Incorrect username being registered by freeradius
Hi everyone, My freeradius (FreeRADIUS Version 3.0.12) sometimes accept users and logs at postgre some username that just don’t exist at Active Directory. I just couldn’t debug and stopped at dead end now. Here to illustrate: Mon Jun 22 18:35:06 2020 : Auth: (82485) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 0 via TLS tunnel) Mon Jun 22 18:35:06 2020 : Auth: (82486) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 2 cli E0-5F-45-###) -[ RECORD 1 ]------+--------------------------------- radacctid | 5993772 acctsessionid | 38ED2133-00000040 acctuniqueid | 2e3edbe1aa2069c36ac67cf96384219c username | e05f4588a57d groupname | realm | nasipaddress | 10.34.27.223 nasportid | 2 nasporttype | Wireless-802.11 acctstarttime | 2020-06-22 18:35:05-03 acctupdatetime | 2020-06-22 18:35:05-03 acctstoptime | 2020-06-22 18:35:05-03 Mon Jun 22 19:04:09 2020 : Auth: (89109) Login OK: [flaviol] (from client AP-SD2-A07-Q04 port 0 via TLS tunnel) Mon Jun 22 19:04:09 2020 : Auth: (89111) Login OK: [flaviol] (from client AP-SD2-A07-Q04 port 1 cli E0-5F-45-###) -[ RECORD 1 ]------+--------------------------------- radacctid | 5994474 acctsessionid | 38FCC022-00000000 acctuniqueid | c980c8b18ff062712f838541c50d9d83 username | flaviol realm | nasipaddress | 10.34.58.220 nasportid | 1 nasporttype | Wireless-802.11 acctstarttime | 2020-06-22 19:04:09-03 acctupdatetime | 2020-06-22 19:04:11-03 acctstoptime | 2020-06-22 19:04:11-03 Both entries are from the same device (same MAC address), received Login OK, but the first one got that string as username. Client is not the same. But there is a lot of entries with the correct username for that client. The odd thing is when it happens, the same string appears to the that user all the time. For other user, a different string appears and it will be always the same. Sorry, but this is a difficult problem to explain... Even the title of thread was difficult to choose =[ Anyway, can anyone help me debug this problem? # lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 9.12 (stretch) Release: 9.12 Codename: stretch # dpkg -l freeradius Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-========================-=================-=================-===================================================== ii freeradius 3.0.12+dfsg-5+deb amd64 high-performance and highly configurable RADIUS serve # =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.22 22:51:13 =~=~=~=~=~=~=~=~=~=~=~= freeradius -X FreeRADIUS Version 3.0.12 Copyright (C) 1999-2016 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/date including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/replicate including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/control-socket including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/status main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 204800 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = NTLM_AUTH # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Acct-Type = Status-Server # Creating Autz-Type = Status-Server radiusd: #### Instantiating modules #### modules { # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "notice" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "notice" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 204800 } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_date # Loading module "date" from file /etc/freeradius/3.0/mods-enabled/date date { format = "%a, %d-%m-%Y %H:%M:%S" } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MPDFT --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_postgresql" server = "localhost" port = 5432 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL" simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}" type { accounting-on { query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp" } accounting-off { query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp" } start { query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)" } interim-update { query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL" } stop { query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))" } } rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" ntlm_auth_username = "username: %{mschap:User-Name}" ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}" } allow_retry = yes } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate instantiate { # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime } # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject /etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". /etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql postgresql { send_application_name = no } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius' Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13108 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius' Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13109 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius' Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13110 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius' Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13111 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius' Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13112 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 179 , fields = 6 rlm_sql (sql): Adding client 10.34.158.220 (AP-AGC-A03-220) to global clients list rlm_sql (10.34.158.220): Client "AP-AGC-A03-220" (sql) added rlm_sql (sql): Adding client 10.34.158.221 (AP-AGC-A03-221) to global clients list rlm_sql (10.34.158.221): Client "AP-AGC-A03-221" (sql) added rlm_sql (sql): Adding client 10.35.93.224 (AP-BR2-A01-Q01) to global clients list rlm_sql (10.35.93.224): Client "AP-BR2-A01-Q01" (sql) added rlm_sql (sql): Adding client 10.35.93.225 (AP-BR2-A01-Q02) to global clients list rlm_sql (10.35.93.225): Client "AP-BR2-A01-Q02" (sql) added rlm_sql (sql): Adding client 10.35.93.226 (AP-BR2-A01-Q03) to global clients list rlm_sql (10.35.93.226): Client "AP-BR2-A01-Q03" (sql) added rlm_sql (sql): Adding client 10.35.93.227 (AP-BR2-A01-Q04) to global clients list rlm_sql (10.35.93.227): Client "AP-BR2-A01-Q04" (sql) added rlm_sql (sql): Adding client 10.35.93.228 (AP-BR2-A02-Q01) to global clients list rlm_sql (10.35.93.228): Client "AP-BR2-A02-Q01" (sql) added rlm_sql (sql): Adding client 10.35.93.229 (AP-BR2-A02-Q02) to global clients list rlm_sql (10.35.93.229): Client "AP-BR2-A02-Q02" (sql) added rlm_sql (sql): Adding client 10.35.93.230 (AP-BR2-A02-Q03) to global clients list rlm_sql (10.35.93.230): Client "AP-BR2-A02-Q03" (sql) added rlm_sql (sql): Adding client 10.35.93.231 (AP-BR2-A02-Q04) to global clients list rlm_sql (10.35.93.231): Client "AP-BR2-A02-Q04" (sql) added rlm_sql (sql): Adding client 10.35.93.223 (AP-BR2-TER-223) to global clients list rlm_sql (10.35.93.223): Client "AP-BR2-TER-223" (sql) added rlm_sql (sql): Adding client 10.35.93.221 (AP-BR2-TER-Q02) to global clients list rlm_sql (10.35.93.221): Client "AP-BR2-TER-Q02" (sql) added rlm_sql (sql): Adding client 10.35.93.222 (AP-BR2-TER-Q03) to global clients list rlm_sql (10.35.93.222): Client "AP-BR2-TER-Q03" (sql) added rlm_sql (sql): Adding client 10.34.82.220 (AP-BRZ-TER-220) to global clients list rlm_sql (10.34.82.220): Client "AP-BRZ-TER-220" (sql) added rlm_sql (sql): Adding client 10.34.82.221 (AP-BRZ-TER-221) to global clients list rlm_sql (10.34.82.221): Client "AP-BRZ-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.82.222 (AP-BRZ-TER-222) to global clients list rlm_sql (10.34.82.222): Client "AP-BRZ-TER-222" (sql) added rlm_sql (sql): Adding client 10.34.87.220 (AP-CEI-A01-220) to global clients list rlm_sql (10.34.87.220): Client "AP-CEI-A01-220" (sql) added rlm_sql (sql): Adding client 10.34.87.222 (AP-CEI-A01-222) to global clients list rlm_sql (10.34.87.222): Client "AP-CEI-A01-222" (sql) added rlm_sql (sql): Adding client 10.34.87.224 (AP-CEI-SUB-224) to global clients list rlm_sql (10.34.87.224): Client "AP-CEI-SUB-224" (sql) added rlm_sql (sql): Adding client 10.34.87.221 (AP-CEI-TER-221) to global clients list rlm_sql (10.34.87.221): Client "AP-CEI-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.87.223 (AP-CEI-TER-223) to global clients list rlm_sql (10.34.87.223): Client "AP-CEI-TER-223" (sql) added rlm_sql (sql): Adding client 10.34.92.225 (AP-CRI-A01-225) to global clients list rlm_sql (10.34.92.225): Client "AP-CRI-A01-225" (sql) added rlm_sql (sql): Adding client 10.34.92.226 (AP-CRI-A01-226) to global clients list rlm_sql (10.34.92.226): Client "AP-CRI-A01-226" (sql) added rlm_sql (sql): Adding client 10.34.92.223 (AP-CRI-A02-223) to global clients list rlm_sql (10.34.92.223): Client "AP-CRI-A02-223" (sql) added rlm_sql (sql): Adding client 10.34.92.227 (AP-CRI-A02-227) to global clients list rlm_sql (10.34.92.227): Client "AP-CRI-A02-227" (sql) added rlm_sql (sql): Adding client 10.34.92.234 (AP-CRI-A02-234) to global clients list rlm_sql (10.34.92.234): Client "AP-CRI-A02-234" (sql) added rlm_sql (sql): Adding client 10.34.97.221 (AP-GAM-A01-221) to global clients list rlm_sql (10.34.97.221): Client "AP-GAM-A01-221" (sql) added rlm_sql (sql): Adding client 10.34.97.223 (AP-GAM-A01-223) to global clients list rlm_sql (10.34.97.223): Client "AP-GAM-A01-223" (sql) added rlm_sql (sql): Adding client 10.34.97.220 (AP-GAM-SUB-220) to global clients list rlm_sql (10.34.97.220): Client "AP-GAM-SUB-220" (sql) added rlm_sql (sql): Adding client 10.34.97.222 (AP-GAM-TER-222) to global clients list rlm_sql (10.34.97.222): Client "AP-GAM-TER-222" (sql) added rlm_sql (sql): Adding client 10.34.102.220 (AP-GAR-A01-220) to global clients list rlm_sql (10.34.102.220): Client "AP-GAR-A01-220" (sql) added rlm_sql (sql): Adding client 10.34.117.221 (AP-INF-A01-221) to global clients list rlm_sql (10.34.117.221): Client "AP-INF-A01-221" (sql) added rlm_sql (sql): Adding client 10.34.117.222 (AP-INF-A01-222) to global clients list rlm_sql (10.34.117.222): Client "AP-INF-A01-222" (sql) added rlm_sql (sql): Adding client 10.34.121.100 (AP-INF-SUB-121) to global clients list rlm_sql (10.34.121.100): Client "AP-INF-SUB-121" (sql) added rlm_sql (sql): Adding client 10.34.117.224 (AP-INF-SUB-224) to global clients list rlm_sql (10.34.117.224): Client "AP-INF-SUB-224" (sql) added rlm_sql (sql): Adding client 10.34.117.225 (AP-INF-SUB-225) to global clients list rlm_sql (10.34.117.225): Client "AP-INF-SUB-225" (sql) added rlm_sql (sql): Adding client 10.34.117.220 (AP-INF-TER-220) to global clients list rlm_sql (10.34.117.220): Client "AP-INF-TER-220" (sql) added rlm_sql (sql): Adding client 10.34.117.223 (AP-INF-TER-223) to global clients list rlm_sql (10.34.117.223): Client "AP-INF-TER-223" (sql) added rlm_sql (sql): Adding client 10.34.177.220 (AP-NAI-A01-220) to global clients list rlm_sql (10.34.177.220): Client "AP-NAI-A01-220" (sql) added rlm_sql (sql): Adding client 10.34.127.221 (AP-PAR-A01-221) to global clients list rlm_sql (10.34.127.221): Client "AP-PAR-A01-221" (sql) added rlm_sql (sql): Adding client 10.34.127.224 (AP-PAR-A01-224) to global clients list rlm_sql (10.34.127.224): Client "AP-PAR-A01-224" (sql) added rlm_sql (sql): Adding client 10.34.127.223 (AP-PAR-SUB-223) to global clients list rlm_sql (10.34.127.223): Client "AP-PAR-SUB-223" (sql) added rlm_sql (sql): Adding client 10.34.127.225 (AP-PAR-SUB-225) to global clients list rlm_sql (10.34.127.225): Client "AP-PAR-SUB-225" (sql) added rlm_sql (sql): Adding client 10.34.127.220 (AP-PAR-TER-220) to global clients list rlm_sql (10.34.127.220): Client "AP-PAR-TER-220" (sql) added rlm_sql (sql): Adding client 10.34.127.222 (AP-PAR-TER-222) to global clients list rlm_sql (10.34.127.222): Client "AP-PAR-TER-222" (sql) added rlm_sql (sql): Adding client 10.34.132.222 (AP-PLA-A01-222) to global clients list rlm_sql (10.34.132.222): Client "AP-PLA-A01-222" (sql) added rlm_sql (sql): Adding client 10.34.132.223 (AP-PLA-A01-223) to global clients list rlm_sql (10.34.132.223): Client "AP-PLA-A01-223" (sql) added rlm_sql (sql): Adding client 10.34.132.224 (AP-PLA-SUB-224) to global clients list rlm_sql (10.34.132.224): Client "AP-PLA-SUB-224" (sql) added rlm_sql (sql): Adding client 10.34.132.220 (AP-PLA-TER-220) to global clients list rlm_sql (10.34.132.220): Client "AP-PLA-TER-220" (sql) added rlm_sql (sql): Adding client 10.34.132.221 (AP-PLA-TER-221) to global clients list rlm_sql (10.34.132.221): Client "AP-PLA-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.187.222 (AP-REM-A01-222) to global clients list rlm_sql (10.34.187.222): Client "AP-REM-A01-222" (sql) added rlm_sql (sql): Adding client 10.34.187.223 (AP-REM-A01-223) to global clients list rlm_sql (10.34.187.223): Client "AP-REM-A01-223" (sql) added rlm_sql (sql): Adding client 10.34.187.220 (AP-REM-SUB-220) to global clients list rlm_sql (10.34.187.220): Client "AP-REM-SUB-220" (sql) added rlm_sql (sql): Adding client 10.34.187.221 (AP-REM-TER-221) to global clients list rlm_sql (10.34.187.221): Client "AP-REM-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.137.223 (AP-SAM-A01-223) to global clients list rlm_sql (10.34.137.223): Client "AP-SAM-A01-223" (sql) added rlm_sql (sql): Adding client 10.34.137.224 (AP-SAM-A01-224) to global clients list rlm_sql (10.34.137.224): Client "AP-SAM-A01-224" (sql) added rlm_sql (sql): Adding client 10.34.137.222 (AP-SAM-SUB-222) to global clients list rlm_sql (10.34.137.222): Client "AP-SAM-SUB-222" (sql) added rlm_sql (sql): Adding client 10.34.137.225 (AP-SAM-SUB-225) to global clients list rlm_sql (10.34.137.225): Client "AP-SAM-SUB-225" (sql) added rlm_sql (sql): Adding client 10.34.137.226 (AP-SAM-SUB-226) to global clients list rlm_sql (10.34.137.226): Client "AP-SAM-SUB-226" (sql) added rlm_sql (sql): Adding client 10.34.137.220 (AP-SAM-TER-220) to global clients list rlm_sql (10.34.137.220): Client "AP-SAM-TER-220" (sql) added rlm_sql (sql): Adding client 10.34.137.221 (AP-SAM-TER-221) to global clients list rlm_sql (10.34.137.221): Client "AP-SAM-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.9.222 (AP-SD1-A01-Q01) to global clients list rlm_sql (10.34.9.222): Client "AP-SD1-A01-Q01" (sql) added rlm_sql (sql): Adding client 10.34.9.223 (AP-SD1-A01-Q02) to global clients list rlm_sql (10.34.9.223): Client "AP-SD1-A01-Q02" (sql) added rlm_sql (sql): Adding client 10.34.9.220 (AP-SD1-A01-Q03) to global clients list rlm_sql (10.34.9.220): Client "AP-SD1-A01-Q03" (sql) added rlm_sql (sql): Adding client 10.34.9.221 (AP-SD1-A01-Q04) to global clients list rlm_sql (10.34.9.221): Client "AP-SD1-A01-Q04" (sql) added rlm_sql (sql): Adding client 10.34.12.222 (AP-SD1-A02-Q01) to global clients list rlm_sql (10.34.12.222): Client "AP-SD1-A02-Q01" (sql) added rlm_sql (sql): Adding client 10.34.12.223 (AP-SD1-A02-Q02) to global clients list rlm_sql (10.34.12.223): Client "AP-SD1-A02-Q02" (sql) added rlm_sql (sql): Adding client 10.34.12.220 (AP-SD1-A02-Q03) to global clients list rlm_sql (10.34.12.220): Client "AP-SD1-A02-Q03" (sql) added rlm_sql (sql): Adding client 10.34.12.221 (AP-SD1-A02-Q04) to global clients list rlm_sql (10.34.12.221): Client "AP-SD1-A02-Q04" (sql) added rlm_sql (sql): Adding client 10.34.15.221 (AP-SD1-A03-Q01) to global clients list rlm_sql (10.34.15.221): Client "AP-SD1-A03-Q01" (sql) added rlm_sql (sql): Adding client 10.34.15.220 (AP-SD1-A03-Q02) to global clients list rlm_sql (10.34.15.220): Client "AP-SD1-A03-Q02" (sql) added rlm_sql (sql): Adding client 10.34.15.223 (AP-SD1-A03-Q03) to global clients list rlm_sql (10.34.15.223): Client "AP-SD1-A03-Q03" (sql) added rlm_sql (sql): Adding client 10.34.15.222 (AP-SD1-A03-Q04) to global clients list rlm_sql (10.34.15.222): Client "AP-SD1-A03-Q04" (sql) added rlm_sql (sql): Adding client 10.34.18.222 (AP-SD1-A04-Q01) to global clients list rlm_sql (10.34.18.222): Client "AP-SD1-A04-Q01" (sql) added rlm_sql (sql): Adding client 10.34.18.223 (AP-SD1-A04-Q02) to global clients list rlm_sql (10.34.18.223): Client "AP-SD1-A04-Q02" (sql) added rlm_sql (sql): Adding client 10.34.18.220 (AP-SD1-A04-Q03) to global clients list rlm_sql (10.34.18.220): Client "AP-SD1-A04-Q03" (sql) added rlm_sql (sql): Adding client 10.34.21.223 (AP-SD1-A05-Q01) to global clients list rlm_sql (10.34.21.223): Client "AP-SD1-A05-Q01" (sql) added rlm_sql (sql): Adding client 10.34.21.222 (AP-SD1-A05-Q02) to global clients list rlm_sql (10.34.21.222): Client "AP-SD1-A05-Q02" (sql) added rlm_sql (sql): Adding client 10.34.21.221 (AP-SD1-A05-Q03) to global clients list rlm_sql (10.34.21.221): Client "AP-SD1-A05-Q03" (sql) added rlm_sql (sql): Adding client 10.34.21.220 (AP-SD1-A05-Q04) to global clients list rlm_sql (10.34.21.220): Client "AP-SD1-A05-Q04" (sql) added rlm_sql (sql): Adding client 10.34.24.223 (AP-SD1-A06-Q01) to global clients list rlm_sql (10.34.24.223): Client "AP-SD1-A06-Q01" (sql) added rlm_sql (sql): Adding client 10.34.24.222 (AP-SD1-A06-Q02) to global clients list rlm_sql (10.34.24.222): Client "AP-SD1-A06-Q02" (sql) added rlm_sql (sql): Adding client 10.34.24.221 (AP-SD1-A06-Q03) to global clients list rlm_sql (10.34.24.221): Client "AP-SD1-A06-Q03" (sql) added rlm_sql (sql): Adding client 10.34.24.220 (AP-SD1-A06-Q04) to global clients list rlm_sql (10.34.24.220): Client "AP-SD1-A06-Q04" (sql) added rlm_sql (sql): Adding client 10.34.27.220 (AP-SD1-A07-Q01) to global clients list rlm_sql (10.34.27.220): Client "AP-SD1-A07-Q01" (sql) added rlm_sql (sql): Adding client 10.34.27.221 (AP-SD1-A07-Q02) to global clients list rlm_sql (10.34.27.221): Client "AP-SD1-A07-Q02" (sql) added rlm_sql (sql): Adding client 10.34.27.222 (AP-SD1-A07-Q03) to global clients list rlm_sql (10.34.27.222): Client "AP-SD1-A07-Q03" (sql) added rlm_sql (sql): Adding client 10.34.27.223 (AP-SD1-A07-Q04) to global clients list rlm_sql (10.34.27.223): Client "AP-SD1-A07-Q04" (sql) added rlm_sql (sql): Adding client 10.34.30.220 (AP-SD1-A08-Q01) to global clients list rlm_sql (10.34.30.220): Client "AP-SD1-A08-Q01" (sql) added rlm_sql (sql): Adding client 10.34.30.221 (AP-SD1-A08-Q02) to global clients list rlm_sql (10.34.30.221): Client "AP-SD1-A08-Q02" (sql) added rlm_sql (sql): Adding client 10.34.30.222 (AP-SD1-A08-Q03) to global clients list rlm_sql (10.34.30.222): Client "AP-SD1-A08-Q03" (sql) added rlm_sql (sql): Adding client 10.34.30.223 (AP-SD1-A08-Q04) to global clients list rlm_sql (10.34.30.223): Client "AP-SD1-A08-Q04" (sql) added rlm_sql (sql): Adding client 10.34.33.221 (AP-SD1-A09-Q01) to global clients list rlm_sql (10.34.33.221): Client "AP-SD1-A09-Q01" (sql) added rlm_sql (sql): Adding client 10.34.33.220 (AP-SD1-A09-Q02) to global clients list rlm_sql (10.34.33.220): Client "AP-SD1-A09-Q02" (sql) added rlm_sql (sql): Adding client 10.34.33.222 (AP-SD1-A09-Q03) to global clients list rlm_sql (10.34.33.222): Client "AP-SD1-A09-Q03" (sql) added rlm_sql (sql): Adding client 10.34.33.223 (AP-SD1-A09-Q04) to global clients list rlm_sql (10.34.33.223): Client "AP-SD1-A09-Q04" (sql) added rlm_sql (sql): Adding client 10.34.7.220 (AP-SD1-MEZ-220) to global clients list rlm_sql (10.34.7.220): Client "AP-SD1-MEZ-220" (sql) added rlm_sql (sql): Adding client 10.34.5.220 (AP-SD1-SUB-Q02) to global clients list rlm_sql (10.34.5.220): Client "AP-SD1-SUB-Q02" (sql) added rlm_sql (sql): Adding client 10.34.5.223 (AP-SD1-SUB-Q03) to global clients list rlm_sql (10.34.5.223): Client "AP-SD1-SUB-Q03" (sql) added rlm_sql (sql): Adding client 10.34.5.222 (AP-SD1-SUB-Q04) to global clients list rlm_sql (10.34.5.222): Client "AP-SD1-SUB-Q04" (sql) added rlm_sql (sql): Adding client 10.34.7.221 (AP-SD1-TER-221) to global clients list rlm_sql (10.34.7.221): Client "AP-SD1-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.7.222 (AP-SD1-TER-222) to global clients list rlm_sql (10.34.7.222): Client "AP-SD1-TER-222" (sql) added rlm_sql (sql): Adding client 10.34.7.223 (AP-SD1-TER-223) to global clients list rlm_sql (10.34.7.223): Client "AP-SD1-TER-223" (sql) added rlm_sql (sql): Adding client 10.34.7.224 (AP-SD1-TER-224) to global clients list rlm_sql (10.34.7.224): Client "AP-SD1-TER-224" (sql) added rlm_sql (sql): Adding client 10.34.40.222 (AP-SD2-A01-Q01) to global clients list rlm_sql (10.34.40.222): Client "AP-SD2-A01-Q01" (sql) added rlm_sql (sql): Adding client 10.34.40.223 (AP-SD2-A01-Q02) to global clients list rlm_sql (10.34.40.223): Client "AP-SD2-A01-Q02" (sql) added rlm_sql (sql): Adding client 10.34.40.221 (AP-SD2-A01-Q03) to global clients list rlm_sql (10.34.40.221): Client "AP-SD2-A01-Q03" (sql) added rlm_sql (sql): Adding client 10.34.40.220 (AP-SD2-A01-Q04) to global clients list rlm_sql (10.34.40.220): Client "AP-SD2-A01-Q04" (sql) added rlm_sql (sql): Adding client 10.34.43.222 (AP-SD2-A02-Q01) to global clients list rlm_sql (10.34.43.222): Client "AP-SD2-A02-Q01" (sql) added rlm_sql (sql): Adding client 10.34.43.223 (AP-SD2-A02-Q02) to global clients list rlm_sql (10.34.43.223): Client "AP-SD2-A02-Q02" (sql) added rlm_sql (sql): Adding client 10.34.43.221 (AP-SD2-A02-Q03) to global clients list rlm_sql (10.34.43.221): Client "AP-SD2-A02-Q03" (sql) added rlm_sql (sql): Adding client 10.34.43.220 (AP-SD2-A02-Q04) to global clients list rlm_sql (10.34.43.220): Client "AP-SD2-A02-Q04" (sql) added rlm_sql (sql): Adding client 10.34.46.222 (AP-SD2-A03-Q01) to global clients list rlm_sql (10.34.46.222): Client "AP-SD2-A03-Q01" (sql) added rlm_sql (sql): Adding client 10.34.46.223 (AP-SD2-A03-Q02) to global clients list rlm_sql (10.34.46.223): Client "AP-SD2-A03-Q02" (sql) added rlm_sql (sql): Adding client 10.34.46.221 (AP-SD2-A03-Q03) to global clients list rlm_sql (10.34.46.221): Client "AP-SD2-A03-Q03" (sql) added rlm_sql (sql): Adding client 10.34.46.220 (AP-SD2-A03-Q04) to global clients list rlm_sql (10.34.46.220): Client "AP-SD2-A03-Q04" (sql) added rlm_sql (sql): Adding client 10.34.49.222 (AP-SD2-A04-Q01) to global clients list rlm_sql (10.34.49.222): Client "AP-SD2-A04-Q01" (sql) added rlm_sql (sql): Adding client 10.34.49.223 (AP-SD2-A04-Q02) to global clients list rlm_sql (10.34.49.223): Client "AP-SD2-A04-Q02" (sql) added rlm_sql (sql): Adding client 10.34.49.221 (AP-SD2-A04-Q03) to global clients list rlm_sql (10.34.49.221): Client "AP-SD2-A04-Q03" (sql) added rlm_sql (sql): Adding client 10.34.49.220 (AP-SD2-A04-Q04) to global clients list rlm_sql (10.34.49.220): Client "AP-SD2-A04-Q04" (sql) added rlm_sql (sql): Adding client 10.34.52.222 (AP-SD2-A05-Q01) to global clients list rlm_sql (10.34.52.222): Client "AP-SD2-A05-Q01" (sql) added rlm_sql (sql): Adding client 10.34.52.223 (AP-SD2-A05-Q02) to global clients list rlm_sql (10.34.52.223): Client "AP-SD2-A05-Q02" (sql) added rlm_sql (sql): Adding client 10.34.52.221 (AP-SD2-A05-Q03) to global clients list rlm_sql (10.34.52.221): Client "AP-SD2-A05-Q03" (sql) added rlm_sql (sql): Adding client 10.34.52.220 (AP-SD2-A05-Q04) to global clients list rlm_sql (10.34.52.220): Client "AP-SD2-A05-Q04" (sql) added rlm_sql (sql): Adding client 10.34.55.222 (AP-SD2-A06-Q01) to global clients list rlm_sql (10.34.55.222): Client "AP-SD2-A06-Q01" (sql) added rlm_sql (sql): Adding client 10.34.55.223 (AP-SD2-A06-Q02) to global clients list rlm_sql (10.34.55.223): Client "AP-SD2-A06-Q02" (sql) added rlm_sql (sql): Adding client 10.34.55.221 (AP-SD2-A06-Q03) to global clients list rlm_sql (10.34.55.221): Client "AP-SD2-A06-Q03" (sql) added rlm_sql (sql): Adding client 10.34.55.220 (AP-SD2-A06-Q04) to global clients list rlm_sql (10.34.55.220): Client "AP-SD2-A06-Q04" (sql) added rlm_sql (sql): Adding client 10.34.58.222 (AP-SD2-A07-Q01) to global clients list rlm_sql (10.34.58.222): Client "AP-SD2-A07-Q01" (sql) added rlm_sql (sql): Adding client 10.34.58.223 (AP-SD2-A07-Q02) to global clients list rlm_sql (10.34.58.223): Client "AP-SD2-A07-Q02" (sql) added rlm_sql (sql): Adding client 10.34.58.221 (AP-SD2-A07-Q03) to global clients list rlm_sql (10.34.58.221): Client "AP-SD2-A07-Q03" (sql) added rlm_sql (sql): Adding client 10.34.58.220 (AP-SD2-A07-Q04) to global clients list rlm_sql (10.34.58.220): Client "AP-SD2-A07-Q04" (sql) added rlm_sql (sql): Adding client 10.34.61.222 (AP-SD2-A08-Q01) to global clients list rlm_sql (10.34.61.222): Client "AP-SD2-A08-Q01" (sql) added rlm_sql (sql): Adding client 10.34.61.223 (AP-SD2-A08-Q02) to global clients list rlm_sql (10.34.61.223): Client "AP-SD2-A08-Q02" (sql) added rlm_sql (sql): Adding client 10.34.61.221 (AP-SD2-A08-Q03) to global clients list rlm_sql (10.34.61.221): Client "AP-SD2-A08-Q03" (sql) added rlm_sql (sql): Adding client 10.34.61.220 (AP-SD2-A08-Q04) to global clients list rlm_sql (10.34.61.220): Client "AP-SD2-A08-Q04" (sql) added rlm_sql (sql): Adding client 10.34.64.222 (AP-SD2-A09-Q01) to global clients list rlm_sql (10.34.64.222): Client "AP-SD2-A09-Q01" (sql) added rlm_sql (sql): Adding client 10.34.64.223 (AP-SD2-A09-Q02) to global clients list rlm_sql (10.34.64.223): Client "AP-SD2-A09-Q02" (sql) added rlm_sql (sql): Adding client 10.34.64.221 (AP-SD2-A09-Q03) to global clients list rlm_sql (10.34.64.221): Client "AP-SD2-A09-Q03" (sql) added rlm_sql (sql): Adding client 10.34.64.220 (AP-SD2-A09-Q04) to global clients list rlm_sql (10.34.64.220): Client "AP-SD2-A09-Q04" (sql) added rlm_sql (sql): Adding client 10.34.38.221 (AP-SD2-MEZ-Q01) to global clients list rlm_sql (10.34.38.221): Client "AP-SD2-MEZ-Q01" (sql) added rlm_sql (sql): Adding client 10.34.38.220 (AP-SD2-MEZ-Q04) to global clients list rlm_sql (10.34.38.220): Client "AP-SD2-MEZ-Q04" (sql) added rlm_sql (sql): Adding client 10.34.36.219 (AP-SD2-S02-Q01) to global clients list rlm_sql (10.34.36.219): Client "AP-SD2-S02-Q01" (sql) added rlm_sql (sql): Adding client 10.34.36.220 (AP-SD2-SUB-220) to global clients list rlm_sql (10.34.36.220): Client "AP-SD2-SUB-220" (sql) added rlm_sql (sql): Adding client 10.34.36.222 (AP-SD2-TER-Q02) to global clients list rlm_sql (10.34.36.222): Client "AP-SD2-TER-Q02" (sql) added rlm_sql (sql): Adding client 10.34.36.221 (AP-SD2-TER-Q03) to global clients list rlm_sql (10.34.36.221): Client "AP-SD2-TER-Q03" (sql) added rlm_sql (sql): Adding client 10.34.36.224 (AP-SD2-TER-Q04) to global clients list rlm_sql (10.34.36.224): Client "AP-SD2-TER-Q04" (sql) added rlm_sql (sql): Adding client 10.34.147.219 (AP-SEB-A01-219) to global clients list rlm_sql (10.34.147.219): Client "AP-SEB-A01-219" (sql) added rlm_sql (sql): Adding client 10.34.147.222 (AP-SEB-A01-222) to global clients list rlm_sql (10.34.147.222): Client "AP-SEB-A01-222" (sql) added rlm_sql (sql): Adding client 10.34.147.224 (AP-SEB-A01-224) to global clients list rlm_sql (10.34.147.224): Client "AP-SEB-A01-224" (sql) added rlm_sql (sql): Adding client 10.34.147.225 (AP-SEB-A01-225) to global clients list rlm_sql (10.34.147.225): Client "AP-SEB-A01-225" (sql) added rlm_sql (sql): Adding client 10.34.147.223 (AP-SEB-SUB-223) to global clients list rlm_sql (10.34.147.223): Client "AP-SEB-SUB-223" (sql) added rlm_sql (sql): Adding client 10.34.147.227 (AP-SEB-SUB-227) to global clients list rlm_sql (10.34.147.227): Client "AP-SEB-SUB-227" (sql) added rlm_sql (sql): Adding client 10.34.147.218 (AP-SEB-TER-218) to global clients list rlm_sql (10.34.147.218): Client "AP-SEB-TER-218" (sql) added rlm_sql (sql): Adding client 10.34.147.220 (AP-SEB-TER-220) to global clients list rlm_sql (10.34.147.220): Client "AP-SEB-TER-220" (sql) added rlm_sql (sql): Adding client 10.34.147.221 (AP-SEB-TER-221) to global clients list rlm_sql (10.34.147.221): Client "AP-SEB-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.147.226 (AP-SEB-TER-226) to global clients list rlm_sql (10.34.147.226): Client "AP-SEB-TER-226" (sql) added rlm_sql (sql): Adding client 10.34.152.219 (AP-SOB-A02-219) to global clients list rlm_sql (10.34.152.219): Client "AP-SOB-A02-219" (sql) added rlm_sql (sql): Adding client 10.34.152.221 (AP-SOB-TER-221) to global clients list rlm_sql (10.34.152.221): Client "AP-SOB-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.142.220 (AP-STA-A01-220) to global clients list rlm_sql (10.34.142.220): Client "AP-STA-A01-220" (sql) added rlm_sql (sql): Adding client 10.34.142.223 (AP-STA-A01-223) to global clients list rlm_sql (10.34.142.223): Client "AP-STA-A01-223" (sql) added rlm_sql (sql): Adding client 10.34.142.222 (AP-STA-SUB-222) to global clients list rlm_sql (10.34.142.222): Client "AP-STA-SUB-222" (sql) added rlm_sql (sql): Adding client 10.34.142.221 (AP-STA-TER-221) to global clients list rlm_sql (10.34.142.221): Client "AP-STA-TER-221" (sql) added rlm_sql (sql): Adding client 10.34.157.220 (AP-TAG-A01-220) to global clients list rlm_sql (10.34.157.220): Client "AP-TAG-A01-220" (sql) added rlm_sql (sql): Adding client 10.34.157.221 (AP-TAG-A01-221) to global clients list rlm_sql (10.34.157.221): Client "AP-TAG-A01-221" (sql) added rlm_sql (sql): Adding client 10.34.157.224 (AP-TAG-SUB-224) to global clients list rlm_sql (10.34.157.224): Client "AP-TAG-SUB-224" (sql) added rlm_sql (sql): Adding client 10.34.157.223 (AP-TAG-TER-223) to global clients list rlm_sql (10.34.157.223): Client "AP-TAG-TER-223" (sql) added rlm_sql (sql): Adding client 10.34.182.220 (AP-TJ-GUA-220) to global clients list rlm_sql (10.34.182.220): Client "AP-TJ-GUA-220" (sql) added rlm_sql (sql): Adding client 10.34.157.222 (AP-TAG-TER-222) to global clients list rlm_sql (10.34.157.222): Client "AP-TAG-TER-222" (sql) added rlm_sql (sql): Adding client 10.34.240.20 (nagios) to global clients list rlm_sql (10.34.240.20): Client "nagios" (sql) added rlm_sql (sql): Adding client 10.34.241.56 (nagios2) to global clients list rlm_sql (10.34.241.56): Client "nagios2" (sql) added rlm_sql (sql): Adding client 10.34.173.10 (nagiosCont) to global clients list rlm_sql (10.34.173.10): Client "nagiosCont" (sql) added rlm_sql (sql): Adding client 10.34.5.221 (AP-SD1-SUB-Q01) to global clients list rlm_sql (10.34.5.221): Client "AP-SD1-SUB-Q01" (sql) added rlm_sql (sql): Adding client 10.35.93.220 (AP-BR2-S01-220) to global clients list rlm_sql (10.35.93.220): Client "AP-BR2-S01-220" (sql) added rlm_sql (sql): Adding client 10.34.152.220 (AP-SOB-A01-220) to global clients list rlm_sql (10.34.152.220): Client "AP-SOB-A01-220" (sql) added rlm_sql (sql): Adding client 10.35.36.201 (AP-SD2-S02-201) to global clients list rlm_sql (10.35.36.201): Client "AP-SD2-S02-201" (sql) added rlm_sql (sql): Adding client 10.34.97.219 (AP-GAM-S01-219) to global clients list rlm_sql (10.34.97.219): Client "AP-GAM-S01-219" (sql) added rlm_sql (sql): Adding client 10.34.97.224 (AP-GAM-TER-224) to global clients list rlm_sql (10.34.97.224): Client "AP-GAM-TER-224" (sql) added rlm_sql (sql): Adding client 10.34.36.223 (AP-SD2-S01-Q01) to global clients list rlm_sql (10.34.36.223): Client "AP-SD2-S01-Q01" (sql) added rlm_sql (sql): Released connection (0) rlm_sql (sql): Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius' Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13113 # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 retry_delay = 30 spread = no } rlm_mschap (mschap): Opening additional connection (0), 1 of 32 pending slots used rlm_mschap (mschap): Opening additional connection (1), 1 of 31 pending slots used rlm_mschap (mschap): Opening additional connection (2), 1 of 30 pending slots used rlm_mschap (mschap): Opening additional connection (3), 1 of 29 pending slots used rlm_mschap (mschap): Opening additional connection (4), 1 of 28 pending slots used rlm_mschap (mschap): authenticating directly to winbind # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail rlm_detail (detail): 'User-Password' suppressed, will not appear in detail output } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel server status { # from file /etc/freeradius/3.0/sites-enabled/status # Loading authorize {...} } # server status radiusd: #### Opening IP addresses and Ports #### listen { type = "control" listen { socket = "/var/run/freeradius/freeradius.sock" mode = "rw" peercred = yes } } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "status" ipaddr = 127.0.0.1 port = 18121 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } } Listening on command file /var/run/freeradius/freeradius.sock Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on status address 127.0.0.1 port 18121 bound to server status Listening on proxy address * port 54845 Listening on proxy address :: port 40154 Ready to process requests
On Jun 22, 2020, at 10:04 PM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
Hi everyone,
My freeradius (FreeRADIUS Version 3.0.12) sometimes accept users and logs at postgre some username that just don’t exist at Active Directory. I just couldn’t debug and stopped at dead end now.
FreeRADIUS doesn't accept *any* users by default. So if it accepts a user name, it's because your local system is configured to accept them.
Here to illustrate: Mon Jun 22 18:35:06 2020 : Auth: (82485) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 0 via TLS tunnel) Mon Jun 22 18:35:06 2020 : Auth: (82486) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 2 cli E0-5F-45-###) -[ RECORD 1 ]------+--------------------------------- radacctid | 5993772 acctsessionid | 38ED2133-00000040 acctuniqueid | 2e3edbe1aa2069c36ac67cf96384219c username | e05f4588a57d
That looks like a MAC address.
Both entries are from the same device (same MAC address),
So what's the MAC address?
received Login OK, but the first one got that string as username. Client is not the same. But there is a lot of entries with the correct username for that client. The odd thing is when it happens, the same string appears to the that user all the time. For other user, a different string appears and it will be always the same.
Yes, likely because it's the MAC address of the device.
Sorry, but this is a difficult problem to explain... Even the title of thread was difficult to choose =[ Anyway, can anyone help me debug this problem?
# lsb_release -a
None of that matters.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.22 22:51:13 =~=~=~=~=~=~=~=~=~=~=~= freeradius -X ... Ready to process requests
And... nothing. How can we debug the server when you don't provide debug logs? Read this: http://wiki.freeradius.org/list-help Alan DeKok.
Thanks for anwaring, Alan, you were right: that is his MAC Address. Sorry for that missing debug... I had just restarted server and lost all logs. Until this moment, no mac address appeared at radacct table, so I don’t have debug for that yet. For this, if I may ask, why user is registered in radacct table with mac address but in radius log appears his real username? And this one here, that is NOT a mac address: [local]:5432 radius@radius=> select * from radacct where radacctid = '6000795'; -[ RECORD 1 ]------+--------------------------------- radacctid | 6000795 acctsessionid | 38EBA713-00000041 acctuniqueid | 6b521bf17a61aa914f0f67b33c558e07 username | 347117 groupname | realm | nasipaddress | 10.34.15.221 nasportid | 2 nasporttype | Wireless-802.11 acctstarttime | 2020-06-23 11:18:40-03 acctupdatetime | 2020-06-23 11:18:40-03 acctstoptime | acctinterval | acctsessiontime | 0 acctauthentic | RADIUS connectinfo_start | CONNECT 54Mbps 802.11g connectinfo_stop | acctinputoctets | 0 acctoutputoctets | 0 calledstationid | 5C-D9-98-14-37-48:MPDFT callingstationid | 48-49-C7-71-79-66 acctterminatecause | servicetype | framedprotocol | framedipaddress | Time: 4.267 ms [local]:5432 radius@radius=> Reading debug, real login is "luciana.nogueira" Here the debug log for this entry: =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~= grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log (49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151 (49257) User-Name = "347117" (49257) NAS-IP-Address = 10.34.15.221 (49257) NAS-Port = 2 (49257) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49257) Calling-Station-Id = "48-49-C7-71-79-66" (49257) Framed-MTU = 1400 (49257) NAS-Port-Type = Wireless-802.11 (49257) Connect-Info = "CONNECT 54Mbps 802.11g" (49257) EAP-Message = 0x0200000b01333437313137 (49257) Message-Authenticator = 0x05d29ff74e6c4903b1ab83208153a6ad (49257) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49257) authorize { (49257) policy filter_username { (49257) if (&User-Name) { (49257) if (&User-Name) -> TRUE (49257) if (&User-Name) { (49257) if (&User-Name != "%{tolower:%{User-Name}}") { (49257) EXPAND %{tolower:%{User-Name}} (49257) --> 347117 (49257) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49257) if (&User-Name =~ / /) { (49257) if (&User-Name =~ / /) -> FALSE (49257) if (&User-Name =~ /@[^@]*@/ ) { (49257) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49257) if (&User-Name =~ /\.\./ ) { (49257) if (&User-Name =~ /\.\./ ) -> FALSE (49257) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49257) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49257) if (&User-Name =~ /\.$/) { (49257) if (&User-Name =~ /\.$/) -> FALSE (49257) if (&User-Name =~ /@\./) { (49257) if (&User-Name =~ /@\./) -> FALSE (49257) } # if (&User-Name) = notfound (49257) } # policy filter_username = notfound (49257) [preprocess] = ok (49257) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49257) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49257) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49257) auth_log: EXPAND %t (49257) auth_log: --> Tue Jun 23 11:18:40 2020 (49257) [auth_log] = ok (49257) [chap] = noop (49257) [mschap] = noop (49257) [digest] = noop (49257) suffix: Checking for suffix after "@" (49257) suffix: No '@' in User-Name = "347117", looking up realm NULL (49257) suffix: No such realm "NULL" (49257) [suffix] = noop (49257) eap: Peer sent EAP Response (code 2) ID 0 length 11 (49257) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (49257) [eap] = ok (49257) } # authorize = ok (49257) Found Auth-Type = eap (49257) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49257) authenticate { (49257) eap: Peer sent packet with method EAP Identity (1) (49257) eap: Calling submodule eap_md5 to process data (49257) eap_md5: Issuing MD5 Challenge (49257) eap: Sending EAP Request (code 1) ID 1 length 22 (49257) eap: EAP session adding &reply:State = 0x343264483433605b (49257) [eap] = handled (49257) } # authenticate = handled (49257) Using Post-Auth-Type Challenge (49257) Post-Auth-Type sub-section not found. Ignoring. (49257) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49257) Sent Access-Challenge Id 151 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49257) EAP-Message = 0x010100160410f293b8de33b4c8cebe98befea9b4bfc6 (49257) Message-Authenticator = 0x00000000000000000000000000000000 (49257) State = 0x343264483433605baa04a227c6849a7d (49257) Finished request (49258) Received Access-Request Id 152 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164 (49258) User-Name = "347117" (49258) NAS-IP-Address = 10.34.15.221 (49258) NAS-Port = 2 (49258) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49258) Calling-Station-Id = "48-49-C7-71-79-66" (49258) Framed-MTU = 1400 (49258) NAS-Port-Type = Wireless-802.11 (49258) Connect-Info = "CONNECT 54Mbps 802.11g" (49258) EAP-Message = 0x020100060319 (49258) State = 0x343264483433605baa04a227c6849a7d (49258) Message-Authenticator = 0x2e74fdc7c9c9592fc2232375736fd39e (49258) session-state: No cached attributes (49258) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49258) authorize { (49258) policy filter_username { (49258) if (&User-Name) { (49258) if (&User-Name) -> TRUE (49258) if (&User-Name) { (49258) if (&User-Name != "%{tolower:%{User-Name}}") { (49258) EXPAND %{tolower:%{User-Name}} (49258) --> 347117 (49258) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49258) if (&User-Name =~ / /) { (49258) if (&User-Name =~ / /) -> FALSE (49258) if (&User-Name =~ /@[^@]*@/ ) { (49258) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49258) if (&User-Name =~ /\.\./ ) { (49258) if (&User-Name =~ /\.\./ ) -> FALSE (49258) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49258) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49258) if (&User-Name =~ /\.$/) { (49258) if (&User-Name =~ /\.$/) -> FALSE (49258) if (&User-Name =~ /@\./) { (49258) if (&User-Name =~ /@\./) -> FALSE (49258) } # if (&User-Name) = notfound (49258) } # policy filter_username = notfound (49258) [preprocess] = ok (49258) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49258) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49258) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49258) auth_log: EXPAND %t (49258) auth_log: --> Tue Jun 23 11:18:40 2020 (49258) [auth_log] = ok (49258) [chap] = noop (49258) [mschap] = noop (49258) [digest] = noop (49258) suffix: Checking for suffix after "@" (49258) suffix: No '@' in User-Name = "347117", looking up realm NULL (49258) suffix: No such realm "NULL" (49258) [suffix] = noop (49258) eap: Peer sent EAP Response (code 2) ID 1 length 6 (49258) eap: No EAP Start, assuming it's an on-going EAP conversation (49258) [eap] = updated (49258) files: Failed resolving UID: No error (49258) files: Failed resolving UID: No error (49258) files: Failed resolving UID: No error (49258) files: Failed resolving UID: No error (49258) files: Failed resolving UID: No error (49258) [files] = noop (49258) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49258) sql: --> 347117 (49258) sql: SQL-User-Name set to '347117' (49258) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (49258) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '347117' ORDER BY id (49258) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '347117' ORDER BY id (49258) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (49258) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='347117' ORDER BY priority (49258) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='347117' ORDER BY priority (49258) sql: User not found in any groups (49258) [sql] = notfound (49258) [expiration] = noop (49258) [logintime] = noop (49258) if (ok) { (49258) if (ok) -> FALSE (49258) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (49258) pap: WARNING: Authentication will fail unless a "known good" password is available (49258) [pap] = noop (49258) } # authorize = updated (49258) Found Auth-Type = eap (49258) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49258) authenticate { (49258) eap: Expiring EAP session with state 0x9e6734429e602efe (49258) eap: Finished EAP session with state 0x343264483433605b (49258) eap: Previous EAP request found for state 0x343264483433605b, released from the list (49258) eap: Peer sent packet with method EAP NAK (3) (49258) eap: Found mutually acceptable type PEAP (25) (49258) eap: Calling submodule eap_peap to process data (49258) eap_peap: Initiating new EAP-TLS session (49258) eap_peap: [eaptls start] = request (49258) eap: Sending EAP Request (code 1) ID 2 length 6 (49258) eap: EAP session adding &reply:State = 0x3432644835307d5b (49258) [eap] = handled (49258) } # authenticate = handled (49258) Using Post-Auth-Type Challenge (49258) Post-Auth-Type sub-section not found. Ignoring. (49258) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49258) Sent Access-Challenge Id 152 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49258) EAP-Message = 0x010200061920 (49258) Message-Authenticator = 0x00000000000000000000000000000000 (49258) State = 0x3432644835307d5baa04a227c6849a7d (49258) Finished request (49259) Received Access-Request Id 153 from 10.34.15.221:1384 to 10.34.242.3:1812 length 326 (49259) User-Name = "347117" (49259) NAS-IP-Address = 10.34.15.221 (49259) NAS-Port = 2 (49259) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49259) Calling-Station-Id = "48-49-C7-71-79-66" (49259) Framed-MTU = 1400 (49259) NAS-Port-Type = Wireless-802.11 (49259) Connect-Info = "CONNECT 54Mbps 802.11g" (49259) EAP-Message = 0x020200a819800000009e1603010099010000950303262d96da74efd8b3abd9ea487f3eefd244880121eafd4d7ae21333a470c9fa8000003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000 (49259) State = 0x3432644835307d5baa04a227c6849a7d (49259) Message-Authenticator = 0x50041aeb08622f23641026170cf40598 (49259) session-state: No cached attributes (49259) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49259) authorize { (49259) policy filter_username { (49259) if (&User-Name) { (49259) if (&User-Name) -> TRUE (49259) if (&User-Name) { (49259) if (&User-Name != "%{tolower:%{User-Name}}") { (49259) EXPAND %{tolower:%{User-Name}} (49259) --> 347117 (49259) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49259) if (&User-Name =~ / /) { (49259) if (&User-Name =~ / /) -> FALSE (49259) if (&User-Name =~ /@[^@]*@/ ) { (49259) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49259) if (&User-Name =~ /\.\./ ) { (49259) if (&User-Name =~ /\.\./ ) -> FALSE (49259) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49259) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49259) if (&User-Name =~ /\.$/) { (49259) if (&User-Name =~ /\.$/) -> FALSE (49259) if (&User-Name =~ /@\./) { (49259) if (&User-Name =~ /@\./) -> FALSE (49259) } # if (&User-Name) = notfound (49259) } # policy filter_username = notfound (49259) [preprocess] = ok (49259) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49259) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49259) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49259) auth_log: EXPAND %t (49259) auth_log: --> Tue Jun 23 11:18:40 2020 (49259) [auth_log] = ok (49259) [chap] = noop (49259) [mschap] = noop (49259) [digest] = noop (49259) suffix: Checking for suffix after "@" (49259) suffix: No '@' in User-Name = "347117", looking up realm NULL (49259) suffix: No such realm "NULL" (49259) [suffix] = noop (49259) eap: Peer sent EAP Response (code 2) ID 2 length 168 (49259) eap: Continuing tunnel setup (49259) [eap] = ok (49259) } # authorize = ok (49259) Found Auth-Type = eap (49259) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49259) authenticate { (49259) eap: Expiring EAP session with state 0x9e6734429e602efe (49259) eap: Finished EAP session with state 0x3432644835307d5b (49259) eap: Previous EAP request found for state 0x3432644835307d5b, released from the list (49259) eap: Peer sent packet with method EAP PEAP (25) (49259) eap: Calling submodule eap_peap to process data (49259) eap_peap: Continuing EAP-TLS (49259) eap_peap: Peer indicated complete TLS record size will be 158 bytes (49259) eap_peap: Got complete TLS record (158 bytes) (49259) eap_peap: [eaptls verify] = length included (49259) eap_peap: (other): before SSL initialization (49259) eap_peap: TLS_accept: before SSL initialization (49259) eap_peap: TLS_accept: before SSL initialization (49259) eap_peap: <<< recv TLS 1.2 [length 0099] (49259) eap_peap: TLS_accept: SSLv3/TLS read client hello (49259) eap_peap: >>> send TLS 1.2 [length 003d] (49259) eap_peap: TLS_accept: SSLv3/TLS write server hello (49259) eap_peap: >>> send TLS 1.2 [length 0309] (49259) eap_peap: TLS_accept: SSLv3/TLS write certificate (49259) eap_peap: >>> send TLS 1.2 [length 014d] (49259) eap_peap: TLS_accept: SSLv3/TLS write key exchange (49259) eap_peap: >>> send TLS 1.2 [length 0004] (49259) eap_peap: TLS_accept: SSLv3/TLS write server done (49259) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (49259) eap_peap: In SSL Handshake Phase (49259) eap_peap: In SSL Accept mode (49259) eap_peap: [eaptls process] = handled (49259) eap: Sending EAP Request (code 1) ID 3 length 1004 (49259) eap: EAP session adding &reply:State = 0x3432644836317d5b (49259) [eap] = handled (49259) } # authenticate = handled (49259) Using Post-Auth-Type Challenge (49259) Post-Auth-Type sub-section not found. Ignoring. (49259) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49259) Sent Access-Challenge Id 153 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49259) EAP-Message = 0x010303ec19c0000004ab160303003d020000390303f241d7c71827a10f2a9b2a858a6aa1d49a9d9ac5b04e7214afadfd6e9e950a4500c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609 (49259) Message-Authenticator = 0x00000000000000000000000000000000 (49259) State = 0x3432644836317d5baa04a227c6849a7d (49259) Finished request (49260) Received Access-Request Id 154 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164 (49260) User-Name = "347117" (49260) NAS-IP-Address = 10.34.15.221 (49260) NAS-Port = 2 (49260) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49260) Calling-Station-Id = "48-49-C7-71-79-66" (49260) Framed-MTU = 1400 (49260) NAS-Port-Type = Wireless-802.11 (49260) Connect-Info = "CONNECT 54Mbps 802.11g" (49260) EAP-Message = 0x020300061900 (49260) State = 0x3432644836317d5baa04a227c6849a7d (49260) Message-Authenticator = 0x1f873dbabab484975e0fafe17930a45a (49260) session-state: No cached attributes (49260) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49260) authorize { (49260) policy filter_username { (49260) if (&User-Name) { (49260) if (&User-Name) -> TRUE (49260) if (&User-Name) { (49260) if (&User-Name != "%{tolower:%{User-Name}}") { (49260) EXPAND %{tolower:%{User-Name}} (49260) --> 347117 (49260) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49260) if (&User-Name =~ / /) { (49260) if (&User-Name =~ / /) -> FALSE (49260) if (&User-Name =~ /@[^@]*@/ ) { (49260) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49260) if (&User-Name =~ /\.\./ ) { (49260) if (&User-Name =~ /\.\./ ) -> FALSE (49260) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49260) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49260) if (&User-Name =~ /\.$/) { (49260) if (&User-Name =~ /\.$/) -> FALSE (49260) if (&User-Name =~ /@\./) { (49260) if (&User-Name =~ /@\./) -> FALSE (49260) } # if (&User-Name) = notfound (49260) } # policy filter_username = notfound (49260) [preprocess] = ok (49260) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49260) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49260) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49260) auth_log: EXPAND %t (49260) auth_log: --> Tue Jun 23 11:18:40 2020 (49260) [auth_log] = ok (49260) [chap] = noop (49260) [mschap] = noop (49260) [digest] = noop (49260) suffix: Checking for suffix after "@" (49260) suffix: No '@' in User-Name = "347117", looking up realm NULL (49260) suffix: No such realm "NULL" (49260) [suffix] = noop (49260) eap: Peer sent EAP Response (code 2) ID 3 length 6 (49260) eap: Continuing tunnel setup (49260) [eap] = ok (49260) } # authorize = ok (49260) Found Auth-Type = eap (49260) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49260) authenticate { (49260) eap: Expiring EAP session with state 0x9e6734429e602efe (49260) eap: Finished EAP session with state 0x3432644836317d5b (49260) eap: Previous EAP request found for state 0x3432644836317d5b, released from the list (49260) eap: Peer sent packet with method EAP PEAP (25) (49260) eap: Calling submodule eap_peap to process data (49260) eap_peap: Continuing EAP-TLS (49260) eap_peap: Peer ACKed our handshake fragment (49260) eap_peap: [eaptls verify] = request (49260) eap_peap: [eaptls process] = handled (49260) eap: Sending EAP Request (code 1) ID 4 length 207 (49260) eap: EAP session adding &reply:State = 0x3432644837367d5b (49260) [eap] = handled (49260) } # authenticate = handled (49260) Using Post-Auth-Type Challenge (49260) Post-Auth-Type sub-section not found. Ignoring. (49260) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49260) Sent Access-Challenge Id 154 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49260) EAP-Message = 0x010400cf1900305906ade17209efbcdb1498025ff3d98879761462b514b58ec19daff0e28525b8909274c327a5b9f22c77451d049714cbe1b8e95e49ff1eb91889a006f05bba93c0807640ba9eeb989f8c432facb809700019a772e41794c376b7529859d9e66686b46b10ac8917506a28b5c755f6f8b1 (49260) Message-Authenticator = 0x00000000000000000000000000000000 (49260) State = 0x3432644837367d5baa04a227c6849a7d (49260) Finished request (49261) Received Access-Request Id 155 from 10.34.15.221:1384 to 10.34.242.3:1812 length 294 (49261) User-Name = "347117" (49261) NAS-IP-Address = 10.34.15.221 (49261) NAS-Port = 2 (49261) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49261) Calling-Station-Id = "48-49-C7-71-79-66" (49261) Framed-MTU = 1400 (49261) NAS-Port-Type = Wireless-802.11 (49261) Connect-Info = "CONNECT 54Mbps 802.11g" (49261) EAP-Message = 0x0204008819800000007e1603030046100000424104e347c229d4720d030776a26d2195a9d2619346feaa947b8d43fe9fad8481577166a001a8d60a615e17594c4f5d1c555f15ad394a27ea517bd9a9ee202255842914030300010116030300280000000000000000129345887899d05232b771b7479ff7 (49261) State = 0x3432644837367d5baa04a227c6849a7d (49261) Message-Authenticator = 0x8f80e28e4efc8628917e8dcbe18e0622 (49261) session-state: No cached attributes (49261) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49261) authorize { (49261) policy filter_username { (49261) if (&User-Name) { (49261) if (&User-Name) -> TRUE (49261) if (&User-Name) { (49261) if (&User-Name != "%{tolower:%{User-Name}}") { (49261) EXPAND %{tolower:%{User-Name}} (49261) --> 347117 (49261) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49261) if (&User-Name =~ / /) { (49261) if (&User-Name =~ / /) -> FALSE (49261) if (&User-Name =~ /@[^@]*@/ ) { (49261) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49261) if (&User-Name =~ /\.\./ ) { (49261) if (&User-Name =~ /\.\./ ) -> FALSE (49261) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49261) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49261) if (&User-Name =~ /\.$/) { (49261) if (&User-Name =~ /\.$/) -> FALSE (49261) if (&User-Name =~ /@\./) { (49261) if (&User-Name =~ /@\./) -> FALSE (49261) } # if (&User-Name) = notfound (49261) } # policy filter_username = notfound (49261) [preprocess] = ok (49261) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49261) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49261) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49261) auth_log: EXPAND %t (49261) auth_log: --> Tue Jun 23 11:18:40 2020 (49261) [auth_log] = ok (49261) [chap] = noop (49261) [mschap] = noop (49261) [digest] = noop (49261) suffix: Checking for suffix after "@" (49261) suffix: No '@' in User-Name = "347117", looking up realm NULL (49261) suffix: No such realm "NULL" (49261) [suffix] = noop (49261) eap: Peer sent EAP Response (code 2) ID 4 length 136 (49261) eap: Continuing tunnel setup (49261) [eap] = ok (49261) } # authorize = ok (49261) Found Auth-Type = eap (49261) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49261) authenticate { (49261) eap: Expiring EAP session with state 0x9e6734429e602efe (49261) eap: Finished EAP session with state 0x3432644837367d5b (49261) eap: Previous EAP request found for state 0x3432644837367d5b, released from the list (49261) eap: Peer sent packet with method EAP PEAP (25) (49261) eap: Calling submodule eap_peap to process data (49261) eap_peap: Continuing EAP-TLS (49261) eap_peap: Peer indicated complete TLS record size will be 126 bytes (49261) eap_peap: Got complete TLS record (126 bytes) (49261) eap_peap: [eaptls verify] = length included (49261) eap_peap: TLS_accept: SSLv3/TLS write server done (49261) eap_peap: <<< recv TLS 1.2 [length 0046] (49261) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (49261) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (49261) eap_peap: <<< recv TLS 1.2 [length 0010] (49261) eap_peap: TLS_accept: SSLv3/TLS read finished (49261) eap_peap: >>> send TLS 1.2 [length 0001] (49261) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (49261) eap_peap: >>> send TLS 1.2 [length 0010] (49261) eap_peap: TLS_accept: SSLv3/TLS write finished (49261) eap_peap: (other): SSL negotiation finished successfully (49261) eap_peap: SSL Connection Established (49261) eap_peap: [eaptls process] = handled (49261) eap: Sending EAP Request (code 1) ID 5 length 57 (49261) eap: EAP session adding &reply:State = 0x3432644830377d5b (49261) [eap] = handled (49261) } # authenticate = handled (49261) Using Post-Auth-Type Challenge (49261) Post-Auth-Type sub-section not found. Ignoring. (49261) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49261) Sent Access-Challenge Id 155 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49261) EAP-Message = 0x01050039190014030300010116030300288ad05ce60e5ee56aa8fd940dbf64fb565398577f45d3a8687b23d15f21a95ece7c4c893f88783014 (49261) Message-Authenticator = 0x00000000000000000000000000000000 (49261) State = 0x3432644830377d5baa04a227c6849a7d (49261) Finished request (49262) Received Access-Request Id 156 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164 (49262) User-Name = "347117" (49262) NAS-IP-Address = 10.34.15.221 (49262) NAS-Port = 2 (49262) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49262) Calling-Station-Id = "48-49-C7-71-79-66" (49262) Framed-MTU = 1400 (49262) NAS-Port-Type = Wireless-802.11 (49262) Connect-Info = "CONNECT 54Mbps 802.11g" (49262) EAP-Message = 0x020500061900 (49262) State = 0x3432644830377d5baa04a227c6849a7d (49262) Message-Authenticator = 0x9a71a530fc4e39a0cda671f47b038d60 (49262) session-state: No cached attributes (49262) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49262) authorize { (49262) policy filter_username { (49262) if (&User-Name) { (49262) if (&User-Name) -> TRUE (49262) if (&User-Name) { (49262) if (&User-Name != "%{tolower:%{User-Name}}") { (49262) EXPAND %{tolower:%{User-Name}} (49262) --> 347117 (49262) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49262) if (&User-Name =~ / /) { (49262) if (&User-Name =~ / /) -> FALSE (49262) if (&User-Name =~ /@[^@]*@/ ) { (49262) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49262) if (&User-Name =~ /\.\./ ) { (49262) if (&User-Name =~ /\.\./ ) -> FALSE (49262) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49262) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49262) if (&User-Name =~ /\.$/) { (49262) if (&User-Name =~ /\.$/) -> FALSE (49262) if (&User-Name =~ /@\./) { (49262) if (&User-Name =~ /@\./) -> FALSE (49262) } # if (&User-Name) = notfound (49262) } # policy filter_username = notfound (49262) [preprocess] = ok (49262) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49262) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49262) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49262) auth_log: EXPAND %t (49262) auth_log: --> Tue Jun 23 11:18:40 2020 (49262) [auth_log] = ok (49262) [chap] = noop (49262) [mschap] = noop (49262) [digest] = noop (49262) suffix: Checking for suffix after "@" (49262) suffix: No '@' in User-Name = "347117", looking up realm NULL (49262) suffix: No such realm "NULL" (49262) [suffix] = noop (49262) eap: Peer sent EAP Response (code 2) ID 5 length 6 (49262) eap: Continuing tunnel setup (49262) [eap] = ok (49262) } # authorize = ok (49262) Found Auth-Type = eap (49262) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49262) authenticate { (49262) eap: Expiring EAP session with state 0x9e6734429e602efe (49262) eap: Finished EAP session with state 0x3432644830377d5b (49262) eap: Previous EAP request found for state 0x3432644830377d5b, released from the list (49262) eap: Peer sent packet with method EAP PEAP (25) (49262) eap: Calling submodule eap_peap to process data (49262) eap_peap: Continuing EAP-TLS (49262) eap_peap: Peer ACKed our handshake fragment. handshake is finished (49262) eap_peap: [eaptls verify] = success (49262) eap_peap: [eaptls process] = success (49262) eap_peap: Session established. Decoding tunneled attributes (49262) eap_peap: PEAP state TUNNEL ESTABLISHED (49262) eap: Sending EAP Request (code 1) ID 6 length 40 (49262) eap: EAP session adding &reply:State = 0x3432644831347d5b (49262) [eap] = handled (49262) } # authenticate = handled (49262) Using Post-Auth-Type Challenge (49262) Post-Auth-Type sub-section not found. Ignoring. (49262) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49262) Sent Access-Challenge Id 156 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49262) EAP-Message = 0x010600281900170303001d8ad05ce60e5ee56b04ae2e2e3b80438ad90309abe6117ae0e5da1b62b4 (49262) Message-Authenticator = 0x00000000000000000000000000000000 (49262) State = 0x3432644831347d5baa04a227c6849a7d (49262) Finished request (49263) Received Access-Request Id 157 from 10.34.15.221:1384 to 10.34.242.3:1812 length 210 (49263) User-Name = "347117" (49263) NAS-IP-Address = 10.34.15.221 (49263) NAS-Port = 2 (49263) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49263) Calling-Station-Id = "48-49-C7-71-79-66" (49263) Framed-MTU = 1400 (49263) NAS-Port-Type = Wireless-802.11 (49263) Connect-Info = "CONNECT 54Mbps 802.11g" (49263) EAP-Message = 0x0206003419001703030029000000000000000128fd4cc44d77dddfae0f69a41d8c6d206cad6d4b0935736eb8e7051c2e6845eeff (49263) State = 0x3432644831347d5baa04a227c6849a7d (49263) Message-Authenticator = 0x8eb9fb4fd0d08a9bab42661adcc8d699 (49263) session-state: No cached attributes (49263) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49263) authorize { (49263) policy filter_username { (49263) if (&User-Name) { (49263) if (&User-Name) -> TRUE (49263) if (&User-Name) { (49263) if (&User-Name != "%{tolower:%{User-Name}}") { (49263) EXPAND %{tolower:%{User-Name}} (49263) --> 347117 (49263) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49263) if (&User-Name =~ / /) { (49263) if (&User-Name =~ / /) -> FALSE (49263) if (&User-Name =~ /@[^@]*@/ ) { (49263) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49263) if (&User-Name =~ /\.\./ ) { (49263) if (&User-Name =~ /\.\./ ) -> FALSE (49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49263) if (&User-Name =~ /\.$/) { (49263) if (&User-Name =~ /\.$/) -> FALSE (49263) if (&User-Name =~ /@\./) { (49263) if (&User-Name =~ /@\./) -> FALSE (49263) } # if (&User-Name) = notfound (49263) } # policy filter_username = notfound (49263) [preprocess] = ok (49263) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49263) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49263) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49263) auth_log: EXPAND %t (49263) auth_log: --> Tue Jun 23 11:18:40 2020 (49263) [auth_log] = ok (49263) [chap] = noop (49263) [mschap] = noop (49263) [digest] = noop (49263) suffix: Checking for suffix after "@" (49263) suffix: No '@' in User-Name = "347117", looking up realm NULL (49263) suffix: No such realm "NULL" (49263) [suffix] = noop (49263) eap: Peer sent EAP Response (code 2) ID 6 length 52 (49263) eap: Continuing tunnel setup (49263) [eap] = ok (49263) } # authorize = ok (49263) Found Auth-Type = eap (49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49263) authenticate { (49263) eap: Expiring EAP session with state 0x9e6734429e602efe (49263) eap: Finished EAP session with state 0x3432644831347d5b (49263) eap: Previous EAP request found for state 0x3432644831347d5b, released from the list (49263) eap: Peer sent packet with method EAP PEAP (25) (49263) eap: Calling submodule eap_peap to process data (49263) eap_peap: Continuing EAP-TLS (49263) eap_peap: [eaptls verify] = ok (49263) eap_peap: Done initial handshake (49263) eap_peap: [eaptls process] = ok (49263) eap_peap: Session established. Decoding tunneled attributes (49263) eap_peap: PEAP state WAITING FOR INNER IDENTITY (49263) eap_peap: Identity - luciana.nogueira (49263) eap_peap: Got inner identity 'luciana.nogueira' (49263) eap_peap: Setting default EAP type for tunneled EAP session (49263) eap_peap: Got tunneled request (49263) eap_peap: EAP-Message = 0x02060015016c756369616e612e6e6f677565697261 (49263) eap_peap: Setting User-Name to luciana.nogueira (49263) eap_peap: Sending tunneled request to inner-tunnel (49263) eap_peap: EAP-Message = 0x02060015016c756369616e612e6e6f677565697261 (49263) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (49263) eap_peap: User-Name = "luciana.nogueira" (49263) Virtual server inner-tunnel received request (49263) EAP-Message = 0x02060015016c756369616e612e6e6f677565697261 (49263) FreeRADIUS-Proxied-To = 127.0.0.1 (49263) User-Name = "luciana.nogueira" (49263) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (49263) server inner-tunnel { (49263) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49263) authorize { (49263) policy filter_username { (49263) if (&User-Name) { (49263) if (&User-Name) -> TRUE (49263) if (&User-Name) { (49263) if (&User-Name != "%{tolower:%{User-Name}}") { (49263) EXPAND %{tolower:%{User-Name}} (49263) --> luciana.nogueira (49263) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49263) if (&User-Name =~ / /) { (49263) if (&User-Name =~ / /) -> FALSE (49263) if (&User-Name =~ /@[^@]*@/ ) { (49263) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49263) if (&User-Name =~ /\.\./ ) { (49263) if (&User-Name =~ /\.\./ ) -> FALSE (49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49263) if (&User-Name =~ /\.$/) { (49263) if (&User-Name =~ /\.$/) -> FALSE (49263) if (&User-Name =~ /@\./) { (49263) if (&User-Name =~ /@\./) -> FALSE (49263) } # if (&User-Name) = notfound (49263) } # policy filter_username = notfound (49263) [chap] = noop (49263) [mschap] = noop (49263) suffix: Checking for suffix after "@" (49263) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL (49263) suffix: No such realm "NULL" (49263) [suffix] = noop (49263) update control { (49263) &Proxy-To-Realm := LOCAL (49263) } # update control = noop (49263) eap: Peer sent EAP Response (code 2) ID 6 length 21 (49263) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (49263) [eap] = ok (49263) } # authorize = ok (49263) Found Auth-Type = eap (49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49263) authenticate { (49263) eap: Peer sent packet with method EAP Identity (1) (49263) eap: Calling submodule eap_mschapv2 to process data (49263) eap_mschapv2: Issuing Challenge (49263) eap: Sending EAP Request (code 1) ID 7 length 43 (49263) eap: EAP session adding &reply:State = 0x214671d321416b6e (49263) [eap] = handled (49263) } # authenticate = handled (49263) } # server inner-tunnel (49263) Virtual server sending reply (49263) EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132 (49263) Message-Authenticator = 0x00000000000000000000000000000000 (49263) State = 0x214671d321416b6e6c123acd822f47ac (49263) eap_peap: Got tunneled reply code 11 (49263) eap_peap: EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132 (49263) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (49263) eap_peap: State = 0x214671d321416b6e6c123acd822f47ac (49263) eap_peap: Got tunneled reply RADIUS code 11 (49263) eap_peap: EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132 (49263) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (49263) eap_peap: State = 0x214671d321416b6e6c123acd822f47ac (49263) eap_peap: Got tunneled Access-Challenge (49263) eap: Sending EAP Request (code 1) ID 7 length 74 (49263) eap: EAP session adding &reply:State = 0x3432644832357d5b (49263) [eap] = handled (49263) } # authenticate = handled (49263) Using Post-Auth-Type Challenge (49263) Post-Auth-Type sub-section not found. Ignoring. (49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49263) Sent Access-Challenge Id 157 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49263) EAP-Message = 0x0107004a1900170303003f8ad05ce60e5ee56c153fb28473439215526db8736ab97058edf5170bf7b140e9d16783b78ce6e18c1cb2d3fa04bb51df1ecdc736140a04d7d4e797dc3229c3 (49263) Message-Authenticator = 0x00000000000000000000000000000000 (49263) State = 0x3432644832357d5baa04a227c6849a7d (49263) Finished request (49264) Received Access-Request Id 158 from 10.34.15.221:1384 to 10.34.242.3:1812 length 264 (49264) User-Name = "347117" (49264) NAS-IP-Address = 10.34.15.221 (49264) NAS-Port = 2 (49264) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49264) Calling-Station-Id = "48-49-C7-71-79-66" (49264) Framed-MTU = 1400 (49264) NAS-Port-Type = Wireless-802.11 (49264) Connect-Info = "CONNECT 54Mbps 802.11g" (49264) EAP-Message = 0x0207006a1900170303005f0000000000000002d9c7a4e9ae59cfe3d90af91aa0aee002c3b4dc78422285bc88a8e33d7ffa1e58aa98f6fac7d72b4dbffe3a3b4aeccaeaa42df4ab91e78e2aeee31026e98609cd8b51b88663710a6bb29088279292a2cb18a4259c051294 (49264) State = 0x3432644832357d5baa04a227c6849a7d (49264) Message-Authenticator = 0x4b17fd5d5a9b8fd97344948d8a46de86 (49264) session-state: No cached attributes (49264) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49264) authorize { (49264) policy filter_username { (49264) if (&User-Name) { (49264) if (&User-Name) -> TRUE (49264) if (&User-Name) { (49264) if (&User-Name != "%{tolower:%{User-Name}}") { (49264) EXPAND %{tolower:%{User-Name}} (49264) --> 347117 (49264) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49264) if (&User-Name =~ / /) { (49264) if (&User-Name =~ / /) -> FALSE (49264) if (&User-Name =~ /@[^@]*@/ ) { (49264) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49264) if (&User-Name =~ /\.\./ ) { (49264) if (&User-Name =~ /\.\./ ) -> FALSE (49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49264) if (&User-Name =~ /\.$/) { (49264) if (&User-Name =~ /\.$/) -> FALSE (49264) if (&User-Name =~ /@\./) { (49264) if (&User-Name =~ /@\./) -> FALSE (49264) } # if (&User-Name) = notfound (49264) } # policy filter_username = notfound (49264) [preprocess] = ok (49264) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49264) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49264) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49264) auth_log: EXPAND %t (49264) auth_log: --> Tue Jun 23 11:18:40 2020 (49264) [auth_log] = ok (49264) [chap] = noop (49264) [mschap] = noop (49264) [digest] = noop (49264) suffix: Checking for suffix after "@" (49264) suffix: No '@' in User-Name = "347117", looking up realm NULL (49264) suffix: No such realm "NULL" (49264) [suffix] = noop (49264) eap: Peer sent EAP Response (code 2) ID 7 length 106 (49264) eap: Continuing tunnel setup (49264) [eap] = ok (49264) } # authorize = ok (49264) Found Auth-Type = eap (49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49264) authenticate { (49264) eap: Expiring EAP session with state 0x9e6734429e602efe (49264) eap: Finished EAP session with state 0x3432644832357d5b (49264) eap: Previous EAP request found for state 0x3432644832357d5b, released from the list (49264) eap: Peer sent packet with method EAP PEAP (25) (49264) eap: Calling submodule eap_peap to process data (49264) eap_peap: Continuing EAP-TLS (49264) eap_peap: [eaptls verify] = ok (49264) eap_peap: Done initial handshake (49264) eap_peap: [eaptls process] = ok (49264) eap_peap: Session established. Decoding tunneled attributes (49264) eap_peap: PEAP state phase2 (49264) eap_peap: EAP method MSCHAPv2 (26) (49264) eap_peap: Got tunneled request (49264) eap_peap: EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261 (49264) eap_peap: Setting User-Name to luciana.nogueira (49264) eap_peap: Sending tunneled request to inner-tunnel (49264) eap_peap: EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261 (49264) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (49264) eap_peap: User-Name = "luciana.nogueira" (49264) eap_peap: State = 0x214671d321416b6e6c123acd822f47ac (49264) Virtual server inner-tunnel received request (49264) EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261 (49264) FreeRADIUS-Proxied-To = 127.0.0.1 (49264) User-Name = "luciana.nogueira" (49264) State = 0x214671d321416b6e6c123acd822f47ac (49264) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (49264) server inner-tunnel { (49264) session-state: No cached attributes (49264) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49264) authorize { (49264) policy filter_username { (49264) if (&User-Name) { (49264) if (&User-Name) -> TRUE (49264) if (&User-Name) { (49264) if (&User-Name != "%{tolower:%{User-Name}}") { (49264) EXPAND %{tolower:%{User-Name}} (49264) --> luciana.nogueira (49264) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49264) if (&User-Name =~ / /) { (49264) if (&User-Name =~ / /) -> FALSE (49264) if (&User-Name =~ /@[^@]*@/ ) { (49264) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49264) if (&User-Name =~ /\.\./ ) { (49264) if (&User-Name =~ /\.\./ ) -> FALSE (49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49264) if (&User-Name =~ /\.$/) { (49264) if (&User-Name =~ /\.$/) -> FALSE (49264) if (&User-Name =~ /@\./) { (49264) if (&User-Name =~ /@\./) -> FALSE (49264) } # if (&User-Name) = notfound (49264) } # policy filter_username = notfound (49264) [chap] = noop (49264) [mschap] = noop (49264) suffix: Checking for suffix after "@" (49264) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL (49264) suffix: No such realm "NULL" (49264) [suffix] = noop (49264) update control { (49264) &Proxy-To-Realm := LOCAL (49264) } # update control = noop (49264) eap: Peer sent EAP Response (code 2) ID 7 length 75 (49264) eap: No EAP Start, assuming it's an on-going EAP conversation (49264) [eap] = updated (49264) files: users: Matched entry DEFAULT at line 90 (49264) [files] = ok (49264) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49264) sql: --> luciana.nogueira (49264) sql: SQL-User-Name set to 'luciana.nogueira' (49264) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (49264) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id (49264) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id (49264) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (49264) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority (49264) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority (49264) sql: User not found in any groups (49264) [sql] = notfound (49264) [expiration] = noop (49264) [logintime] = noop (49264) [pap] = noop (49264) } # authorize = updated (49264) Found Auth-Type = eap (49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49264) authenticate { (49264) eap: Expiring EAP session with state 0x9e6734429e602efe (49264) eap: Finished EAP session with state 0x214671d321416b6e (49264) eap: Previous EAP request found for state 0x214671d321416b6e, released from the list (49264) eap: Peer sent packet with method EAP MSCHAPv2 (26) (49264) eap: Calling submodule eap_mschapv2 to process data (49264) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49264) eap_mschapv2: authenticate { (49264) mschap: Creating challenge hash with username: luciana.nogueira (49264) mschap: Client is using MS-CHAPv2 (49264) mschap: EXPAND %{mschap:User-Name} (49264) mschap: --> luciana.nogueira (49264) mschap: ERROR: No NT-Domain was found in the User-Name (49264) mschap: EXPAND %{mschap:NT-Domain} (49264) mschap: --> (49264) mschap: sending authentication request user='luciana.nogueira' domain='' (49264) mschap: Authenticated successfully (49264) mschap: Adding MS-CHAPv2 MPPE keys (49264) [mschap] = ok (49264) } # authenticate = ok (49264) MSCHAP Success (49264) eap: Sending EAP Request (code 1) ID 8 length 51 (49264) eap: EAP session adding &reply:State = 0x214671d3204e6b6e (49264) [eap] = handled (49264) } # authenticate = handled (49264) } # server inner-tunnel (49264) Virtual server sending reply (49264) Idle-Timeout = 300 (49264) EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630 (49264) Message-Authenticator = 0x00000000000000000000000000000000 (49264) State = 0x214671d3204e6b6e6c123acd822f47ac (49264) eap_peap: Got tunneled reply code 11 (49264) eap_peap: Idle-Timeout = 300 (49264) eap_peap: EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630 (49264) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (49264) eap_peap: State = 0x214671d3204e6b6e6c123acd822f47ac (49264) eap_peap: Got tunneled reply RADIUS code 11 (49264) eap_peap: Idle-Timeout = 300 (49264) eap_peap: EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630 (49264) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (49264) eap_peap: State = 0x214671d3204e6b6e6c123acd822f47ac (49264) eap_peap: Got tunneled Access-Challenge (49264) eap: Sending EAP Request (code 1) ID 8 length 82 (49264) eap: EAP session adding &reply:State = 0x34326448333a7d5b (49264) [eap] = handled (49264) } # authenticate = handled (49264) Using Post-Auth-Type Challenge (49264) Post-Auth-Type sub-section not found. Ignoring. (49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49264) Sent Access-Challenge Id 158 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49264) EAP-Message = 0x01080052190017030300478ad05ce60e5ee56dce23340a3be2c962cc4f7d1ee8e7ae9aef666bf4fac4aa03796c641f3b59020ff440d471af287ef622a0fb7b6e3775db7348671ab310c104c57ca5045628d7 (49264) Message-Authenticator = 0x00000000000000000000000000000000 (49264) State = 0x34326448333a7d5baa04a227c6849a7d (49264) Finished request (49265) Received Access-Request Id 159 from 10.34.15.221:1384 to 10.34.242.3:1812 length 195 (49265) User-Name = "347117" (49265) NAS-IP-Address = 10.34.15.221 (49265) NAS-Port = 2 (49265) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49265) Calling-Station-Id = "48-49-C7-71-79-66" (49265) Framed-MTU = 1400 (49265) NAS-Port-Type = Wireless-802.11 (49265) Connect-Info = "CONNECT 54Mbps 802.11g" (49265) EAP-Message = 0x020800251900170303001a00000000000000031247ab59722d1f524f21b21b65b88b21dc63 (49265) State = 0x34326448333a7d5baa04a227c6849a7d (49265) Message-Authenticator = 0x4e23dd00e538823df81cfcd85802e7d5 (49265) session-state: No cached attributes (49265) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49265) authorize { (49265) policy filter_username { (49265) if (&User-Name) { (49265) if (&User-Name) -> TRUE (49265) if (&User-Name) { (49265) if (&User-Name != "%{tolower:%{User-Name}}") { (49265) EXPAND %{tolower:%{User-Name}} (49265) --> 347117 (49265) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49265) if (&User-Name =~ / /) { (49265) if (&User-Name =~ / /) -> FALSE (49265) if (&User-Name =~ /@[^@]*@/ ) { (49265) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49265) if (&User-Name =~ /\.\./ ) { (49265) if (&User-Name =~ /\.\./ ) -> FALSE (49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49265) if (&User-Name =~ /\.$/) { (49265) if (&User-Name =~ /\.$/) -> FALSE (49265) if (&User-Name =~ /@\./) { (49265) if (&User-Name =~ /@\./) -> FALSE (49265) } # if (&User-Name) = notfound (49265) } # policy filter_username = notfound (49265) [preprocess] = ok (49265) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49265) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49265) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49265) auth_log: EXPAND %t (49265) auth_log: --> Tue Jun 23 11:18:40 2020 (49265) [auth_log] = ok (49265) [chap] = noop (49265) [mschap] = noop (49265) [digest] = noop (49265) suffix: Checking for suffix after "@" (49265) suffix: No '@' in User-Name = "347117", looking up realm NULL (49265) suffix: No such realm "NULL" (49265) [suffix] = noop (49265) eap: Peer sent EAP Response (code 2) ID 8 length 37 (49265) eap: Continuing tunnel setup (49265) [eap] = ok (49265) } # authorize = ok (49265) Found Auth-Type = eap (49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49265) authenticate { (49265) eap: Expiring EAP session with state 0x9e6734429e602efe (49265) eap: Finished EAP session with state 0x34326448333a7d5b (49265) eap: Previous EAP request found for state 0x34326448333a7d5b, released from the list (49265) eap: Peer sent packet with method EAP PEAP (25) (49265) eap: Calling submodule eap_peap to process data (49265) eap_peap: Continuing EAP-TLS (49265) eap_peap: [eaptls verify] = ok (49265) eap_peap: Done initial handshake (49265) eap_peap: [eaptls process] = ok (49265) eap_peap: Session established. Decoding tunneled attributes (49265) eap_peap: PEAP state phase2 (49265) eap_peap: EAP method MSCHAPv2 (26) (49265) eap_peap: Got tunneled request (49265) eap_peap: EAP-Message = 0x020800061a03 (49265) eap_peap: Setting User-Name to luciana.nogueira (49265) eap_peap: Sending tunneled request to inner-tunnel (49265) eap_peap: EAP-Message = 0x020800061a03 (49265) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (49265) eap_peap: User-Name = "luciana.nogueira" (49265) eap_peap: State = 0x214671d3204e6b6e6c123acd822f47ac (49265) Virtual server inner-tunnel received request (49265) EAP-Message = 0x020800061a03 (49265) FreeRADIUS-Proxied-To = 127.0.0.1 (49265) User-Name = "luciana.nogueira" (49265) State = 0x214671d3204e6b6e6c123acd822f47ac (49265) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (49265) server inner-tunnel { (49265) session-state: No cached attributes (49265) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49265) authorize { (49265) policy filter_username { (49265) if (&User-Name) { (49265) if (&User-Name) -> TRUE (49265) if (&User-Name) { (49265) if (&User-Name != "%{tolower:%{User-Name}}") { (49265) EXPAND %{tolower:%{User-Name}} (49265) --> luciana.nogueira (49265) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49265) if (&User-Name =~ / /) { (49265) if (&User-Name =~ / /) -> FALSE (49265) if (&User-Name =~ /@[^@]*@/ ) { (49265) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49265) if (&User-Name =~ /\.\./ ) { (49265) if (&User-Name =~ /\.\./ ) -> FALSE (49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49265) if (&User-Name =~ /\.$/) { (49265) if (&User-Name =~ /\.$/) -> FALSE (49265) if (&User-Name =~ /@\./) { (49265) if (&User-Name =~ /@\./) -> FALSE (49265) } # if (&User-Name) = notfound (49265) } # policy filter_username = notfound (49265) [chap] = noop (49265) [mschap] = noop (49265) suffix: Checking for suffix after "@" (49265) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL (49265) suffix: No such realm "NULL" (49265) [suffix] = noop (49265) update control { (49265) &Proxy-To-Realm := LOCAL (49265) } # update control = noop (49265) eap: Peer sent EAP Response (code 2) ID 8 length 6 (49265) eap: No EAP Start, assuming it's an on-going EAP conversation (49265) [eap] = updated (49265) files: users: Matched entry DEFAULT at line 90 (49265) [files] = ok (49265) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49265) sql: --> luciana.nogueira (49265) sql: SQL-User-Name set to 'luciana.nogueira' (49265) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (49265) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id (49265) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id (49265) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (49265) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority (49265) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority (49265) sql: User not found in any groups (49265) [sql] = notfound (49265) [expiration] = noop (49265) [logintime] = noop (49265) [pap] = noop (49265) } # authorize = updated (49265) Found Auth-Type = eap (49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49265) authenticate { (49265) eap: Expiring EAP session with state 0x9e6734429e602efe (49265) eap: Finished EAP session with state 0x214671d3204e6b6e (49265) eap: Previous EAP request found for state 0x214671d3204e6b6e, released from the list (49265) eap: Peer sent packet with method EAP MSCHAPv2 (26) (49265) eap: Calling submodule eap_mschapv2 to process data (49265) eap: Sending EAP Success (code 3) ID 8 length 4 (49265) eap: Freeing handler (49265) [eap] = ok (49265) } # authenticate = ok (49265) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49265) session { (49265) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49265) sql: --> luciana.nogueira (49265) sql: SQL-User-Name set to 'luciana.nogueira' (49265) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL (49265) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='luciana.nogueira' AND CallingStationId<>'48-49-C7-71-79-66' AND AcctStopTime IS NULL (49265) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='luciana.nogueira' AND CallingStationId<>'48-49-C7-71-79-66' AND AcctStopTime IS NULL (49265) [sql] = ok (49265) } # session = ok (49265) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (49265) post-auth { (49265) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail (49265) reply_log: --> /var/log/freeradius/radacct/10.34.15.221/reply-detail (49265) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.15.221/reply-detail (49265) reply_log: EXPAND %t (49265) reply_log: --> Tue Jun 23 11:18:40 2020 (49265) [reply_log] = ok (49265) } # post-auth = ok (49265) Login OK: [luciana.nogueira] (from client AP-SD1-A03-Q01 port 0 via TLS tunnel) (49265) } # server inner-tunnel (49265) Virtual server sending reply (49265) Idle-Timeout = 300 (49265) MS-MPPE-Encryption-Policy = Encryption-Allowed (49265) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (49265) MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880 (49265) MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c (49265) EAP-Message = 0x03080004 (49265) Message-Authenticator = 0x00000000000000000000000000000000 (49265) User-Name = "luciana.nogueira" (49265) eap_peap: Got tunneled reply code 2 (49265) eap_peap: Idle-Timeout = 300 (49265) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (49265) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (49265) eap_peap: MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880 (49265) eap_peap: MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c (49265) eap_peap: EAP-Message = 0x03080004 (49265) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (49265) eap_peap: User-Name = "luciana.nogueira" (49265) eap_peap: Got tunneled reply RADIUS code 2 (49265) eap_peap: Idle-Timeout = 300 (49265) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (49265) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (49265) eap_peap: MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880 (49265) eap_peap: MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c (49265) eap_peap: EAP-Message = 0x03080004 (49265) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (49265) eap_peap: User-Name = "luciana.nogueira" (49265) eap_peap: Tunneled authentication was successful (49265) eap_peap: SUCCESS (49265) eap: Sending EAP Request (code 1) ID 9 length 46 (49265) eap: EAP session adding &reply:State = 0x343264483c3b7d5b (49265) [eap] = handled (49265) } # authenticate = handled (49265) Using Post-Auth-Type Challenge (49265) Post-Auth-Type sub-section not found. Ignoring. (49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49265) Sent Access-Challenge Id 159 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49265) EAP-Message = 0x0109002e190017030300238ad05ce60e5ee56e3f85995ad4d9fa3e7353121ef0323fdf5e8a60cf3b9b554a80d3dd (49265) Message-Authenticator = 0x00000000000000000000000000000000 (49265) State = 0x343264483c3b7d5baa04a227c6849a7d (49265) Finished request (49266) Received Access-Request Id 160 from 10.34.15.221:1384 to 10.34.242.3:1812 length 204 (49266) User-Name = "347117" (49266) NAS-IP-Address = 10.34.15.221 (49266) NAS-Port = 2 (49266) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49266) Calling-Station-Id = "48-49-C7-71-79-66" (49266) Framed-MTU = 1400 (49266) NAS-Port-Type = Wireless-802.11 (49266) Connect-Info = "CONNECT 54Mbps 802.11g" (49266) EAP-Message = 0x0209002e190017030300230000000000000004c778ad733d5b70db3716819554f83810f465ba77cd7845e575c9ff (49266) State = 0x343264483c3b7d5baa04a227c6849a7d (49266) Message-Authenticator = 0x855882f09e771e57421e4a41f6ea470c (49266) session-state: No cached attributes (49266) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (49266) authorize { (49266) policy filter_username { (49266) if (&User-Name) { (49266) if (&User-Name) -> TRUE (49266) if (&User-Name) { (49266) if (&User-Name != "%{tolower:%{User-Name}}") { (49266) EXPAND %{tolower:%{User-Name}} (49266) --> 347117 (49266) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (49266) if (&User-Name =~ / /) { (49266) if (&User-Name =~ / /) -> FALSE (49266) if (&User-Name =~ /@[^@]*@/ ) { (49266) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (49266) if (&User-Name =~ /\.\./ ) { (49266) if (&User-Name =~ /\.\./ ) -> FALSE (49266) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (49266) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (49266) if (&User-Name =~ /\.$/) { (49266) if (&User-Name =~ /\.$/) -> FALSE (49266) if (&User-Name =~ /@\./) { (49266) if (&User-Name =~ /@\./) -> FALSE (49266) } # if (&User-Name) = notfound (49266) } # policy filter_username = notfound (49266) [preprocess] = ok (49266) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (49266) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail (49266) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail (49266) auth_log: EXPAND %t (49266) auth_log: --> Tue Jun 23 11:18:40 2020 (49266) [auth_log] = ok (49266) [chap] = noop (49266) [mschap] = noop (49266) [digest] = noop (49266) suffix: Checking for suffix after "@" (49266) suffix: No '@' in User-Name = "347117", looking up realm NULL (49266) suffix: No such realm "NULL" (49266) [suffix] = noop (49266) eap: Peer sent EAP Response (code 2) ID 9 length 46 (49266) eap: Continuing tunnel setup (49266) [eap] = ok (49266) } # authorize = ok (49266) Found Auth-Type = eap (49266) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (49266) authenticate { (49266) eap: Expiring EAP session with state 0x9e6734429e602efe (49266) eap: Finished EAP session with state 0x343264483c3b7d5b (49266) eap: Previous EAP request found for state 0x343264483c3b7d5b, released from the list (49266) eap: Peer sent packet with method EAP PEAP (25) (49266) eap: Calling submodule eap_peap to process data (49266) eap_peap: Continuing EAP-TLS (49266) eap_peap: [eaptls verify] = ok (49266) eap_peap: Done initial handshake (49266) eap_peap: [eaptls process] = ok (49266) eap_peap: Session established. Decoding tunneled attributes (49266) eap_peap: PEAP state send tlv success (49266) eap_peap: Received EAP-TLV response (49266) eap_peap: Success (49266) eap: Sending EAP Success (code 3) ID 9 length 4 (49266) eap: Freeing handler (49266) [eap] = ok (49266) } # authenticate = ok (49266) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (49266) post-auth { (49266) update { (49266) No attributes updated (49266) } # update = noop (49266) sql: EXPAND .query (49266) sql: --> .query (49266) sql: Using query template 'query' (49266) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49266) sql: --> 347117 (49266) sql: SQL-User-Name set to '347117' (49266) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp})) (49266) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('347117', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', TO_TIMESTAMP(1592921920)) (49266) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('347117', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', TO_TIMESTAMP(1592921920)) (49266) sql: SQL query returned: success (49266) sql: 1 record(s) updated (49266) [sql] = ok (49266) [exec] = noop (49266) policy remove_reply_message_if_eap { (49266) if (&reply:EAP-Message && &reply:Reply-Message) { (49266) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (49266) else { (49266) [noop] = noop (49266) } # else = noop (49266) } # policy remove_reply_message_if_eap = noop (49266) } # post-auth = ok (49266) Login OK: [347117] (from client AP-SD1-A03-Q01 port 2 cli 48-49-C7-71-79-66) (49266) Sent Access-Accept Id 160 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0 (49266) MS-MPPE-Recv-Key = 0x542d83c1eb40f8c303c2eb8158cb7e7db2151c3568559646f0ae6cc2b4834cdc (49266) MS-MPPE-Send-Key = 0xe5c545e00159f5d356a41a506a2bfdda247960a2b6a0044c7bf9037a48336c63 (49266) EAP-Message = 0x03090004 (49266) Message-Authenticator = 0x00000000000000000000000000000000 (49266) User-Name = "347117" (49266) Finished request (49267) Received Accounting-Request Id 161 from 10.34.15.221:1386 to 10.34.242.3:1813 length 145 (49267) Acct-Session-Id = "38EBA713-00000041" (49267) Acct-Status-Type = Start (49267) Acct-Authentic = RADIUS (49267) User-Name = "347117" (49267) NAS-IP-Address = 10.34.15.221 (49267) NAS-Port = 2 (49267) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49267) Calling-Station-Id = "48-49-C7-71-79-66" (49267) NAS-Port-Type = Wireless-802.11 (49267) Connect-Info = "CONNECT 54Mbps 802.11g" (49267) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (49267) preacct { (49267) [preprocess] = ok (49267) update request { (49267) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} (49267) --> 1592921920 (49267) FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 11:18:40 -03 (49267) } # update request = noop (49267) policy acct_unique { (49267) update request { (49267) Tmp-String-9 := "ai:" (49267) } # update request = noop (49267) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (49267) EXPAND %{hex:&Class} (49267) --> (49267) EXPAND ^%{hex:&Tmp-String-9} (49267) --> ^61693a (49267) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (49267) else { (49267) update request { (49267) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}} (49267) --> 6b521bf17a61aa914f0f67b33c558e07 (49267) &Acct-Unique-Session-Id := 6b521bf17a61aa914f0f67b33c558e07 (49267) } # update request = noop (49267) } # else = noop (49267) } # policy acct_unique = noop (49267) suffix: Checking for suffix after "@" (49267) suffix: No '@' in User-Name = "347117", looking up realm NULL (49267) suffix: No such realm "NULL" (49267) [suffix] = noop (49267) files: acct_users: Matched entry DEFAULT at line 22 (49267) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (49267) files: --> 347117 (49267) [files] = ok (49267) } # preacct = ok (49267) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (49267) accounting { (49267) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown} (49267) log_accounting: --> Accounting-Request.Start (49267) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) (49267) log_accounting: --> Tue, 23-06-2020 11:18:40 Connect: [347117] (did 5C-D9-98-14-37-48:MPDFT cli 48-49-C7-71-79-66 port 2 ip ) (49267) log_accounting: EXPAND /var/log/freeradius/linelog-accounting (49267) log_accounting: --> /var/log/freeradius/linelog-accounting (49267) [log_accounting] = ok (49267) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query} (49267) sql: --> type.start.query (49267) sql: Using query template 'query' (49267) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49267) sql: --> 347117 (49267) sql: SQL-User-Name set to '347117' (49267) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet) (49267) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38EBA713-00000041', '6b521bf17a61aa914f0f67b33c558e07', '347117', NULLIF('', ''), '10.34.15.221', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1592921920), TO_TIMESTAMP(1592921920), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', NULL, '', '', NULLIF('', '')::inet) (49267) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38EBA713-00000041', '6b521bf17a61aa914f0f67b33c558e07', '347117', NULLIF('', ''), '10.34.15.221', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1592921920), TO_TIMESTAMP(1592921920), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', NULL, '', '', NULLIF('', '')::inet) (49267) sql: SQL query returned: success (49267) sql: 1 record(s) updated (49267) [sql] = ok (49267) if (&request:Acct-Status-Type == start) { (49267) if (&request:Acct-Status-Type == start) -> TRUE (49267) if (&request:Acct-Status-Type == start) { (49267) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (49267) --> 347117 (49267) SQL-User-Name set to '347117' (49267) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592921920), AcctUpdateTime = TO_TIMESTAMP(1592921920), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = '347117' AND AcctUniqueId <> '6b521bf17a61aa914f0f67b33c558e07' AND CallingStationId = '48-49-C7-71-79-66' AND AcctStopTime IS NULL (49267) SQL query affected no rows (49267) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL} (49267) --> (49267) } # if (&request:Acct-Status-Type == start) = ok (49267) [exec] = noop (49267) attr_filter.accounting_response: EXPAND %{User-Name} (49267) attr_filter.accounting_response: --> 347117 (49267) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (49267) [attr_filter.accounting_response] = updated (49267) } # accounting = updated (49267) Sent Accounting-Response Id 161 from 10.34.242.3:1813 to 10.34.15.221:1386 length 0 (49267) Finished request (49267) Cleaning up request packet ID 161 with timestamp +43054 (49257) Cleaning up request packet ID 151 with timestamp +43054 (49258) Cleaning up request packet ID 152 with timestamp +43054 (49259) Cleaning up request packet ID 153 with timestamp +43054 (49260) Cleaning up request packet ID 154 with timestamp +43054 (49261) Cleaning up request packet ID 155 with timestamp +43054 (49262) Cleaning up request packet ID 156 with timestamp +43054 (49263) Cleaning up request packet ID 157 with timestamp +43054 (49264) Cleaning up request packet ID 158 with timestamp +43054 (49265) Cleaning up request packet ID 159 with timestamp +43054 (49266) Cleaning up request packet ID 160 with timestamp +43054 root@vp2-seg-008:/var/log/freeradius#
On Jun 23, 2020, at 11:34 AM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
Thanks for anwaring, Alan, you were right: that is his MAC Address.
Good.
Until this moment, no mac address appeared at radacct table, so I don’t have debug for that yet. For this, if I may ask, why user is registered in radacct table with mac address but in radius log appears his real username?
Because the NAS sends accounting packets which contain the MAC address in the User-Name field. And, it sends authentication packets which contain the real name in the User-Name field. FreeRADIUS does NOT control this. It's at the mercy of whatever the NAS sends.
Reading debug, real login is "luciana.nogueira" Here the debug log for this entry: =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~= grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log (49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151 (49257) User-Name = "347117" (49257) NAS-IP-Address = 10.34.15.221 (49257) NAS-Port = 2 (49257) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49257) Calling-Station-Id = "48-49-C7-71-79-66" (49257) Framed-MTU = 1400 (49257) NAS-Port-Type = Wireless-802.11 (49257) Connect-Info = "CONNECT 54Mbps 802.11g" (49257) EAP-Message = 0x0200000b01333437313137
The end-user machine is creating that EAP-Message. Which contains "34717" as the name. i.e. hex 333437313137 is "34717" In order to fix that, you need to fix the end users machine to send a real name. There is nothing you can do to the NAS or FreeRADIUS to fix this issue. Generally, the outer user name should be something like "@example.com", or "anonymous". The inner-tunnel is receiving the name "luciana.nogueira", which is fine. Alan DeKok.
I understang... Well, I thought something for these two problems, but before try to implement them, I would like your opinion, if possible: FIRST: for the problem of outer username being different from inner-tunnel. Is it possible do something like this? IF inner-tunnel-username <> outer-username Set outer-username equal to innet-tunnel-username Does this solution can cause crazy inserts at radacct table or cause user to receive deny access to wifi? SECOND: for the problema of mac address being registered at radacct table: I will try to create some check at username for account packets like this: IF username is equal to calling-station-id(in lowercase and without "-") Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;) Thanks!! I hope you don’t get angry with me for doing this mass =P -----Mensagem original----- De: Freeradius-Users <freeradius-users-bounces+daniel.pena=mpdft.mp.br@lists.freeradius.org> Em nome de Alan DeKok Enviada em: terça-feira, 23 de junho de 2020 12:47 Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Assunto: Re: RES: Incorrect username being registered by freeradius On Jun 23, 2020, at 11:34 AM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
Thanks for anwaring, Alan, you were right: that is his MAC Address.
Good.
Until this moment, no mac address appeared at radacct table, so I don’t have debug for that yet. For this, if I may ask, why user is registered in radacct table with mac address but in radius log appears his real username?
Because the NAS sends accounting packets which contain the MAC address in the User-Name field. And, it sends authentication packets which contain the real name in the User-Name field. FreeRADIUS does NOT control this. It's at the mercy of whatever the NAS sends.
Reading debug, real login is "luciana.nogueira" Here the debug log for this entry: =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~= grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log (49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151 (49257) User-Name = "347117" (49257) NAS-IP-Address = 10.34.15.221 (49257) NAS-Port = 2 (49257) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT" (49257) Calling-Station-Id = "48-49-C7-71-79-66" (49257) Framed-MTU = 1400 (49257) NAS-Port-Type = Wireless-802.11 (49257) Connect-Info = "CONNECT 54Mbps 802.11g" (49257) EAP-Message = 0x0200000b01333437313137
The end-user machine is creating that EAP-Message. Which contains "34717" as the name. i.e. hex 333437313137 is "34717" In order to fix that, you need to fix the end users machine to send a real name. There is nothing you can do to the NAS or FreeRADIUS to fix this issue. Generally, the outer user name should be something like "@example.com", or "anonymous". The inner-tunnel is receiving the name "luciana.nogueira", which is fine. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi,
FIRST: for the problem of outer username being different from inner-tunnel. Is it possible do something like this? IF inner-tunnel-username <> outer-username Set outer-username equal to innet-tunnel-username Does this solution can cause crazy inserts at radacct table or cause user to receive deny access to wifi?
the inner username if different to the outer, is usually for privacy/anonymous - you dont want to expose the inner username to the NAS - and doing so may break EAP anyway. this si where you would probably want to use eg CUI (Chargeable User Identity) in your Access-Accept packet - and then use the CUI for the accounting packets
SECOND: for the problema of mac address being registered at radacct table:
first, try looking at the NAS configuration and checking if you can adjust how it does the Acct update packets. I guess your Acct start packet is fine, its the account update that is being borked. maybe related to any mobility option your NAS platform has?
I will try to create some check at username for account packets like this: IF username is equal to calling-station-id(in lowercase and without "-") Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)
you could do something like that but its a big hit on the DB . you already know the CSI from the first successful authentication as this is temporal data so you might want to record that key pair in a simple REDIS/etc DB instead rather than hitting the live accounting tables. alan
On Jun 23, 2020, at 12:47 PM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
Well, I thought something for these two problems, but before try to implement them, I would like your opinion, if possible:
FIRST: for the problem of outer username being different from inner-tunnel. Is it possible do something like this? IF inner-tunnel-username <> outer-username Set outer-username equal to innet-tunnel-username Does this solution can cause crazy inserts at radacct table or cause user to receive deny access to wifi?
It will break things. Instead of working around broken systems, you should just fix the broken systems.
SECOND: for the problema of mac address being registered at radacct table: I will try to create some check at username for account packets like this: IF username is equal to calling-station-id(in lowercase and without "-") Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)
The solution is to just set the User-Name in the Access-Accept reply. The NAS *should* use that in later accounting requests: post-auth { ... update reply { User-Name := &request:User-Name } }
Thanks!! I hope you don’t get angry with me for doing this mass =P
Nope. My frustration is with people who ask question, and argue with the answers. So long as you're trying to understand, I'm happy to help. Alan DeKok.
Thanks Dekok and Buxey for helping me. As I used Dekok's suggestion of updating outer.session-state from the other topic (CUI thing), I discovered that I was NOT setting Stripped-User-Name just because that policy was NOT mentioned anywhere of VS default and inner-tunnel. Reading that code, it was clear to me that I could "fix" MAC addr in user name of broken NAS (you see, only a few packets of these few NASes was arriving wrong) So, I enabled splitting username from realm and used code of MAC canonicalization to fix MAC user problem: user-as-mac-regexp = '([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})' rewrite_username { if (&User-name && (&User-Name =~ /^${policy.user-as-mac-regexp}$/i)) { update request { &User-Name := "%{sql:SELECT username from radacct \ WHERE CallingStationId = '%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}' \ ORDER BY radacctid limit 1}" } updated } else { noop } } Did some copy and paste with a little substitution... Then, inserted rewrite_username before split_username_nai filter at preacct section and that is it. From, 9417 packets, only one, for now, had the problem and was fixed (server running for 48min until this moment) (8907) Thu Jun 25 14:43:59 2020: Debug: Received Accounting-Request Id 192 from 10.34.5.223:1829 to 10.34.242.3:1813 length 151 (8907) Thu Jun 25 14:43:59 2020: Debug: Acct-Session-Id = "386D9BFB-0000015C" (8907) Thu Jun 25 14:43:59 2020: Debug: Acct-Status-Type = Start (8907) Thu Jun 25 14:43:59 2020: Debug: Acct-Authentic = RADIUS (8907) Thu Jun 25 14:43:59 2020: Debug: User-Name = "a8b86e23fca1" (8907) Thu Jun 25 14:43:59 2020: Debug: NAS-IP-Address = 10.34.5.223 (8907) Thu Jun 25 14:43:59 2020: Debug: NAS-Port = 2 (8907) Thu Jun 25 14:43:59 2020: Debug: Called-Station-Id = "5C-D9-98-14-14-78:MPDFT" (8907) Thu Jun 25 14:43:59 2020: Debug: Calling-Station-Id = "A8-B8-6E-23-FC-A1" (8907) Thu Jun 25 14:43:59 2020: Debug: NAS-Port-Type = Wireless-802.11 (8907) Thu Jun 25 14:43:59 2020: Debug: Connect-Info = "CONNECT 54Mbps 802.11g" (8907) Thu Jun 25 14:43:59 2020: Debug: # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (8907) Thu Jun 25 14:43:59 2020: Debug: preacct { (8907) Thu Jun 25 14:43:59 2020: Debug: [preprocess] = ok (8907) Thu Jun 25 14:43:59 2020: Debug: policy rewrite_username { (8907) Thu Jun 25 14:43:59 2020: Debug: if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i)) { (8907) Thu Jun 25 14:43:59 2020: Debug: if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i)) -> TRUE (8907) Thu Jun 25 14:43:59 2020: Debug: if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i)) { (8907) Thu Jun 25 14:43:59 2020: Debug: update request { (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (8907) Thu Jun 25 14:43:59 2020: Debug: --> a8b86e23fca1 (8907) Thu Jun 25 14:43:59 2020: Debug: SQL-User-Name set to 'a8b86e23fca1' (8907) Thu Jun 25 14:43:59 2020: Debug: Executing select query: SELECT username from radacct WHERE CallingStationId = 'A8-B8-6E-23-FC-A1' ORDER BY radacctid limit 1 (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{sql:SELECT username from radacct WHERE CallingStationId = '%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}' ORDER BY radacctid limit 1} (8907) Thu Jun 25 14:43:59 2020: Debug: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: } # update request = noop (8907) Thu Jun 25 14:43:59 2020: Debug: [updated] = updated (8907) Thu Jun 25 14:43:59 2020: Debug: } # if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i)) = updated (8907) Thu Jun 25 14:43:59 2020: Debug: ... skipping else: Preceding "if" was taken (8907) Thu Jun 25 14:43:59 2020: Debug: } # policy rewrite_username = updated (8907) Thu Jun 25 14:43:59 2020: Debug: policy split_username_nai { (8907) Thu Jun 25 14:43:59 2020: Debug: if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (8907) Thu Jun 25 14:43:59 2020: Debug: if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (8907) Thu Jun 25 14:43:59 2020: Debug: if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (8907) Thu Jun 25 14:43:59 2020: Debug: update request { (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{1} (8907) Thu Jun 25 14:43:59 2020: Debug: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{3} (8907) Thu Jun 25 14:43:59 2020: Debug: --> (8907) Thu Jun 25 14:43:59 2020: Debug: } # update request = noop (8907) Thu Jun 25 14:43:59 2020: Debug: [updated] = updated (8907) Thu Jun 25 14:43:59 2020: Debug: } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (8907) Thu Jun 25 14:43:59 2020: Debug: ... skipping else: Preceding "if" was taken (8907) Thu Jun 25 14:43:59 2020: Debug: } # policy split_username_nai = updated (8907) Thu Jun 25 14:43:59 2020: Debug: update request { (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} (8907) Thu Jun 25 14:43:59 2020: Debug: --> 1593107039 (8907) Thu Jun 25 14:43:59 2020: Debug: } # update request = noop (8907) Thu Jun 25 14:43:59 2020: Debug: policy acct_unique { (8907) Thu Jun 25 14:43:59 2020: Debug: update request { (8907) Thu Jun 25 14:43:59 2020: Debug: } # update request = noop (8907) Thu Jun 25 14:43:59 2020: Debug: if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{hex:&Class} (8907) Thu Jun 25 14:43:59 2020: Debug: --> (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND ^%{hex:&Tmp-String-9} (8907) Thu Jun 25 14:43:59 2020: Debug: --> ^61693a (8907) Thu Jun 25 14:43:59 2020: Debug: if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (8907) Thu Jun 25 14:43:59 2020: Debug: else { (8907) Thu Jun 25 14:43:59 2020: Debug: update request { (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{Acct-Session-ID} (8907) Thu Jun 25 14:43:59 2020: Debug: --> 386D9BFB-0000015C (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (8907) Thu Jun 25 14:43:59 2020: Debug: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}} (8907) Thu Jun 25 14:43:59 2020: Debug: --> d07a1728ff39147a452a960d300c989e (8907) Thu Jun 25 14:43:59 2020: Debug: } # update request = noop (8907) Thu Jun 25 14:43:59 2020: Debug: } # else = noop (8907) Thu Jun 25 14:43:59 2020: Debug: } # policy acct_unique = noop (8907) Thu Jun 25 14:43:59 2020: Debug: suffix: Checking for suffix after "@" (8907) Thu Jun 25 14:43:59 2020: Debug: suffix: No '@' in User-Name = "alex.dalton", looking up realm NULL (8907) Thu Jun 25 14:43:59 2020: Debug: suffix: No such realm "NULL" (8907) Thu Jun 25 14:43:59 2020: Debug: [suffix] = noop (8907) Thu Jun 25 14:43:59 2020: Debug: files: acct_users: Matched entry DEFAULT at line 22 (8907) Thu Jun 25 14:43:59 2020: Debug: files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (8907) Thu Jun 25 14:43:59 2020: Debug: files: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: [files] = ok (8907) Thu Jun 25 14:43:59 2020: Debug: } # preacct = updated (8907) Thu Jun 25 14:43:59 2020: Debug: # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (8907) Thu Jun 25 14:43:59 2020: Debug: accounting { (8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown} (8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: --> Accounting-Request.Start (8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) (8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: --> Thu, 25-06-2020 14:43:59 Connect: [alex.dalton] (did 5C-D9-98-14-14-78:MPDFT cli A8-B8-6E-23-FC-A1 port 2 ip ) (8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: EXPAND /var/log/freeradius/linelog-accounting (8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: --> /var/log/freeradius/linelog-accounting (8907) Thu Jun 25 14:43:59 2020: Debug: [log_accounting] = ok (8907) Thu Jun 25 14:43:59 2020: Debug: sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query} (8907) Thu Jun 25 14:43:59 2020: Debug: sql: --> type.start.query (8907) Thu Jun 25 14:43:59 2020: Debug: sql: Using query template 'query' (8907) Thu Jun 25 14:43:59 2020: Debug: sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (8907) Thu Jun 25 14:43:59 2020: Debug: sql: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: sql: SQL-User-Name set to 'alex.dalton' (8907) Thu Jun 25 14:43:59 2020: Debug: sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet) (8907) Thu Jun 25 14:43:59 2020: Debug: sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('386D9BFB-0000015C', 'd07a1728ff39147a452a960d300c989e', 'alex.dalton', NULLIF('', ''), '10.34.5.223', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593107039), TO_TIMESTAMP(1593107039), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-14-78:MPDFT', 'A8-B8-6E-23-FC-A1', NULL, '', '', NULLIF('', '')::inet) (8907) Thu Jun 25 14:43:59 2020: Debug: sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('386D9BFB-0000015C', 'd07a1728ff39147a452a960d300c989e', 'alex.dalton', NULLIF('', ''), '10.34.5.223', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593107039), TO_TIMESTAMP(1593107039), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-14-78:MPDFT', 'A8-B8-6E-23-FC-A1', NULL, '', '', NULLIF('', '')::inet) (8907) Thu Jun 25 14:43:59 2020: Debug: sql: SQL query returned: success (8907) Thu Jun 25 14:43:59 2020: Debug: sql: 1 record(s) updated (8907) Thu Jun 25 14:43:59 2020: Debug: [sql] = ok (8907) Thu Jun 25 14:43:59 2020: Debug: if (&request:Acct-Status-Type == start) { (8907) Thu Jun 25 14:43:59 2020: Debug: if (&request:Acct-Status-Type == start) -> TRUE (8907) Thu Jun 25 14:43:59 2020: Debug: if (&request:Acct-Status-Type == start) { (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (8907) Thu Jun 25 14:43:59 2020: Debug: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: SQL-User-Name set to 'alex.dalton' (8907) Thu Jun 25 14:43:59 2020: Debug: Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593107039), AcctUpdateTime = TO_TIMESTAMP(1593107039), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = 'alex.dalton' AND AcctUniqueId <> 'd07a1728ff39147a452a960d300c989e' AND CallingStationId = 'A8-B8-6E-23-FC-A1' AND AcctStopTime IS NULL (8907) Thu Jun 25 14:43:59 2020: Debug: SQL query affected no rows (8907) Thu Jun 25 14:43:59 2020: Debug: EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL} (8907) Thu Jun 25 14:43:59 2020: Debug: --> (8907) Thu Jun 25 14:43:59 2020: Debug: } # if (&request:Acct-Status-Type == start) = ok (8907) Thu Jun 25 14:43:59 2020: Debug: [exec] = noop (8907) Thu Jun 25 14:43:59 2020: Debug: attr_filter.accounting_response: EXPAND %{User-Name} (8907) Thu Jun 25 14:43:59 2020: Debug: attr_filter.accounting_response: --> alex.dalton (8907) Thu Jun 25 14:43:59 2020: Debug: attr_filter.accounting_response: Matched entry DEFAULT at line 12 (8907) Thu Jun 25 14:43:59 2020: Debug: [attr_filter.accounting_response] = updated (8907) Thu Jun 25 14:43:59 2020: Debug: } # accounting = updated (8907) Thu Jun 25 14:43:59 2020: Debug: Sent Accounting-Response Id 192 from 10.34.242.3:1813 to 10.34.5.223:1829 length 0 (8907) Thu Jun 25 14:43:59 2020: Debug: Finished request (8907) Thu Jun 25 14:43:59 2020: Debug: Cleaning up request packet ID 192 with timestamp +2160
participants (3)
-
Alan Buxey -
Alan DeKok -
Daniel Guimaraes Pena