for sever authentication, double checked the output to make sure the chain is valid and the extended uses are correct then double checked the configuration files to make sure I was pointing to the new files and tried it again, same result. So I then went to great effort to export the keys and certificates from my NPS server as I know these are trusted and working as they are currently doing the authentication and assignment for this process and put them on the FR server, same result the client generates the same error client side.
firstly, you will need the right certs for the job on your RADIUS server if it is terminating EAP - and you will need to ensure that the client has the relevant/trusted root (and intermediates if you are not serving those from the FR server) installed in the relevant place for that client....eg machine trusted root store - this will be the same for any RADIUS server you use..its the basics of EAP and RADIUS
So at this point I know I have a good working trust, good working certificates and a good working client when used against a known working server. So this leads me to the question, how do I verify and validate that FR is encrypting data correctly as the client seems to indicate it is not by its behavior. I could disable client validation to test but this would effect hundreds of computers in production and I don’t think I am willing to take a chance on changing that GPO.
?? please explain what you meab - there is no option in EAP to not encrypt the data - the data will be, by its TLS nature, encrypted between the client and the server that is terminating EAP what behaviour on the client are you talking about?
your debug output shows an EAP conversation that doesnt complete - hanging on the challenge repsonse part.
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 1, 2018, at 9:04 AM, Martin, Jeremy <jmartin@emcc.edu> wrote:
So at this point I am beyond certain that I have valid certificates and that those are trusted. The ca is the ca for the domain and the server certificate has the correct oid attributes to support the authentication, they paths on the server have been verified and as previously mentioned I have even used certs from my Windows NPS server on this server to make sure trust and certs were good.
Then something else is going on. Maybe OpenSSL / TLS related?
I think there is little disagreement that the issues on the challenge response part as comparing the trace and the event log of the client has the client generating the “Explicit Eap failure received”.
The client is lying to you. If FreeRADIUS had sent an EAP failure, you would see the EAP failure in the debug log.
When I mentioned disabling validation on the client I am referring to the need for the client to validate the trust of the certificates being used by the server i.e under the clients 802.1x profile on the security tab, properties and then the “Verify the server’s identity by validating the certificate”. In this case I know the certificate I have specified is valid and issued from a trusted ca, my question really is how to I validate that FR is actually using the certificate and is generating valid data using the specified certificate
If it's the only certificate you configured in FreeRADIUS... FreeRADIUS is using it. As for "generating valid data", that's a larger problem. The TLS portions of EAP-TLS or PEAP is implemented by OpenSSL. It has more code than FreeRADIUS. It's also full of what can only be described as TLS magic... There are a LOT of things going on in TLS. FreeRADIUS tells you all of that in the debug log. Windows doesn't. So people blame FreeRADIUS.
as the behavior of the client seems to indicate that it is not as I know the following:
1. The behavior of the client is correct using NPS 2. The client has a trust of the ca 3. The FR certificates validate against the ca 4. When viewing the certificate of FR on the client (file copy) the certificate indicates that it is trusted and has the correct extended use attributes 5. The client has the same behavior against FR when both) A. the certificates created for FR or; B) the certificates and private key from NPS are loaded on the FR are used
Then it's a TLS / OpenSSL issue. Try disabling tls 1.2. That might help. There have been a lot of interoperability issues there.
I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate
EAP doesn't use host names. FreeRADIUS doesn't care about certificate names matching host names.
and you can’t specify a non matched certificate to be used in NPS.
I just had a thought that perhaps FR didn’t have permission to read the certificates in the folder but I just checked that and it does: so that is not it.
If it didn't have permission to read the certs, you would see that in the debug output.
I know we have the radtest and eapol_test just wondering if there is a utility for verifying encrypted data FR is sending so I can track down where the issue is as I have pretty much eliminated the client by all available means thus far, which just leaves me one place - FR.
Or OpenSSL. Which implements *all* of the TLS stack. We just implement EAP, and link to / use the TLS bits. TBH, I'd try using 3.0.15, which has other fixes over 3.0.13. And, disable tls 1.2. See raddb/mods-available/eap in newer versions of the server. Alan DeKok.
hi,
So at this point I am beyond certain that I have valid certificates and that those are trusted. The ca is the ca for the domain and the server certificate has the correct oid attributes to support the authentication, they paths on the server have been verified and as previously mentioned I have even used certs from my Windows NPS server on this server to make sure trust and certs were good.
if FR starts up, doesnt complain or chuck errors about certs (and in the debug output you will see the file its reading) then the issue lies elsewhere - could be an OpenSSL issue, could be that the openssl libraries are not negotiating with your client correctly
I think there is little disagreement that the issues on the challenge response part as comparing the trace and the event log of the client has the client generating the “Explicit Eap failure received”. When I mentioned disabling validation on the client I am referring to the need for the client to validate the trust of the certificates being used by the server i.e under the clients 802.1x profile on the security tab, properties and then the “Verify the server’s identity by validating the certificate”. In this case I know the certificate I have specified is valid and issued from a trusted ca, my question really is how to I validate that FR is actually using the certificate and is generating valid data using the specified certificate as the behavior of the client seems to indicate that it is not as I know the following:
okay - easy check here - use the eapol_test (its part of the wpa_supplicant package) - FreeRADIUS comes with example files to use with eapol_test (in the src/tests directory of the main source code archive) take the relevant one - eg the PEAP test, modify to your requirements and then use eapol_test with the local server cert saving option - you will then see whats going on eg with eapol_test running on the FR server itself eapol_test -c eap-peap.conf -s testing123 -h localhost -o ca_cert.pem (arguments might not be quite correct...this is from memory and last time i used that command was a couple of months back) now read/check that ca_cert.pem (openssl x509 -in ca_cert.pem -noout -text )
4. When viewing the certificate of FR on the client (file copy) the certificate indicates that it is trusted and has the correct extended use attributes
which store?
I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS.
note that host name has nothing to do with cert name in RADIUS/EAP world - its just a certificate that is being presented to the client which is checked locally for basic things - unlike eg web (HTTPS) where DNS etc is used to check things match. its usually a quite basic/overlooked thing that causes these initial issues.....then you just carry on and forget about the issue until something similar hits you the next time you create a server ;-) alan
Alan Great I info I will grab the files from the source online and run the eapol_test. Not sure what you mean by: which store? And finally:
I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS.
note that host name has nothing to do with cert name in RADIUS/EAP world - its just a certificate that is being presented to the client which is checked locally for basic things - unlike eg web (HTTPS) where DNS etc is used to check things match.
its usually a quite basic/overlooked thing that causes these initial issues.....then you just carry on and forget about the issue until something similar hits you the next time you create a server ;-)
Correct, that is why I tried the NPS cert on FR, was just stating that I can't try the FR cert on NPS. Here's to hopping that this is not an openssl or openssl library issue as pretty much means I am going to be stuck with two different types of radius servers but will hopefully know more after some additional testing that you provided. Thanks Jeremy -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Monday, January 1, 2018 10:10 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: AD Auth Question hi,
So at this point I am beyond certain that I have valid certificates and that those are trusted. The ca is the ca for the domain and the server certificate has the correct oid attributes to support the authentication, they paths on the server have been verified and as previously mentioned I have even used certs from my Windows NPS server on this server to make sure trust and certs were good.
if FR starts up, doesnt complain or chuck errors about certs (and in the debug output you will see the file its reading) then the issue lies elsewhere - could be an OpenSSL issue, could be that the openssl libraries are not negotiating with your client correctly
I think there is little disagreement that the issues on the challenge response part as comparing the trace and the event log of the client has the client generating the “Explicit Eap failure received”. When I mentioned disabling validation on the client I am referring to the need for the client to validate the trust of the certificates being used by the server i.e under the clients 802.1x profile on the security tab, properties and then the “Verify the server’s identity by validating the certificate”. In this case I know the certificate I have specified is valid and issued from a trusted ca, my question really is how to I validate that FR is actually using the certificate and is generating valid data using the specified certificate as the behavior of the client seems to indicate that it is not as I know the following:
okay - easy check here - use the eapol_test (its part of the wpa_supplicant package) - FreeRADIUS comes with example files to use with eapol_test (in the src/tests directory of the main source code archive) take the relevant one - eg the PEAP test, modify to your requirements and then use eapol_test with the local server cert saving option - you will then see whats going on eg with eapol_test running on the FR server itself eapol_test -c eap-peap.conf -s testing123 -h localhost -o ca_cert.pem (arguments might not be quite correct...this is from memory and last time i used that command was a couple of months back) now read/check that ca_cert.pem (openssl x509 -in ca_cert.pem -noout -text )
4. When viewing the certificate of FR on the client (file copy) the certificate indicates that it is trusted and has the correct extended use attributes
which store?
I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS.
note that host name has nothing to do with cert name in RADIUS/EAP world - its just a certificate that is being presented to the client which is checked locally for basic things - unlike eg web (HTTPS) where DNS etc is used to check things match. its usually a quite basic/overlooked thing that causes these initial issues.....then you just carry on and forget about the issue until something similar hits you the next time you create a server ;-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
Martin, Jeremy -
Nathan Ward