Class Attribute Missing for Anonymous Users
I use FreeRADIUS 3.0.15 and for some strange reason, the Unifi APs refuse to append the Class attribute for those users that use anonymous identity. Here are 4 accounting packets that were generated by the same UAP for the same user. When she does not use anonymous identity, we see the Class attribute. But when she *does* use anonymous identity, the Class attribute goes missing: Thu Sep 21 22:04:09 2017 Acct-Session-Id = "59C40101-0000000F" Acct-Status-Type = Start Acct-Authentic = RADIUS *User-Name = "53110080806"* NAS-Identifier = "802aa8b0fab9" NAS-Port = 0 Called-Station-Id = "80-2A-A8-B1-FA-B9:DAMLA.NET" *Calling-Station-Id = "6C-71-D9-2E-61-29"* NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" *Class = 0x3533313130303830383036* NAS-IP-Address = 192.168.0.26 Event-Timestamp = "Sep 21 2017 22:04:09 +03" Timestamp = 1506020649 Thu Sep 21 22:05:06 2017 Acct-Session-Id = "59C40101-0000000F" Acct-Status-Type = Stop Acct-Authentic = RADIUS *User-Name = "53110080806"* NAS-Identifier = "802aa8b0fab9" NAS-Port = 0 Called-Station-Id = "80-2A-A8-B1-FA-B9:DAMLA.NET" *Calling-Station-Id = "6C-71-D9-2E-61-29"* NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" *Class = 0x3533313130303830383036* Acct-Session-Time = 58 Acct-Input-Packets = 445 Acct-Output-Packets = 228 Acct-Input-Octets = 88637 Acct-Output-Octets = 16859 Event-Timestamp = "Sep 21 2017 22:04:45 +03" Acct-Terminate-Cause = User-Request NAS-IP-Address = 192.168.0.26 Timestamp = 1506020706 Thu Sep 21 22:06:02 2017 Acct-Session-Id = "59C40101-00000010" Acct-Status-Type = Start Acct-Authentic = RADIUS *User-Name = "anonymous"* NAS-Identifier = "802aa8b0fab9" NAS-Port = 0 Called-Station-Id = "80-2A-A8-B1-FA-B9:DAMLA.NET" *Calling-Station-Id = "6C-71-D9-2E-61-29"* NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" NAS-IP-Address = 192.168.0.26 Event-Timestamp = "Sep 21 2017 22:06:02 +03" Timestamp = 1506020762 Thu Sep 21 22:18:37 2017 Acct-Session-Id = "59C40101-00000010" Acct-Status-Type = Stop Acct-Authentic = RADIUS *User-Name = "anonymous"* NAS-Identifier = "802aa8b0fab9" NAS-Port = 0 Called-Station-Id = "80-2A-A8-B1-FA-B9:DAMLA.NET" *Calling-Station-Id = "6C-71-D9-2E-61-29"* NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Time = 755 Acct-Input-Packets = 827 Acct-Output-Packets = 401 Acct-Input-Octets = 109567 Acct-Output-Octets = 28858 Event-Timestamp = "Sep 21 2017 22:18:15 +03" Acct-Terminate-Cause = User-Request NAS-IP-Address = 192.168.0.26 Timestamp = 1506021517 I think the UAP is trying to protect the user's privacy and I hate that. I will definitely get in touch with Ubnt and ask them to change this behaviour. But is there anything I can do on the FreeRADIUS server to make sure that the Class attribute is present in all accounting packets? --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
On Sep 21, 2017, at 3:31 PM, Selahattin Cilek <selahattin_cilek@hotmail.com> wrote:
I use FreeRADIUS 3.0.15 and for some strange reason, the Unifi APs refuse to append the Class attribute for those users that use anonymous identity.
Here are 4 accounting packets that were generated by the same UAP for the same user. When she does not use anonymous identity, we see the Class attribute. But when she *does* use anonymous identity, the Class attribute goes missing:
That's not good.
I think the UAP is trying to protect the user's privacy and I hate that.
It's not supposed to be smart. It's supposed to do what the RADIUS server tells it to do.
I will definitely get in touch with Ubnt and ask them to change this behaviour.
That's the best approach.
But is there anything I can do on the FreeRADIUS server to make sure that the Class attribute is present in all accounting packets?
No. The AP creates the accounting packets. No amount of poking FreeRADIUS will fix a broken AP. Alan DeKok.
On 21.09.2017 23:06, Alan DeKok wrote:
On Sep 21, 2017, at 3:31 PM, Selahattin Cilek <selahattin_cilek@hotmail.com> wrote:
I use FreeRADIUS 3.0.15 and for some strange reason, the Unifi APs refuse to append the Class attribute for those users that use anonymous identity.
Here are 4 accounting packets that were generated by the same UAP for the same user. When she does not use anonymous identity, we see the Class attribute. But when she *does* use anonymous identity, the Class attribute goes missing: That's not good.
I think the UAP is trying to protect the user's privacy and I hate that. It's not supposed to be smart. It's supposed to do what the RADIUS server tells it to do.
I will definitely get in touch with Ubnt and ask them to change this behaviour. That's the best approach.
But is there anything I can do on the FreeRADIUS server to make sure that the Class attribute is present in all accounting packets? No. The AP creates the accounting packets. No amount of poking FreeRADIUS will fix a broken AP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I installed FreeRADIUS 2.2.9 and copied the configuration of a running site and ran some tests. I am afraid that does not happen with FreeRADIUS 2.2.9. So I believe it has something to do with the configuration of FreeRADIUS 3.0.15. Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp exec motp { wait = yes program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{rep ly:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server_key.pem" certificate_file = "/usr/local/etc/raddb/certs/server_cert.pem" CA_file = "/usr/local/etc/raddb/certs/ca_cert.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "tls" copy_request_to_tunnel = yes use_tunneled_reply = yes include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "tls" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/local/etc/raddb/huntgroups reading pairlist file /usr/local/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /usr/local/etc/raddb/users reading pairlist file /usr/local/etc/raddb/acct_users reading pairlist file /usr/local/etc/raddb/preproxy_users Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "3306" login = "raduser" password = "0000" radius_db = "raddb" read_groups = yes sqltrace = no sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "CALL load_clients()" authorize_check_query = "CALL authorize_check('%{SQL-User-Name}')" authorize_reply_query = "CALL authorize_reply('%{SQL-User-Name}')" authorize_group_check_query = "CALL authorize_group_check('%{Sql-Group}')" authorize_group_reply_query = "CALL authorize_group_reply('%{Sql-Group}')" accounting_onoff_query = "CALL accounting_on_off ('%{Acct-Status-Type}' , '%{Called-Station-Id}')" accounting_update_query = "CALL accounting_update ('%{Acct-Session-Id}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{Acct- Input-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}')" accounting_update_query_alt = "CALL accounting_update ('%{Acct-Session-Id}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{A cct-Input-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}')" accounting_start_query = "CALL accounting_start ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Class}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Call ing-Station-Id}')" accounting_start_query_alt = "CALL accounting_start ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Class}','%{NAS-IP-Address}','%{Called-Station-Id}','%{ Calling-Station-Id}')" accounting_stop_query = "CALL accounting_stop ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session- Time}','%{Acct-Input-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}','%{Acct-Terminate-Cause}')" accounting_stop_query_alt = "CALL accounting_stop ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Sess ion-Time}','%{Acct-Input-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}','%{Acct-Terminate-Cause}')" group_membership_query = "CALL group_membership('%{SQL-User-Name}')" connect_failure_retry_delay = 60 simul_count_query = "CALL simul_count('%{SQL-User-Name}')" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to raduser@localhost:3306/raddb rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is CALL load_clients() rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Read entry nasname=192.168.0.4,shortname=HOME_AP,secret=0000 rlm_sql (sql): Adding client 192.168.0.4 (HOME_AP, server=<none>) to clients list rlm_sql (sql): Released sql socket id: 4 Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /usr/local/etc/raddb/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Instantiating module "datacounterdaily" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = no program = "/bin/echo hi" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = no program = "/bin/echo hi" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = no program = "/bin/echo hi" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = no program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} %{request:Calling-Station-Id} %{request:NAS-IP-Ad dress} %{request:Class} %{request:Acct-Status-Type}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/local/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs.pre-proxy Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/local/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs.access_reject } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.0.1 port = 1812 } listen { type = "acct" ipaddr = 192.168.0.1 port = 1813 } Listening on authentication address 192.168.0.1 port 1812 Listening on accounting address 192.168.0.1 port 1813 Listening on proxy address 192.168.0.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.4 port 58586, id=1, length=169 User-Name = "anonymous" NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0269000e01616e6f6e796d6f7573 Message-Authenticator = 0x6f32e006c6b27ccb58bc8bc78e2e3205 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "anonymous", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 105 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> anonymous [sql] sql_set_user escaped user --> 'anonymous' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: CALL authorize_check('%{SQL-User-Name}') -> CALL authorize_check('anonymous') [sql] expand: CALL group_membership('%{SQL-User-Name}') -> CALL group_membership('anonymous') rlm_sql (sql): Released sql socket id: 3 [sql] User anonymous not found +++[sql] = notfound ++} # policy redundant = notfound rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Item Name: Calling-Station-Id, Value: 00-26-C6-72-D2-F8 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 192.168.0.4 port 58586 EAP-Message = 0x016a00061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4e4aad6b48ebf06e52e0c33b4e5fbf2 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.4 port 58586, id=2, length=229 User-Name = "anonymous" NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026a00381500160301002d01000029030142cf0aea5e88ab95c9cd6c305f61ffe159fd853caed9c07396f71d58332932f8000002000a0100 State = 0xb4e4aad6b48ebf06e52e0c33b4e5fbf2 Message-Authenticator = 0x6c0f70c11638cf5a316b0cd395bad365 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "anonymous", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 106 length 56 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 002d], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 09d4], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 192.168.0.4 port 58586 EAP-Message = 0x016b040015c000000a11160301002a020000260301cc599cac1c9998ef1bb2ef491c5ece75006101e1e0cce61e0cb713413823ce4a00000a0016030109d40b0009d000 09cd00051830820514308203fca003020102020101300d06092a864886f70d01010b0500308195310b3009060355040613025553310e300c060355040813055465786173310f300d06035504071306 41757374696e31263024060355040a131d4578616d706c6520436572746966696361746520417574686f726974793120301e06092a864886f70d01090116116365727473406578616d706c652e636f 6d311b301906035504031312667265657261646975732d74656d702d EAP-Message = 0x6361301e170d3137303733303134313733355a170d3237303732383134313733355a308199310b3009060355040613025553310e300c06035504081305546578617331 0f300d0603550407130641757374696e31263024060355040a131d4578616d706c6520436572746966696361746520417574686f726974793120301e06092a864886f70d0109011611636572747340 6578616d706c652e636f6d311f301d06035504031316667265657261646975732d74656d702d73657276657230820122300d06092a864886f70d01010105000382010f003082010a0282010100ddd5 f66f6f917fc94c6c27ed5e2272405c8c673a3131263b560b62cf2cc1 EAP-Message = 0x06cc35c6aeb5564b2c8760930b7bb6a906ac59032fa6b94ed42b5f6e242f9af92dae3a3ce7b65141402fca918675d370c43784bb54f5ecfdc33b4c0e223ca4f70b0448 428aff1c9dfcd14c1e9e0a220d86707689a32850a7431ae40bb7fd975cd53efdd9b3f29799e3c5ee160f9d7c9ffc8afb6d17a775aff57cf7e90f96512fa13c32346ea12daddab9526cc1362b496e73 5e9b17957cf39a906c83fbe5ef4515bc5b9f69ce61ae2b90d5b4ce4765913cc02d5af73eb76949dc40c2bf5cf97e867b249fdafcfafef27e850e8cef9783a41d218ebc401ae2c24cc33a7b0173980a 470203010001a38201673082016330090603551d1304023000301106 EAP-Message = 0x096086480186f8420101040403020640303306096086480186f842010d042616244f70656e53534c2047656e6572617465642053657276657220436572746966696361 7465301d0603551d0e041604143bccd27850c43399eca9a78deeaece12a07db23f3081c20603551d230481ba3081b780141146326f07c5778d5978fe8a2de29dbefed4d028a1819ba4819830819531 0b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31263024060355040a131d4578616d706c6520436572746966696361746520417574 686f726974793120301e06092a864886f70d01090116116365727473 EAP-Message = 0x406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4e4aad6b58fbf06e52e0c33b4e5fbf2 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.4 port 58586, id=3, length=179 User-Name = "anonymous" NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026b00061500 State = 0xb4e4aad6b58fbf06e52e0c33b4e5fbf2 Message-Authenticator = 0x2bba9c81e5bad331d4791bcdb1ef4148 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "anonymous", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 107 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 192.168.0.4 port 58586 EAP-Message = 0x016c040015c000000a11311b301906035504031312667265657261646975732d74656d702d6361820100301d0603551d250416301406082b0601050507030106082b06 010505080202300b0603551d0f0404030205a0300d06092a864886f70d01010b050003820101003147e47b5eb3976d2548a90a93dc0afe1183c5260799cca812e1ed0892f4bc59475cbd7bf0ee3e46 55c7afb725b7c1f679faeebbaecb2161463532a52c33637ddfee62e11aa141971967655f19adf91b4eb5b366cd42d264feae1d04d5cc5e68cfb962cfb552caf218a306218cc4a5ea5bc29401a72f5f a658efe97156e4f35158a786f3817f7733b177ae0a2fcf1c08798833 EAP-Message = 0x2d103cb690f842a82b040588366a6755ed81de0a3e5cd12d1417be924d7e98fc2d6a9e4eb08107c25ac05902840ef7d7e5e8a0d2993b69ca0873dd149f5dcc23285521 dd028906a2c4e2ceef8c6b0fd43c1a9f55915b5a02b022100b90abc16125f5b091d626ec9c6b25f62f1a0004af308204ab30820393a003020102020100300d06092a864886f70d01010b0500308195 310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31263024060355040a131d4578616d706c65204365727469666963617465204175 74686f726974793120301e06092a864886f70d010901161163657274 EAP-Message = 0x73406578616d706c652e636f6d311b301906035504031312667265657261646975732d74656d702d6361301e170d3137303733303134313733355a170d323730373238 3134313733355a308195310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31263024060355040a131d4578616d706c652043657274 6966696361746520417574686f726974793120301e06092a864886f70d01090116116365727473406578616d706c652e636f6d311b301906035504031312667265657261646975732d74656d702d63 6130820122300d06092a864886f70d01010105000382010f00308201 EAP-Message = 0x0a0282010100d7ed60120b3344c7e822913cd56b439dbbdd3a830d921986cd2dc226fdaea6ad35812c32fe239692addb43f4f8fee8dd6b9b224610611b2dcf79e8febc 50d9daa743b19e6aa485fe488970e262761d5dbf12dfcb690bd65d9a04efd6d8d66f5f5a0985b355a562f8e20c896a912b0ef79754570acec27b656d62c646f5e09c2249f429a3b51566b70cf385b4 bf597d56d261c23149b9bdeacfe438524a33f7041c69bfa73d306e73d669856e9203a527a8c8de0f6a6311b07d0b08d6fbab65e2421f08425c88c8c9d1a8fe0f5c057780ad6128197a2281c9505c72 9e6baf6a1ca287e7fa5ec44940e1ba92019638e59efffa9ae07b75a7 EAP-Message = 0xb4e4bf9850926106ed020301 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4e4aad6b688bf06e52e0c33b4e5fbf2 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.4 port 58586, id=4, length=179 User-Name = "anonymous" NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026c00061500 State = 0xb4e4aad6b688bf06e52e0c33b4e5fbf2 Message-Authenticator = 0xf6ea48856d66fad97dd4520f114c239a # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "anonymous", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 108 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 192.168.0.4 port 58586 EAP-Message = 0x016d022f158000000a110001a38201023081ff301d0603551d0e041604141146326f07c5778d5978fe8a2de29dbefed4d0283081c20603551d230481ba3081b7801411 46326f07c5778d5978fe8a2de29dbefed4d028a1819ba48198308195310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e3126302406 0355040a131d4578616d706c6520436572746966696361746520417574686f726974793120301e06092a864886f70d01090116116365727473406578616d706c652e636f6d311b3019060355040313 12667265657261646975732d74656d702d6361820100300c0603551d EAP-Message = 0x13040530030101ff300b0603551d0f040403020106300d06092a864886f70d01010b0500038201010041e0078d94ddb8aa76266f78eff1bea1fe843f9051f25a7bda07 1af1c52660eb9bfbb42050e76f952465e5460c75c6fcf1f78139fc793b849d1ace4e08c64ebb670d52aa371b14825948cffbb62b99c464dd7ccb55f17ecbeacebd3ba2109423636b8a4e461a86cb43 01e143a27fdc25011ee292cfa7c7c6fa79cd996544d0f210866079b8cccfbaf3634fb4a7b57525e514da5dd63400aeeb837d2e09ef7f917ad5a2a64ba8a28b3560a4c7fe17dadf9d4f9c98a9acc312 8b6170ff025191886951e17b9d50627c50c2c43d8073b35b57b52ec8 EAP-Message = 0x37f0cff5a87110fc1519e1d7fd66eb0c5f6419ca6e91974a3499bf546ca486c8765b459d018728e245bf900116030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4e4aad6b789bf06e52e0c33b4e5fbf2 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.4 port 58586, id=5, length=499 User-Name = "anonymous" NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026d014415001603010106100001020100a2567e8f00963ec0e82064a375ecb2492d3a40cdb21fcd3cf802f5a7a9a8b01d927f0182e0869855b8dae16e3d2f14e9045f 4b822a5d8732914005ec5daf364d3ef966301b46153fb8a0a7c477a99bab945a8baaec315e245bd8a9bc84a239707aa56b3b3e6baaab8b6fa509250fb1311bd2b7600014d06269be9261ce9ae2d55c 35abfded59288cfecc054b80d4e875eeaf02278da4c3fc55667660ca0e26a94e043bdb958e927a7fd02e739107de0851317eae4e88e969c28af29c7ff588c1c156ba6f51b711fab2859821e92fff8b 367c750c2e892d92689b0311858333b347e1ab4f4f1e9e57898f4a4d EAP-Message = 0x238051ca5fd5cc9d2a5659d11575a3b0112a090a1403010001011603010028ef7a4920c4c3c713f84b77cfa15822957cdc6e94cca75134d9c548f3784bab6d1dc22009 4bb47b2a State = 0xb4e4aad6b789bf06e52e0c33b4e5fbf2 Message-Authenticator = 0x90611aec292e409758bab4236eb791e9 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "anonymous", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 109 length 253 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] TLS_accept: SSLv3 read certificate verify A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 192.168.0.4 port 58586 EAP-Message = 0x016e003d158000000033140301000101160301002893952457d51f458aa7d6a68db5db3edb2cbcc07daff3cada6eaca13f3465ff559ac90b8f7b86c912 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4e4aad6b08abf06e52e0c33b4e5fbf2 Finished request 4. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.4 port 58586, id=6, length=240 User-Name = "anonymous" NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026e0043150017030100389be64fff33167a8a251fdfb1a94fdaeffc8c379238e4f891c7d403f0af446b92d0ee78a4ee219f9cc9f89f5c04847513f68b63e8ea07aea5 State = 0xb4e4aad6b08abf06e52e0c33b4e5fbf2 Message-Authenticator = 0x0e91867bde1f5e4cb7ab6fcadb7c193e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "anonymous", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 110 length 67 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "scilek" User-Password = "0000" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "scilek" User-Password = "0000" FreeRADIUS-Proxied-To = 127.0.0.1 NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" NAS-IP-Address = 192.168.0.4 server { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[digest] = noop [suffix] No '@' in User-Name = "scilek", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "scilek", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> scilek [sql] sql_set_user escaped user --> 'scilek' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: CALL authorize_check('%{SQL-User-Name}') -> CALL authorize_check('scilek') [sql] User found in radcheck table [sql] expand: CALL authorize_reply('%{SQL-User-Name}') -> CALL authorize_reply('scilek') [sql] expand: CALL group_membership('%{SQL-User-Name}') -> CALL group_membership('scilek') rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Item Name: Calling-Station-Id, Value: 00-26-C6-72-D2-F8 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = updated +} # group authorize = updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group PAP { [pap] login attempt with password "0000" [pap] Using clear text password "0000" [pap] User authenticated successfully ++[pap] = ok +} # group PAP = ok # Executing section session from file /usr/local/etc/raddb/sites-enabled/default +group session { ++policy redundant { [sql] expand: %{User-Name} -> scilek [sql] sql_set_user escaped user --> 'scilek' [sql] expand: CALL simul_count('%{SQL-User-Name}') -> CALL simul_count('scilek') rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 +++[sql] = ok ++} # policy redundant = ok +} # group session = ok expand: -> Login OK: [scilek] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8 via TLS tunnel) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +group post-auth { ++update reply { expand: %{User-Name} -> scilek ++} # update reply = noop Warning: Using a password on the command line interface can be insecure. Exec output: [exec] Exec: program returned: 0 ++[exec] = ok +} # group post-auth = ok } # server [ttls] Got tunneled reply code Access-Accept Class = 0x5f7363696c656b Idle-Timeout = 120 Acct-Interim-Interval = 600 Exec-Program-Wait = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_auth.sh scilek" User-Name = "scilek" [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok expand: -> Login OK: [anonymous] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +group post-auth { ++update reply { expand: %{User-Name} -> anonymous ++} # update reply = noop Warning: Using a password on the command line interface can be insecure. Exec output: [exec] Exec: program returned: 0 ++[exec] = ok +} # group post-auth = ok Sending Access-Accept of id 6 to 192.168.0.4 port 58586 Class = 0x5f7363696c656b Idle-Timeout = 120 Acct-Interim-Interval = 600 User-Name = "scilek" MS-MPPE-Recv-Key = 0x2a32e67944b4e75f0a9fcfd85157d957a8b21eb8d6325eb41f90fc3a2017c9be MS-MPPE-Send-Key = 0x44447512273cc60492a384b34b8feeac525cb064d850920ddf10223b686c0c4e EAP-Message = 0x036e0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5. Going to the next request Waking up in 4.5 seconds. rad_recv: Accounting-Request packet from host 192.168.0.4 port 44196, id=7, length=172 Acct-Session-Id = "59C5EC66-00000000" Acct-Status-Type = Start Acct-Authentic = RADIUS User-Name = "scilek" Framed-IP-Address = 192.168.1.113 NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" Class = 0x5f7363696c656b # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok ++update request { expand: %{Acct-Session-Time} -> ... expanding second conditional expand: %{Acct-Delay-Time} -> ... expanding second conditional expand: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0} -> 1506143408 - 0 - 0 expand: %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} -> 1506143408 ++} # update request = noop [suffix] No '@' in User-Name = "scilek", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "scilek", skipping NULL due to config. ++[ntdomain] = noop ++[files] = noop +} # group preacct = ok # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +group accounting { ++? if (Acct-Session-Time == 0) (Attribute Acct-Session-Time was not found) ? Evaluating (Acct-Session-Time == 0) -> FALSE ++? if (Acct-Session-Time == 0) -> FALSE [detail] expand: %{Packet-Src-IP-Address} -> 192.168.0.4 [detail] expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d -> /var/log/radacct/192.168.0.4/detail_2017_0 9_23 [detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d expands to /var/log/radacct/192.168.0.4/detail_2017_09_23 [detail] expand: %t -> Sat Sep 23 08:10:08 2017 ++[detail] = ok rlm_counter: We only run on Accounting-Stop packets. ++[daily] = noop rlm_counter: We only run on Accounting-Stop packets. ++[weekly] = noop rlm_counter: We only run on Accounting-Stop packets. ++[monthly] = noop rlm_counter: We only run on Accounting-Stop packets. ++[forever] = noop ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) ?? Evaluating (request:Acct-Status-Type == Stop) -> FALSE ?? Evaluating (request:Acct-Status-Type == Interim-Update) -> FALSE ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) -> FALSE ++[unix] = ok ++policy redundant { [sql] expand: %{User-Name} -> scilek [sql] sql_set_user escaped user --> 'scilek' [sql] expand: CALL accounting_start ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Class}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}') -> CALL accounting_start ('59C5EC66-00000000','scilek','0x5f7363696c656b','192.168.0.4','82-2A-A8-AD-1E-F9:SCILEK.NET','00-26-C6-72-D2-F8') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> scilek attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 7 to 192.168.0.4 port 44196 Finished request 6. Cleaning up request 6 ID 7 with timestamp +13 Going to the next request Waking up in 4.2 seconds. Cleaning up request 0 ID 1 with timestamp +12 Cleaning up request 1 ID 2 with timestamp +12 Cleaning up request 2 ID 3 with timestamp +12 Cleaning up request 3 ID 4 with timestamp +12 Cleaning up request 4 ID 5 with timestamp +12 Waking up in 0.1 seconds. Cleaning up request 5 ID 6 with timestamp +12 Ready to process requests. rad_recv: Accounting-Request packet from host 192.168.0.4 port 44196, id=8, length=214 Acct-Session-Id = "59C5EC66-00000000" Acct-Status-Type = Stop Acct-Authentic = RADIUS User-Name = "scilek" Framed-IP-Address = 192.168.1.113 NAS-Identifier = "802aa8ac1ef9" NAS-Port = 0 Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Calling-Station-Id = "00-26-C6-72-D2-F8" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" Class = 0x5f7363696c656b Acct-Session-Time = 62 Acct-Input-Packets = 2198 Acct-Output-Packets = 1981 Acct-Input-Octets = 2995341 Acct-Output-Octets = 2870213 Event-Timestamp = "Sep 23 2017 08:11:11 +03" Acct-Terminate-Cause = User-Request # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok ++update request { expand: %{Acct-Session-Time} -> 62 expand: %{Acct-Delay-Time} -> ... expanding second conditional expand: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0} -> 1506143469 - 62 - 0 expand: %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} -> 1506143407 ++} # update request = noop [suffix] No '@' in User-Name = "scilek", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "scilek", skipping NULL due to config. ++[ntdomain] = noop ++[files] = noop +} # group preacct = ok # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +group accounting { ++? if (Acct-Session-Time == 0) ? Evaluating (Acct-Session-Time == 0) -> FALSE ++? if (Acct-Session-Time == 0) -> FALSE [detail] expand: %{Packet-Src-IP-Address} -> 192.168.0.4 [detail] expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d -> /var/log/radacct/192.168.0.4/detail_2017_0 9_23 [detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d expands to /var/log/radacct/192.168.0.4/detail_2017_09_23 [detail] expand: %t -> Sat Sep 23 08:11:09 2017 ++[detail] = ok rlm_counter: Searching the database for key 'scilek' rlm_counter: Could not find the requested key in the database. rlm_counter: User=scilek, New Counter=62. rlm_counter: Storing new value in database. rlm_counter: New value stored successfully. ++[daily] = ok rlm_counter: Searching the database for key 'scilek' rlm_counter: Could not find the requested key in the database. rlm_counter: User=scilek, New Counter=62. rlm_counter: Storing new value in database. rlm_counter: New value stored successfully. ++[weekly] = ok rlm_counter: Searching the database for key 'scilek' rlm_counter: Could not find the requested key in the database. rlm_counter: User=scilek, New Counter=62. rlm_counter: Storing new value in database. rlm_counter: New value stored successfully. ++[monthly] = ok rlm_counter: Searching the database for key 'scilek' rlm_counter: Could not find the requested key in the database. rlm_counter: User=scilek, New Counter=62. rlm_counter: Storing new value in database. rlm_counter: New value stored successfully. ++[forever] = ok ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) ?? Evaluating (request:Acct-Status-Type == Stop) -> TRUE ?? Skipping (request:Acct-Status-Type == Interim-Update) ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) -> TRUE ++if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) { +++[datacounterdaily] = ok +++[datacounterweekly] = ok +++[datacountermonthly] = ok [datacounterforever] expand: %{request:User-Name} -> scilek [datacounterforever] expand: %{request:Calling-Station-Id} -> 00-26-C6-72-D2-F8 [datacounterforever] expand: %{request:NAS-IP-Address} -> 192.168.0.4 [datacounterforever] expand: %{request:Class} -> 0x5f7363696c656b [datacounterforever] expand: %{request:Acct-Status-Type} -> Stop +++[datacounterforever] = ok ++} # if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) = ok ++[unix] = ok ++policy redundant { [sql] expand: %{User-Name} -> scilek [sql] sql_set_user escaped user --> 'scilek' [sql] expand: CALL accounting_stop ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{Acct-In put-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}','%{Acct-Terminate-Cause}') -> CALL accounting_stop ('59C5EC66-000000 00','scilek','82-2A-A8-AD-1E-F9:SCILEK.NET','00-26-C6-72-D2-F8','62','2995341','','2870213','','User-Request') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> scilek attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 8 to 192.168.0.4 port 44196 Finished request 7. Cleaning up request 7 ID 8 with timestamp +74 Going to the next request Ready to process requests. rad_recv: Accounting-Request packet from host 192.168.0.4 port 44196, id=0, length=82 Acct-Status-Type = Accounting-On Acct-Authentic = RADIUS NAS-Identifier = "802aa8ac1ef9" Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" Acct-Terminate-Cause = NAS-Reboot # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok ++update request { expand: %{Acct-Session-Time} -> ... expanding second conditional expand: %{Acct-Delay-Time} -> ... expanding second conditional expand: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0} -> 1506143521 - 0 - 0 expand: %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} -> 1506143521 ++} # update request = noop [suffix] Proxy reply, or no User-Name. Ignoring. ++[suffix] = ok [ntdomain] Proxy reply, or no User-Name. Ignoring. ++[ntdomain] = ok ++[files] = noop +} # group preacct = ok # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +group accounting { ++? if (Acct-Session-Time == 0) (Attribute Acct-Session-Time was not found) ? Evaluating (Acct-Session-Time == 0) -> FALSE ++? if (Acct-Session-Time == 0) -> FALSE [detail] expand: %{Packet-Src-IP-Address} -> 192.168.0.4 [detail] expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d -> /var/log/radacct/192.168.0.4/detail_2017_0 9_23 [detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d expands to /var/log/radacct/192.168.0.4/detail_2017_09_23 [detail] expand: %t -> Sat Sep 23 08:12:01 2017 ++[detail] = ok rlm_counter: We only run on Accounting-Stop packets. ++[daily] = noop rlm_counter: We only run on Accounting-Stop packets. ++[weekly] = noop rlm_counter: We only run on Accounting-Stop packets. ++[monthly] = noop rlm_counter: We only run on Accounting-Stop packets. ++[forever] = noop ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) ?? Evaluating (request:Acct-Status-Type == Stop) -> FALSE ?? Evaluating (request:Acct-Status-Type == Interim-Update) -> FALSE ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) -> FALSE ++[unix] = noop ++policy redundant { [sql] Received Acct On/Off packet [sql] expand: CALL accounting_on_off ('%{Acct-Status-Type}' , '%{Called-Station-Id}') -> CALL accounting_on_off ('Accounting-On' , '82-2A-A8-AD-1E-F9:SCILEK .NET') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: MYSQL check_error: 1305 received [sql] Couldn't update SQL accounting for Acct On/Off packet - PROCEDURE raddb.accounting_on_off does not exist rlm_sql_mysql: MYSQL check_error: 1305 received rlm_sql_mysql: Cannot store result rlm_sql_mysql: MySQL error 'PROCEDURE raddb.accounting_on_off does not exist' rlm_sql (sql): Released sql socket id: 3 +++[sql] = fail ++} # policy redundant = fail +} # group accounting = fail Finished request 8. Cleaning up request 8 ID 0 with timestamp +126 Going to the next request Ready to process requests. --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
On Sep 23, 2017, at 1:16 AM, Selahattin Cilek <selahattin_cilek@hotmail.com> wrote:
I installed FreeRADIUS 2.2.9 and copied the configuration of a running site and ran some tests. I am afraid that does not happen with FreeRADIUS 2.2.9. So I believe it has something to do with the configuration of FreeRADIUS 3.0.15.
Does 3.0.15 send the Class attribute in the Access-Accept? If not, that's the problem. Otherwise, look at the Access-Accept packets from the two versions. If they're different, try to make them the same. Maybe the NAS is getting excited over those differences. Alan DeKok.
On 23.09.2017 16:23, Alan DeKok wrote:
On Sep 23, 2017, at 1:16 AM, Selahattin Cilek <selahattin_cilek@hotmail.com> wrote:
I installed FreeRADIUS 2.2.9 and copied the configuration of a running site and ran some tests. I am afraid that does not happen with FreeRADIUS 2.2.9. So I believe it has something to do with the configuration of FreeRADIUS 3.0.15. Does 3.0.15 send the Class attribute in the Access-Accept? If not, that's the problem. No, it does not.
Otherwise, look at the Access-Accept packets from the two versions. If they're different, try to make them the same. Maybe the NAS is getting excited over those differences.
How do I do that? authorize_group_check_query = "CALL authorize_group_check('%{sql1-SQL-Group}')" authorize_group_reply_query = "CALL authorize_group_reply('%{sql1-SQL-Group}')" group_membership_query = "CALL group_membership('%{SQL-User-Name}')" simul_count_query = "CALL simul_count('%{SQL-User-Name}')" safe_characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#+%&?*-_@." accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "CALL accounting_on('%{Called-Station-Id}')" } accounting-off { query = "CALL accounting_off('%{Called-Station-Id}')" } start { query = "CALL accounting_start('%{Acct-Session-Id}','%{SQL-User-Name}','%{Class}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}')" } interim-update { query = "CALL accounting_update ('%{Acct-Session-Id}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{Acct-Input-Octets}','%{ Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}')" } stop { query = "CALL accounting_stop ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{Acct-I nput-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}','%{Acct-Terminate-Cause}')" } } } post-auth { reference = ".query" } } rlm_sql (sql1): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute sql1-SQL-Group # Loaded module rlm_sqlcounter # Loading module "dailycounter" from file /usr/local/etc/raddb/mods-enabled/sqlcounter sqlcounter dailycounter { sql_module_instance = "sql" key = "User-Name" query = "SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMEST AMP(acctstarttime) + acctsessiontime > '%%b'" reset = "daily" counter_name = "Daily-Session-Time" check_name = "Max-Daily-Session" reply_name = "Session-Timeout" } # Loading module "monthlycounter" from file /usr/local/etc/raddb/mods-enabled/sqlcounter sqlcounter monthlycounter { sql_module_instance = "sql" key = "User-Name" query = "SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='%{User-Name}' AND UNIX_TIMESTAM P(acctstarttime) + acctsessiontime > '%%b'" reset = "monthly" counter_name = "Monthly-Session-Time" check_name = "Max-Monthly-Session" reply_name = "Session-Timeout" } # Loading module "noresetcounter" from file /usr/local/etc/raddb/mods-enabled/sqlcounter sqlcounter noresetcounter { sql_module_instance = "sql" key = "User-Name" query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}'" reset = "never" counter_name = "Max-All-Session-Time" check_name = "Max-All-Session" reply_name = "Session-Timeout" } # Loading module "expire_on_login" from file /usr/local/etc/raddb/mods-enabled/sqlcounter sqlcounter expire_on_login { sql_module_instance = "sql" key = "User-Name" query = "SELECT IFNULL( MAX(TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime))),0) FROM radacct WHERE UserName='%{User-Name}' ORDER BY acctstarttime LIMIT 1; " reset = "never" counter_name = "Expire-After-Initial-Login" check_name = "Expire-After" reply_name = "Session-Timeout" } instantiate { # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "sql1" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_mysql: libmysql version: 5.6.35 mysql { tls { } warnings = "auto" } rlm_sql (sql1): Attempting to connect to database "raddb" rlm_sql (sql1): Initialising connection pool pool { start = 5 min = 3 max = 5 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 60 spread = no } WARNING: Ignoring "spare = 10", forcing to "spare = 2" rlm_sql (sql1): Opening additional connection (0), 1 of 5 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.6.37, protocol version 10 rlm_sql (sql1): Opening additional connection (1), 1 of 4 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.6.37, protocol version 10 rlm_sql (sql1): Opening additional connection (2), 1 of 3 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.6.37, protocol version 10 rlm_sql (sql1): Opening additional connection (3), 1 of 2 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.6.37, protocol version 10 rlm_sql (sql1): Opening additional connection (4), 1 of 1 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.6.37, protocol version 10 rlm_sql (sql1): Processing generate_sql_clients rlm_sql (sql1) in generate_sql_clients: query is CALL load_clients() rlm_sql (sql1): Reserved connection (0) rlm_sql (sql1): Executing select query: CALL load_clients() rlm_sql (sql1): Adding client 192.168.0.4 (HOME_AP) to global clients list rlm_sql (192.168.0.4): Client "HOME_AP" (sql1) added rlm_sql (sql1): Released connection (0) } # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server_key.pem" certificate_file = "/usr/local/etc/raddb/certs/server_cert.pem" ca_file = "/usr/local/etc/raddb/certs/ca_cert.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "tls" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel-ttls" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "tls" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel-peap" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "dailycounter" from file /usr/local/etc/raddb/mods-enabled/sqlcounter rlm_sqlcounter: Current Time: 1506176265 [2017-09-23 17:17:45], Prev reset 1506114000 [2017-09-23 00:00:00] # Instantiating module "monthlycounter" from file /usr/local/etc/raddb/mods-enabled/sqlcounter rlm_sqlcounter: Current Time: 1506176265 [2017-09-23 17:17:45], Prev reset 1504213200 [2017-09-01 00:00:00] # Instantiating module "noresetcounter" from file /usr/local/etc/raddb/mods-enabled/sqlcounter rlm_sqlcounter: Current Time: 1506176265 [2017-09-23 17:17:45], Prev reset 0 [2017-09-23 17:00:00] # Instantiating module "expire_on_login" from file /usr/local/etc/raddb/mods-enabled/sqlcounter rlm_sqlcounter: Current Time: 1506176265 [2017-09-23 17:17:45], Prev reset 0 [2017-09-23 17:00:00] } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel-ttls { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel-ttls server inner-tunnel-peap { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel-peap radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.0.1 port = 1812 } listen { type = "acct" ipaddr = 192.168.0.1 port = 1813 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18127 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18128 } Listening on auth address 192.168.0.1 port 1812 bound to server default Listening on acct address 192.168.0.1 port 1813 bound to server default Listening on auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls Listening on auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap Ready to process requests (0) Received Access-Request Id 2 from 192.168.0.4:52371 to 192.168.0.1:1812 length 169 (0) User-Name = "anonymous" (0) NAS-Identifier = "802aa8ac1ef9" (0) NAS-Port = 0 (0) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (0) Calling-Station-Id = "00-26-C6-72-D2-F8" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x02ff000e01616e6f6e796d6f7573 (0) Message-Authenticator = 0x1e62d45b5b8abe56e27712fd43adc6c7 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) redundant sql { (0) sql1: EXPAND %{User-Name} (0) sql1: --> anonymous (0) sql1: SQL-User-Name set to 'anonymous' rlm_sql (sql1): Reserved connection (1) (0) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (0) sql1: --> CALL authorize_check('anonymous') (0) sql1: Executing select query: CALL authorize_check('anonymous') (0) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (0) sql1: --> CALL group_membership('anonymous') (0) sql1: Executing select query: CALL group_membership('anonymous') (0) sql1: User not found in any groups rlm_sql (sql1): Released connection (1) rlm_sql (sql1): Closing connection (2), from 3 unused connections rlm_sql_mysql: Socket destructor called, closing socket (0) [sql1] = notfound (0) } # redundant sql = notfound (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) eap: Peer sent EAP Response (code 2) ID 255 length 14 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 0 length 6 (0) eap: EAP session adding &reply:State = 0x418d1b1a418d0e7b (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 2 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (0) EAP-Message = 0x010000061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x418d1b1a418d0e7baecbafb2f6fd97a1 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 3 from 192.168.0.4:52371 to 192.168.0.1:1812 length 229 (1) User-Name = "anonymous" (1) NAS-Identifier = "802aa8ac1ef9" (1) NAS-Port = 0 (1) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (1) Calling-Station-Id = "00-26-C6-72-D2-F8" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x020000381500160301002d010000290301f1b99311d79837940bc11a0f24e0e692dc8a7cfaa58df31a39f3f5802734aff4000002000a0100 (1) State = 0x418d1b1a418d0e7baecbafb2f6fd97a1 (1) Message-Authenticator = 0x3c448c950bc2dbf87263c61aa839c9ce (1) session-state: No cached attributes (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) redundant sql { (1) sql1: EXPAND %{User-Name} (1) sql1: --> anonymous (1) sql1: SQL-User-Name set to 'anonymous' rlm_sql (sql1): Reserved connection (3) (1) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (1) sql1: --> CALL authorize_check('anonymous') (1) sql1: Executing select query: CALL authorize_check('anonymous') (1) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (1) sql1: --> CALL group_membership('anonymous') (1) sql1: Executing select query: CALL group_membership('anonymous') (1) sql1: User not found in any groups rlm_sql (sql1): Released connection (3) (1) [sql1] = notfound (1) } # redundant sql = notfound (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) eap: Peer sent EAP Response (code 2) ID 0 length 56 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x418d1b1a418d0e7b (1) eap: Finished EAP session with state 0x418d1b1a418d0e7b (1) eap: Previous EAP request found for state 0x418d1b1a418d0e7b, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Got final TLS record fragment (50 bytes) (1) eap_ttls: WARNING: Total received TLS record fragments (50 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_ttls: [eaptls verify] = ok (1) eap_ttls: Done initial handshake (1) eap_ttls: (other): before/accept initialization (1) eap_ttls: TLS_accept: before/accept initialization (1) eap_ttls: <<< recv TLS 1.0 Handshake [length 002d], ClientHello (1) eap_ttls: TLS_accept: SSLv3 read client hello A (1) eap_ttls: >>> send TLS 1.0 Handshake [length 002a], ServerHello (1) eap_ttls: TLS_accept: SSLv3 write server hello A (1) eap_ttls: >>> send TLS 1.0 Handshake [length 09d4], Certificate (1) eap_ttls: TLS_accept: SSLv3 write certificate A (1) eap_ttls: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_ttls: TLS_accept: SSLv3 write server done A (1) eap_ttls: TLS_accept: SSLv3 flush data (1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 1 length 1004 (1) eap: EAP session adding &reply:State = 0x418d1b1a408c0e7b (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 3 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (1) EAP-Message = 0x010103ec15c000000a11160301002a02000026030190d37ae7310216fd6180e2b560cad45d9f7a873252076c9575efa7366262dce000000a0016030109d40b0009d00009 cd00051830820514308203fca003020102020101300d06092a864886f70d01010b0500308195310b3009060355040613025553 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x418d1b1a408c0e7baecbafb2f6fd97a1 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 4 from 192.168.0.4:52371 to 192.168.0.1:1812 length 179 (2) User-Name = "anonymous" (2) NAS-Identifier = "802aa8ac1ef9" (2) NAS-Port = 0 (2) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (2) Calling-Station-Id = "00-26-C6-72-D2-F8" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x020100061500 (2) State = 0x418d1b1a408c0e7baecbafb2f6fd97a1 (2) Message-Authenticator = 0xcaa59edd5b9938d5385df84ec4650c82 (2) session-state: No cached attributes (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) [preprocess] = ok (2) redundant sql { (2) sql1: EXPAND %{User-Name} (2) sql1: --> anonymous (2) sql1: SQL-User-Name set to 'anonymous' rlm_sql (sql1): Reserved connection (4) (2) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (2) sql1: --> CALL authorize_check('anonymous') (2) sql1: Executing select query: CALL authorize_check('anonymous') (2) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (2) sql1: --> CALL group_membership('anonymous') (2) sql1: Executing select query: CALL group_membership('anonymous') (2) sql1: User not found in any groups rlm_sql (sql1): Released connection (4) (2) [sql1] = notfound (2) } # redundant sql = notfound (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) eap: Peer sent EAP Response (code 2) ID 1 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x418d1b1a408c0e7b (2) eap: Finished EAP session with state 0x418d1b1a408c0e7b (2) eap: Previous EAP request found for state 0x418d1b1a408c0e7b, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 2 length 1004 (2) eap: EAP session adding &reply:State = 0x418d1b1a438f0e7b (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 4 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (2) EAP-Message = 0x010203ec15c000000a110116116365727473406578616d706c652e636f6d311b301906035504031312667265657261646975732d74656d702d6361820100301d0603551d 250416301406082b0601050507030106082b06010505080202300b0603551d0f0404030205a0300d06092a864886f70d01010b (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x418d1b1a438f0e7baecbafb2f6fd97a1 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 5 from 192.168.0.4:52371 to 192.168.0.1:1812 length 179 (3) User-Name = "anonymous" (3) NAS-Identifier = "802aa8ac1ef9" (3) NAS-Port = 0 (3) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (3) Calling-Station-Id = "00-26-C6-72-D2-F8" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x020200061500 (3) State = 0x418d1b1a438f0e7baecbafb2f6fd97a1 (3) Message-Authenticator = 0x59326993c24ae834a3a1a4537a6d0f22 (3) session-state: No cached attributes (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) redundant sql { (3) sql1: EXPAND %{User-Name} (3) sql1: --> anonymous (3) sql1: SQL-User-Name set to 'anonymous' rlm_sql (sql1): Reserved connection (0) (3) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (3) sql1: --> CALL authorize_check('anonymous') (3) sql1: Executing select query: CALL authorize_check('anonymous') (3) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (3) sql1: --> CALL group_membership('anonymous') (3) sql1: Executing select query: CALL group_membership('anonymous') (3) sql1: User not found in any groups rlm_sql (sql1): Released connection (0) (3) [sql1] = notfound (3) } # redundant sql = notfound (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) eap: Peer sent EAP Response (code 2) ID 2 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x418d1b1a438f0e7b (3) eap: Finished EAP session with state 0x418d1b1a438f0e7b (3) eap: Previous EAP request found for state 0x418d1b1a438f0e7b, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 3 length 599 (3) eap: EAP session adding &reply:State = 0x418d1b1a428e0e7b (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 5 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (3) EAP-Message = 0x01030257158000000a119e6baf6a1ca287e7fa5ec44940e1ba92019638e59efffa9ae07b75a7b4e4bf9850926106ed0203010001a38201023081ff301d0603551d0e0416 04141146326f07c5778d5978fe8a2de29dbefed4d0283081c20603551d230481ba3081b780141146326f07c5778d5978fe8a2d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x418d1b1a428e0e7baecbafb2f6fd97a1 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 6 from 192.168.0.4:52371 to 192.168.0.1:1812 length 499 (4) User-Name = "anonymous" (4) NAS-Identifier = "802aa8ac1ef9" (4) NAS-Port = 0 (4) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (4) Calling-Station-Id = "00-26-C6-72-D2-F8" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020301441500160301010610000102010056802e5b5275d1632dbc7bb3ce78e79168b0048f90ab99fc720b86ca95354fc9d08dce0c11730ab5c6323fa837014cf8b83a4b 44f270b5280a8b08e772099004864b1190cddf939d48070fe58f1136d80ac62963138084a68d434e1584988866ad2d5140bd95 (4) State = 0x418d1b1a428e0e7baecbafb2f6fd97a1 (4) Message-Authenticator = 0x5c31b7e2c0ff66ad75e1fdf81268c6c9 (4) session-state: No cached attributes (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (4) authorize { (4) [preprocess] = ok (4) redundant sql { (4) sql1: EXPAND %{User-Name} (4) sql1: --> anonymous (4) sql1: SQL-User-Name set to 'anonymous' rlm_sql (sql1): Reserved connection (1) (4) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (4) sql1: --> CALL authorize_check('anonymous') (4) sql1: Executing select query: CALL authorize_check('anonymous') (4) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (4) sql1: --> CALL group_membership('anonymous') (4) sql1: Executing select query: CALL group_membership('anonymous') (4) sql1: User not found in any groups rlm_sql (sql1): Released connection (1) (4) [sql1] = notfound (4) } # redundant sql = notfound (4) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (4) pap: WARNING: Authentication will fail unless a "known good" password is available (4) [pap] = noop (4) eap: Peer sent EAP Response (code 2) ID 3 length 324 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x418d1b1a428e0e7b (4) eap: Finished EAP session with state 0x418d1b1a428e0e7b (4) eap: Previous EAP request found for state 0x418d1b1a428e0e7b, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: [eaptls verify] = ok (4) eap_ttls: Done initial handshake (4) eap_ttls: <<< recv TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_ttls: TLS_accept: SSLv3 read client key exchange A (4) eap_ttls: TLS_accept: SSLv3 read certificate verify A (4) eap_ttls: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_ttls: <<< recv TLS 1.0 Handshake [length 0010], Finished (4) eap_ttls: TLS_accept: SSLv3 read finished A (4) eap_ttls: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_ttls: TLS_accept: SSLv3 write change cipher spec A (4) eap_ttls: >>> send TLS 1.0 Handshake [length 0010], Finished (4) eap_ttls: TLS_accept: SSLv3 write finished A (4) eap_ttls: TLS_accept: SSLv3 flush data (4) eap_ttls: (other): SSL negotiation finished successfully (4) eap_ttls: SSL Connection Established (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 4 length 61 (4) eap: EAP session adding &reply:State = 0x418d1b1a45890e7b (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 6 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (4) EAP-Message = 0x0104003d158000000033140301000101160301002820d5bef24e4864a308c6c562c26eb5b6e676f02418bf5da5390254c5100fd95680736b3980b80033 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x418d1b1a45890e7baecbafb2f6fd97a1 (4) Finished request Waking up in 4.7 seconds. (5) Received Access-Request Id 7 from 192.168.0.4:52371 to 192.168.0.1:1812 length 240 (5) User-Name = "anonymous" (5) NAS-Identifier = "802aa8ac1ef9" (5) NAS-Port = 0 (5) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (5) Calling-Station-Id = "00-26-C6-72-D2-F8" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x0204004315001703010038790bbda0fd97f73c98474e19730eb2eabaa550aae994c4e54770671cd51560a5be3cfa25195fec12ee65e61900128ccd45473b7b8ef0842c (5) State = 0x418d1b1a45890e7baecbafb2f6fd97a1 (5) Message-Authenticator = 0x5e50c0a036d0da8fe72186303ac6f412 (5) session-state: No cached attributes (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (5) authorize { (5) [preprocess] = ok (5) redundant sql { (5) sql1: EXPAND %{User-Name} (5) sql1: --> anonymous (5) sql1: SQL-User-Name set to 'anonymous' rlm_sql (sql1): Reserved connection (3) (5) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (5) sql1: --> CALL authorize_check('anonymous') (5) sql1: Executing select query: CALL authorize_check('anonymous') (5) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (5) sql1: --> CALL group_membership('anonymous') (5) sql1: Executing select query: CALL group_membership('anonymous') (5) sql1: User not found in any groups rlm_sql (sql1): Released connection (3) (5) [sql1] = notfound (5) } # redundant sql = notfound (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (5) pap: WARNING: Authentication will fail unless a "known good" password is available (5) [pap] = noop (5) eap: Peer sent EAP Response (code 2) ID 4 length 67 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x418d1b1a45890e7b (5) eap: Finished EAP session with state 0x418d1b1a45890e7b (5) eap: Previous EAP request found for state 0x418d1b1a45890e7b, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: [eaptls verify] = ok (5) eap_ttls: Done initial handshake (5) eap_ttls: [eaptls process] = ok (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "scilek" (5) eap_ttls: User-Password = "0000" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel-ttls received request (5) User-Name = "scilek" (5) User-Password = "0000" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) NAS-Identifier = "802aa8ac1ef9" (5) NAS-Port = 0 (5) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (5) Calling-Station-Id = "00-26-C6-72-D2-F8" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Event-Timestamp = "Sep 23 2017 17:18:17 +03" (5) NAS-IP-Address = 192.168.0.4 (5) server inner-tunnel-ttls { (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (5) authorize { (5) if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0" ) { (5) EXPAND %{User-Name} (5) --> scilek (5) SQL-User-Name set to 'scilek' rlm_sql (sql1): Reserved connection (4) (5) EXPAND /var/log/sqltrace.sql (5) --> /var/log/sqltrace.sql (5) Executing select query: CALL is_login_allowed('scilek') rlm_sql (sql1): Released connection (4) (5) EXPAND %{sql: CALL is_login_allowed('%{User-Name}')} (5) --> 1 (5) if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0" ) -> FALSE (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) redundant sql { (5) sql1: EXPAND %{User-Name} (5) sql1: --> scilek (5) sql1: SQL-User-Name set to 'scilek' rlm_sql (sql1): Reserved connection (0) (5) sql1: EXPAND CALL authorize_check('%{SQL-User-Name}') (5) sql1: --> CALL authorize_check('scilek') (5) sql1: Executing select query: CALL authorize_check('scilek') (5) sql1: User found in radcheck table (5) sql1: Conditional check items matched, merging assignment check items (5) sql1: Cleartext-Password := "0000" (5) sql1: Simultaneous-Use := 1 (5) sql1: EXPAND CALL authorize_reply('%{SQL-User-Name}') (5) sql1: --> CALL authorize_reply('scilek') (5) sql1: Executing select query: CALL authorize_reply('scilek') (5) sql1: User found in radreply table, merging reply items (5) sql1: Class := 0x5f7363696c656b (5) sql1: Idle-Timeout := 120 (5) sql1: Acct-Interim-Interval := 600 (5) sql1: Exec-Program-Wait = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_auth.sh scilek" (5) sql1: EXPAND CALL group_membership('%{SQL-User-Name}') (5) sql1: --> CALL group_membership('scilek') (5) sql1: Executing select query: CALL group_membership('scilek') (5) sql1: User not found in any groups rlm_sql (sql1): Released connection (0) (5) [sql1] = ok (5) } # redundant sql = ok (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = updated (5) } # authorize = updated (5) Found Auth-Type = pap (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (5) Auth-Type PAP { (5) pap: Login attempt with password (5) pap: Comparing with "known good" Cleartext-Password (5) pap: User authenticated successfully (5) [pap] = ok (5) } # Auth-Type PAP = ok (5) # Executing section session from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (5) session { (5) redundant sql { (5) sql1: EXPAND %{User-Name} (5) sql1: --> scilek (5) sql1: SQL-User-Name set to 'scilek' (5) sql1: EXPAND CALL simul_count('%{SQL-User-Name}') (5) sql1: --> CALL simul_count('scilek') rlm_sql (sql1): Reserved connection (1) (5) sql1: Executing select query: CALL simul_count('scilek') rlm_sql (sql1): Released connection (1) (5) [sql1] = ok (5) } # redundant sql = ok (5) } # session = ok (5) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (5) post-auth { (5) if (1) { (5) if (1) -> TRUE (5) if (1) { (5) update reply { (5) User-Name !* ANY (5) Message-Authenticator !* ANY (5) EAP-Message !* ANY (5) Proxy-State !* ANY (5) MS-MPPE-Encryption-Types !* ANY (5) MS-MPPE-Encryption-Policy !* ANY (5) MS-MPPE-Send-Key !* ANY (5) MS-MPPE-Recv-Key !* ANY (5) } # update reply = noop (5) update { (5) &outer.session-state::Class += &reply:Class[*] -> 0x5f7363696c656b (5) &outer.session-state::Idle-Timeout += &reply:Idle-Timeout[*] -> 120 (5) &outer.session-state::Acct-Interim-Interval += &reply:Acct-Interim-Interval[*] -> 600 (5) &outer.session-state::Exec-Program-Wait += &reply:Exec-Program-Wait[*] -> '/usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_auth.sh scilek' (5) } # update = noop (5) } # if (1) = noop (5) } # post-auth = noop (5) Login OK: [scilek] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8 via TLS tunnel) (5) } # server inner-tunnel-ttls (5) Virtual server sending reply (5) Class = 0x5f7363696c656b (5) Idle-Timeout = 120 (5) Acct-Interim-Interval = 600 (5) Exec-Program-Wait = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_auth.sh scilek" (5) eap_ttls: Got tunneled Access-Accept (5) eap: Sending EAP Success (code 3) ID 4 length 4 (5) eap: Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (5) post-auth { (5) [exec] = noop (5) } # post-auth = noop (5) Login OK: [anonymous] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8) (5) Sent Access-Accept Id 7 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (5) MS-MPPE-Recv-Key = 0x4ea1660394b373c00aafe60fddb13369f19ffc3cae4ae7ee41cc7ff96f5ad6d1 (5) MS-MPPE-Send-Key = 0xd3e5cea80a4275aaefb15531d3ebef6e171ddc828752b9d903ed33d0e149ff61 (5) EAP-Message = 0x03040004 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) User-Name = "anonymous" (5) Finished request Waking up in 4.5 seconds. (6) Received Accounting-Request Id 8 from 192.168.0.4:50672 to 192.168.0.1:1813 length 166 (6) Acct-Session-Id = "0000002B-00000000" (6) Acct-Status-Type = Start (6) Acct-Authentic = RADIUS (6) User-Name = "anonymous" (6) Framed-IP-Address = 192.168.255.23 (6) NAS-Identifier = "802aa8ac1ef9" (6) NAS-Port = 0 (6) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (6) Calling-Station-Id = "00-26-C6-72-D2-F8" (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default (6) preacct { (6) [preprocess] = ok (6) } # preacct = ok (6) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default (6) accounting { (6) detail: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d (6) detail: --> /var/log/radacct/192.168.0.4/detail_2017_09_23 (6) detail: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d expands to /var/log/radacct/192.168.0.4/detail_2017_09_23 (6) detail: EXPAND %t (6) detail: --> Sat Sep 23 17:18:17 2017 (6) [detail] = ok (6) redundant sql { (6) sql1: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (6) sql1: --> type.start.query (6) sql1: Using query template 'query' rlm_sql (sql1): Reserved connection (3) (6) sql1: EXPAND %{User-Name} (6) sql1: --> anonymous (6) sql1: SQL-User-Name set to 'anonymous' (6) sql1: EXPAND CALL accounting_start('%{Acct-Session-Id}','%{SQL-User-Name}','%{Class}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}') (6) sql1: --> CALL accounting_start('0000002B-00000000','anonymous','','192.168.0.4','82-2A-A8-AD-1E-F9=3ASCILEK.NET','00-26-C6-72-D2-F8') (6) sql1: EXPAND /var/log/sqltrace.sql (6) sql1: --> /var/log/sqltrace.sql (6) sql1: Executing query: CALL accounting_start('0000002B-00000000','anonymous','','192.168.0.4','82-2A-A8-AD-1E-F9=3ASCILEK.NET','00-26-C6-72-D2-F8') (6) sql1: SQL query returned: success (6) sql1: 1 record(s) updated rlm_sql (sql1): Released connection (3) (6) [sql1] = ok (6) } # redundant sql = ok (6) [exec] = noop (6) if (request:Acct-Status-Type == Interim-Update) { (6) if (request:Acct-Status-Type == Interim-Update) -> FALSE (6) if (Acct-Session-Time == 0) { (6) ERROR: Failed retrieving values required to evaluate condition (6) } # accounting = ok (6) Sent Accounting-Response Id 8 from 192.168.0.1:1813 to 192.168.0.4:50672 length 0 (6) Finished request (6) Cleaning up request packet ID 8 with timestamp +32 Waking up in 4.1 seconds. (0) Cleaning up request packet ID 2 with timestamp +31 (1) Cleaning up request packet ID 3 with timestamp +31 (2) Cleaning up request packet ID 4 with timestamp +32 (3) Cleaning up request packet ID 5 with timestamp +32 Waking up in 0.1 seconds. (4) Cleaning up request packet ID 6 with timestamp +32 Waking up in 0.2 seconds. (5) Cleaning up request packet ID 7 with timestamp +32 Ready to process requests (7) Received Accounting-Request Id 9 from 192.168.0.4:50672 to 192.168.0.1:1813 length 202 (7) Acct-Session-Id = "0000002B-00000000" (7) Acct-Status-Type = Interim-Update (7) Acct-Authentic = RADIUS (7) User-Name = "anonymous" (7) Framed-IP-Address = 192.168.1.113 (7) NAS-Identifier = "802aa8ac1ef9" (7) NAS-Port = 0 (7) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (7) Calling-Station-Id = "00-26-C6-72-D2-F8" (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Time = 5 (7) Acct-Input-Packets = 135 (7) Acct-Output-Packets = 43 (7) Acct-Input-Octets = 17992 (7) Acct-Output-Octets = 6888 (7) Event-Timestamp = "Sep 23 2017 17:18:22 +03" (7) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default (7) preacct { (7) [preprocess] = ok (7) } # preacct = ok (7) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default (7) accounting { (7) detail: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d (7) detail: --> /var/log/radacct/192.168.0.4/detail_2017_09_23 (7) detail: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d expands to /var/log/radacct/192.168.0.4/detail_2017_09_23 (7) detail: EXPAND %t (7) detail: --> Sat Sep 23 17:18:22 2017 (7) [detail] = ok (7) redundant sql { (7) sql1: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (7) sql1: --> type.interim-update.query (7) sql1: Using query template 'query' rlm_sql (sql1): Reserved connection (4) (7) sql1: EXPAND %{User-Name} (7) sql1: --> anonymous (7) sql1: SQL-User-Name set to 'anonymous' (7) sql1: EXPAND CALL accounting_update ('%{Acct-Session-Id}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{Acct-Input-Octets}','%{ Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}') (7) sql1: --> CALL accounting_update ('0000002B-00000000','82-2A-A8-AD-1E-F9=3ASCILEK.NET','00-26-C6-72-D2-F8','5','17992','','6888','') (7) sql1: EXPAND /var/log/sqltrace.sql (7) sql1: --> /var/log/sqltrace.sql (7) sql1: Executing query: CALL accounting_update ('0000002B-00000000','82-2A-A8-AD-1E-F9=3ASCILEK.NET','00-26-C6-72-D2-F8','5','17992','','6888','') (7) sql1: SQL query returned: success (7) sql1: 1 record(s) updated rlm_sql (sql1): Released connection (4) (7) [sql1] = ok (7) } # redundant sql = ok (7) [exec] = noop (7) if (request:Acct-Status-Type == Interim-Update) { (7) if (request:Acct-Status-Type == Interim-Update) -> TRUE (7) if (request:Acct-Status-Type == Interim-Update) { (7) check_quota: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} %{request:Calling-Station-Id} %{request: NAS-IP-Address} %{request:Class} %{request:Acct-Status-Type}: (7) check_quota: EXPAND %{request:User-Name} (7) check_quota: --> anonymous (7) check_quota: EXPAND %{request:Calling-Station-Id} (7) check_quota: --> 00-26-C6-72-D2-F8 (7) check_quota: EXPAND %{request:NAS-IP-Address} (7) check_quota: --> 192.168.0.4 (7) check_quota: EXPAND %{request:Class} (7) check_quota: --> (7) check_quota: EXPAND %{request:Acct-Status-Type} (7) check_quota: --> Interim-Update (7) check_quota: Program executed successfully (7) [check_quota] = ok (7) } # if (request:Acct-Status-Type == Interim-Update) = ok (7) if (Acct-Session-Time == 0) { (7) if (Acct-Session-Time == 0) -> FALSE (7) } # accounting = ok (7) Sent Accounting-Response Id 9 from 192.168.0.1:1813 to 192.168.0.4:50672 length 0 (7) Finished request (7) Cleaning up request packet ID 9 with timestamp +37 Ready to process requests Warning: Using a password on the command line interface can be insecure. Warning: Using a password on the command line interface can be insecure. ERROR 1370 (42000) at line 1: execute command denied to user 'quota_checker'@'localhost' for routine 'raddb.get_simple_usage_info' /usr/local/etc/raddb/scripts/datacounter_acct.sh: line 67: ((: < : syntax error: operand expected (error token is "< ") /bin/sh: can't open /etc/persistent/kick_mac.sh (8) Received Accounting-Request Id 10 from 192.168.0.4:50672 to 192.168.0.1:1813 length 208 (8) Acct-Session-Id = "0000002B-00000000" (8) Acct-Status-Type = Stop (8) Acct-Authentic = RADIUS (8) User-Name = "anonymous" (8) Framed-IP-Address = 192.168.1.113 (8) NAS-Identifier = "802aa8ac1ef9" (8) NAS-Port = 0 (8) Called-Station-Id = "82-2A-A8-AD-1E-F9:SCILEK.NET" (8) Calling-Station-Id = "00-26-C6-72-D2-F8" (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Time = 35 (8) Acct-Input-Packets = 277 (8) Acct-Output-Packets = 48 (8) Acct-Input-Octets = 35621 (8) Acct-Output-Octets = 7261 (8) Event-Timestamp = "Sep 23 2017 17:18:52 +03" (8) Acct-Terminate-Cause = User-Request (8) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default (8) preacct { (8) [preprocess] = ok (8) } # preacct = ok (8) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default (8) accounting { (8) detail: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d (8) detail: --> /var/log/radacct/192.168.0.4/detail_2017_09_23 (8) detail: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail_%Y_%m_%d expands to /var/log/radacct/192.168.0.4/detail_2017_09_23 (8) detail: EXPAND %t (8) detail: --> Sat Sep 23 17:18:52 2017 (8) [detail] = ok (8) redundant sql { (8) sql1: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (8) sql1: --> type.stop.query (8) sql1: Using query template 'query' rlm_sql (sql1): Reserved connection (0) (8) sql1: EXPAND %{User-Name} (8) sql1: --> anonymous (8) sql1: SQL-User-Name set to 'anonymous' (8) sql1: EXPAND CALL accounting_stop ('%{Acct-Session-Id}','%{SQL-User-Name}','%{Called-Station-Id}','%{Calling-Station-Id}','%{Acct-Session-Time}','%{Acct-I nput-Octets}','%{Acct-Input-Gigawords}','%{Acct-Output-Octets}','%{Acct-Output-Gigawords}','%{Acct-Terminate-Cause}') (8) sql1: --> CALL accounting_stop ('0000002B-00000000','anonymous','82-2A-A8-AD-1E-F9=3ASCILEK.NET','00-26-C6-72-D2-F8','35','35621','','7261','','User-Re quest') (8) sql1: EXPAND /var/log/sqltrace.sql (8) sql1: --> /var/log/sqltrace.sql (8) sql1: Executing query: CALL accounting_stop ('0000002B-00000000','anonymous','82-2A-A8-AD-1E-F9=3ASCILEK.NET','00-26-C6-72-D2-F8','35','35621','','7261',' ','User-Request') (8) sql1: SQL query returned: success (8) sql1: 1 record(s) updated rlm_sql (sql1): Released connection (0) rlm_sql (sql1): Closing connection (1), from 1 unused connections rlm_sql_mysql: Socket destructor called, closing socket (8) [sql1] = ok (8) } # redundant sql = ok (8) [exec] = noop (8) if (request:Acct-Status-Type == Interim-Update) { (8) if (request:Acct-Status-Type == Interim-Update) -> FALSE (8) if (Acct-Session-Time == 0) { (8) if (Acct-Session-Time == 0) -> FALSE (8) } # accounting = ok (8) Sent Accounting-Response Id 10 from 192.168.0.1:1813 to 192.168.0.4:50672 length 0 (8) Finished request (8) Cleaning up request packet ID 10 with timestamp +67 Ready to process requests --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
On Sep 23, 2017, at 11:07 AM, Selahattin Cilek <selahattin_cilek@hotmail.com> wrote:
Does 3.0.15 send the Class attribute in the Access-Accept? If not, that's the problem. No, it does not.
Well, that's the problem then.
Otherwise, look at the Access-Accept packets from the two versions. If they're different, try to make them the same. Maybe the NAS is getting excited over those differences.
How do I do that?
Make sure you have the same configuration as in v2. *Understand* what the configuration does. Run the server in debug mode, and READ THE OUTPUT. The debug output tells you what's going on, and even shows the Class attribute... repeatedly. So you've got it half done, you just need to finish it.
/usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (5) post-auth { (5) if (1) { (5) if (1) -> TRUE (5) if (1) { (5) update reply { (5) User-Name !* ANY (5) Message-Authenticator !* ANY (5) EAP-Message !* ANY (5) Proxy-State !* ANY (5) MS-MPPE-Encryption-Types !* ANY (5) MS-MPPE-Encryption-Policy !* ANY (5) MS-MPPE-Send-Key !* ANY (5) MS-MPPE-Recv-Key !* ANY (5) } # update reply = noop (5) update { (5) &outer.session-state::Class += &reply:Class[*] -> 0x5f7363696c656b
You have it updating the out session state with the Class attribute.
(5) &outer.session-state::Idle-Timeout += &reply:Idle-Timeout[*] -> 120 (5) &outer.session-state::Acct-Interim-Interval += &reply:Acct-Interim-Interval[*] -> 600 (5) &outer.session-state::Exec-Program-Wait += &reply:Exec-Program-Wait[*] -> '/usr/local/bin/bash /usr/local/etc/raddb/scripts/datacounter_auth.sh scilek' (5) } # update = noop (5) } # if (1) = noop (5) } # post-auth = noop (5) Login OK: [scilek] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8 via TLS tunnel) (5) } # server inner-tunnel-ttls (5) Virtual server sending reply (5) Class = 0x5f7363696c656b (5) Idle-Timeout = 120 (5) Acct-Interim-Interval = 600 (5) Exec-Program-Wait = "/usr/local/bin/bash
And the inner-tunnel reply contains the Class attribute.
/usr/local/etc/raddb/scripts/datacounter_auth.sh scilek" (5) eap_ttls: Got tunneled Access-Accept (5) eap: Sending EAP Success (code 3) ID 4 length 4 (5) eap: Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (5) post-auth { (5) [exec] = noop (5) } # post-auth = noop (5) Login OK: [anonymous] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8) (5) Sent Access-Accept Id 7 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0 (5) MS-MPPE-Recv-Key = 0x4ea1660394b373c00aafe60fddb13369f19ffc3cae4ae7ee41cc7ff96f5ad6d1 (5) MS-MPPE-Send-Key = 0xd3e5cea80a4275aaefb15531d3ebef6e171ddc828752b9d903ed33d0e149ff61 (5) EAP-Message = 0x03040004 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) User-Name = "anonymous"
But you never copy the Class attribute from the inner tunnel to the outer tunnel. Fix that in the inner-tunnel virtual server: post-auth { ... update outer.reply { Class += &reply:Class } That should do it. Alan DeKok.
post-auth { ... update outer.reply { Class += &reply:Class }
NEAT! That *did* do it.! Thank you very much! And while I was at it, I managed to fix the "anonymous user" problem too! post-auth { update outer.reply { User-Name += &request:User-Name Class += &reply:Class Idle-Timeout += &reply:Idle-Timeout Acct-Interim-Interval += &reply:Acct-Interim-Interval } ... } --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
participants (2)
-
Alan DeKok -
Selahattin Cilek