Certificate problem between 3.0.11 and 3.1.x
I've been migrating our RADIUS estate from 2.2.9 and 3.0.11 to 3.1.x, built from git. Thanks to help from this list last week I've got eduroam working successfully. I'm now struggling to get another SSID (machine authentication for domain-joined Windows PCs) to work. I can see that it is printing the warning: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! EAP session 0x2ab6bf0 did not finish! !! !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! however the same certificate works properly on 3.0.11. Has there been a change of behaviour in the server? Thanks, Jonathan FreeRADIUS Version 3.1.0 Copyright (C) 1999-2016 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including files in directory /etc/raddb/clients.d/ including configuration file /etc/raddb/clients.d/WISM7.conf including configuration file /etc/raddb/clients.d/YEOVIL.conf including configuration file /etc/raddb/clients.d/WISM8.conf including configuration file /etc/raddb/clients.d/WISM2.conf including configuration file /etc/raddb/clients.d/NHS-JA-GW.conf including configuration file /etc/raddb/clients.d/WISM2-HA.conf including configuration file /etc/raddb/clients.d/localhost.conf including configuration file /etc/raddb/clients.d/WISM5-HA.conf including configuration file /etc/raddb/clients.d/WISM6.conf including configuration file /etc/raddb/clients.d/roaming2.ja.net.conf including configuration file /etc/raddb/clients.d/WISM3.conf including configuration file /etc/raddb/clients.d/WISM6-HA.conf including configuration file /etc/raddb/clients.d/roaming1.ja.net-v6.conf including configuration file /etc/raddb/clients.d/monitor.conf including configuration file /etc/raddb/clients.d/roaming1.ja.net.conf including configuration file /etc/raddb/clients.d/WISM4-HA.conf including configuration file /etc/raddb/clients.d/ENGINE-SHED.conf including configuration file /etc/raddb/clients.d/NBHT.conf including configuration file /etc/raddb/clients.d/roaming0.ja.net.conf including configuration file /etc/raddb/clients.d/WISM5.conf including configuration file /etc/raddb/clients.d/BCC110.conf including configuration file /etc/raddb/clients.d/WISM1-HA.conf including configuration file /etc/raddb/clients.d/testswitch.conf including configuration file /etc/raddb/clients.d/UBHT120.conf including configuration file /etc/raddb/clients.d/WISM7-HA.conf including configuration file /etc/raddb/clients.d/adminctrl.conf including configuration file /etc/raddb/clients.d/monitor-dev.conf including configuration file /etc/raddb/clients.d/WISM4.conf including configuration file /etc/raddb/clients.d/UBHT169.conf including configuration file /etc/raddb/clients.d/WISM1.conf including configuration file /etc/raddb/clients.d/TAUNTON-NEW.conf including configuration file /etc/raddb/clients.d/F5.conf including configuration file /etc/raddb/clients.d/roaming2.ja.net-v6.conf including configuration file /etc/raddb/clients.d/WISM3-HA.conf including configuration file /etc/raddb/clients.d/WISM9.conf including configuration file /etc/raddb/clients.d/roaming0.ja.net-v6.conf including configuration file /etc/raddb/clients.d/WISM12.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/rainbowpreprocess including configuration file /etc/raddb/mods-enabled/uobdetail including configuration file /etc/raddb/mods-enabled/rainbowmschap including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/files-eduroam including configuration file /etc/raddb/mods-enabled/linelog /etc/raddb/mods-enabled/linelog[114]: Reference "${..pool}" not found /etc/raddb/mods-enabled/linelog[127]: Reference "${..pool}" not found including configuration file /etc/raddb/mods-enabled/vpimschap including configuration file /etc/raddb/mods-enabled/rainbowlog including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/eduroameap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/eduroamvlan including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/uobldap including configuration file /etc/raddb/mods-enabled/uobsql-write including configuration file /etc/raddb/mods-config/uobsql-write-queries.conf including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/eduroamlioneap including configuration file /etc/raddb/mods-enabled/logtofile including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/rainbowfiles including configuration file /etc/raddb/mods-enabled/logtosyslog including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/eduroammschap including configuration file /etc/raddb/mods-enabled/uobsql including configuration file /etc/raddb/mods-config/uobsql-queries.conf including configuration file /etc/raddb/mods-enabled/eduroaminfo including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/vpieap including configuration file /etc/raddb/mods-enabled/rainboweap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/templates.conf including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/policies including configuration file /etc/raddb/policy.d/normalization including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/eduroam-realm-checks.conf including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/get-ssid including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/vendor including configuration file /etc/raddb/policy.d/logchecker including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/rainbowmacauth including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/eduroam-partners including configuration file /etc/raddb/sites-enabled/bristolresearchnet including configuration file /etc/raddb/sites-enabled/rainbow-inner including configuration file /etc/raddb/sites-enabled/uobconsoles including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/vpi-inner including configuration file /etc/raddb/sites-enabled/rainbow including configuration file /etc/raddb/sites-enabled/eduroamalien including configuration file /etc/raddb/sites-enabled/vpi including configuration file /etc/raddb/sites-enabled/status including files in directory /etc/raddb/statusclients.d/ including configuration file /etc/raddb/statusclients.d/localhost.conf including configuration file /etc/raddb/statusclients.d/monitor-devv6.conf including configuration file /etc/raddb/statusclients.d/monitor.conf including configuration file /etc/raddb/statusclients.d/monitorv6.conf including configuration file /etc/raddb/statusclients.d/monitor-dev.conf including configuration file /etc/raddb/sites-enabled/eduroamlocal-acct including configuration file /etc/raddb/sites-enabled/eduroamlocal-auth including configuration file /etc/raddb/sites-enabled/eduroamlion-inner including configuration file /etc/raddb/sites-enabled/rainboweap-tls including configuration file /etc/raddb/sites-enabled/eduroam-inner main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 continuation_timeout = 15 max_requests = 4096 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "yes" } } radiusd: #### Loading Realms and Home Servers #### home_server jrs0 { ipaddr = 194.82.174.185 port = 1812 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server jrs0v6 { ipv6addr = 2001:630:1:128::185 port = 1812 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server jrs1 { ipaddr = 194.83.56.233 port = 1812 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server jrs1v6 { ipv6addr = 2001:630:1:12a::233 port = 1812 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server jrs2 { ipaddr = 194.83.56.249 port = 1812 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server jrs2v6 { ipv6addr = 2001:630:1:129::249 port = 1812 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server radius-dev { ipaddr = 137.222.7.119 port = 16006 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server radius-dev-v6 { ipv6addr = 2001:630:e4:81:137:222:7:119 port = 16006 type = "auth+acct" proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm LOCAL { } realm bris.ac.uk { } realm bristol.ac.uk { } home_server_pool dev { type = fail-over home_server = radius-dev home_server = radius-dev-v6 } realm dev { pool = dev } home_server_pool jrs { type = fail-over home_server = jrs1v6 home_server = jrs2v6 home_server = jrs1 home_server = jrs0v6 home_server = jrs2 home_server = jrs0 } realm jrs { pool = jrs nostrip } realm lion.bristol.ac.uk { } realm my.bristol.ac.uk { } radiusd: #### Loading Clients #### client WISM7 { ipaddr = 172.17.107.207 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM7" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client YEOVIL { ipaddr = 195.171.105.146 require_message_authenticator = no secret = <<< secret >>> shortname = "YEOVIL" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM8 { ipaddr = 172.17.107.208 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM8" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM2 { ipaddr = 172.17.107.202 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM2" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client NHS-JA-GW { ipaddr = 194.176.105.96/28 require_message_authenticator = no secret = <<< secret >>> shortname = "NHS-JA-GW" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM2-HA { ipaddr = 172.17.107.102 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM2-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> shortname = "localhost" nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM5-HA { ipaddr = 172.17.107.105 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM5-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM6 { ipaddr = 172.17.107.206 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM6" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client roaming2.ja.net { ipaddr = 194.83.56.249 require_message_authenticator = no secret = <<< secret >>> shortname = "roaming2.ja.net" virtual_server = "eduroamalien" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM3 { ipaddr = 172.17.107.203 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM3" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM6-HA { ipaddr = 172.17.107.106 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM6-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client roaming1.ja.net-v6 { ipv6addr = 2001:630:1:12a::233 require_message_authenticator = no secret = <<< secret >>> shortname = "roaming1.ja.net-v6" virtual_server = "eduroamalien" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client monitor { ipaddr = 137.222.7.147 require_message_authenticator = no secret = <<< secret >>> shortname = "monitor" nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client roaming1.ja.net { ipaddr = 194.83.56.233 require_message_authenticator = no secret = <<< secret >>> shortname = "roaming1.ja.net" virtual_server = "eduroamalien" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM4-HA { ipaddr = 172.17.107.104 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM4-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client ENGINE-SHED { ipaddr = 172.21.120.253 require_message_authenticator = no secret = <<< secret >>> shortname = "ENGINE-SHED" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client NBHT { ipaddr = 82.33.242.34 require_message_authenticator = no secret = <<< secret >>> shortname = "NBHT" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client roaming0.ja.net { ipaddr = 194.82.174.185 require_message_authenticator = no secret = <<< secret >>> shortname = "roaming0.ja.net" virtual_server = "eduroamalien" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM5 { ipaddr = 172.17.107.205 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM5" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client BCC110 { ipaddr = 193.35.235.110 require_message_authenticator = no secret = <<< secret >>> shortname = "BCC110" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM1-HA { ipaddr = 172.17.107.101 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM1-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client testswitch { ipaddr = 172.17.51.30 require_message_authenticator = no secret = <<< secret >>> shortname = "testswitch" nas_type = "cisco" virtual_server = "rainbow" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client UBHT120 { ipaddr = 10.160.155.120 require_message_authenticator = no secret = <<< secret >>> shortname = "UBHT120" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM7-HA { ipaddr = 172.17.107.107 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM7-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client adminctrl { ipaddr = 172.17.0.0/16 require_message_authenticator = no secret = <<< secret >>> shortname = "adminctrl" nas_type = "cisco" virtual_server = "rainbow" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client monitor-dev { ipaddr = 137.222.8.103 require_message_authenticator = no secret = <<< secret >>> shortname = "monitor-dev" nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM4 { ipaddr = 172.17.107.204 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM4" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client UBHT169 { ipaddr = 10.160.156.169 require_message_authenticator = no secret = <<< secret >>> shortname = "UBHT169" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM1 { ipaddr = 172.17.107.201 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM1" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client TAUNTON-NEW { ipaddr = 109.176.101.162 require_message_authenticator = no secret = <<< secret >>> shortname = "TAUNTON-NEW" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client F5 { ipaddr = 137.222.250.0/24 require_message_authenticator = no secret = <<< secret >>> shortname = "F5" nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client roaming2.ja.net-v6 { ipv6addr = 2001:630:1:129::249 require_message_authenticator = no secret = <<< secret >>> shortname = "roaming2.ja.net-v6" virtual_server = "eduroamalien" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM3-HA { ipaddr = 172.17.107.103 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM3-HA" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM9 { ipaddr = 172.17.107.209 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM9" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client roaming0.ja.net-v6 { ipv6addr = 2001:630:1:128::185 require_message_authenticator = no secret = <<< secret >>> shortname = "roaming0.ja.net-v6" virtual_server = "eduroamalien" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client WISM12 { ipaddr = 172.17.107.212 require_message_authenticator = no secret = <<< secret >>> shortname = "WISM12" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached thread pool { start_servers = 5 max_servers = 256 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 cleanup_delay = 5 max_queue_size = 65536 auto_limit_acct = no } WARNING: Ignoring "max_spare_servers = 10", forcing to "max_spare_servers = 3" listen { type = "control" listen { socket = "/var/run/radiusd/control/radiusd.sock" mode = "rw" peercred = yes } } listen { type = "auth" ipaddr = * port = 1645 recv_buff = 0 } listen { type = "acct" ipaddr = * port = 1646 recv_buff = 0 } listen { type = "auth" ipaddr = * port = 16061 recv_buff = 0 } listen { type = "acct" ipaddr = * port = 16062 recv_buff = 0 } listen { type = "auth" ipaddr = * port = 16063 recv_buff = 0 } listen { type = "acct" ipaddr = * port = 16064 recv_buff = 0 } # Creating Autz-Type = Status-Server # Creating Auth-Type = eduroameap # Creating Auth-Type = eduroamlioneap # Creating Acct-Type = Status-Server listen { type = "auth" ipaddr = * port = 16014 recv_buff = 0 } listen { type = "acct" ipaddr = * port = 16015 recv_buff = 0 } # Creating Auth-Type = PAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = rainboweap listen { type = "auth" ipaddr = * port = 16018 recv_buff = 0 } # Creating Auth-Type = vpieap listen { type = "auth" ipaddr = * port = 16028 recv_buff = 0 } listen { type = "acct" ipaddr = * port = 16029 recv_buff = 0 } listen { type = "auth" ipaddr = * port = 1812 recv_buff = 0 } listen { type = "auth" ipv6addr = :: port = 1812 recv_buff = 0 } listen { type = "auth" ipaddr = * port = 16020 recv_buff = 0 } listen { type = "acct" ipaddr = * port = 16021 recv_buff = 0 } listen { type = "status" ipaddr = * port = 18120 recv_buff = 0 client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> shortname = "localhost" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client monitor-devv6 { ipv6addr = 2001:630:e4:81:137:222:8:103 require_message_authenticator = no secret = <<< secret >>> shortname = "monitor-devv6" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client monitor { ipaddr = 137.222.7.147 require_message_authenticator = no secret = <<< secret >>> shortname = "monitor" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client monitorv6 { ipv6addr = 2001:630:e4:81:137:222:7:147 require_message_authenticator = no secret = <<< secret >>> shortname = "monitorv6" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client monitor-dev { ipaddr = 137.222.8.103 require_message_authenticator = no secret = <<< secret >>> shortname = "monitor-dev" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } } /etc/raddb/statusclients.d/localhost.conf[1]: Ignoring unknown sub-section "client" /etc/raddb/statusclients.d/monitor-devv6.conf[1]: Ignoring unknown sub-section "client" /etc/raddb/statusclients.d/monitor.conf[1]: Ignoring unknown sub-section "client" /etc/raddb/statusclients.d/monitorv6.conf[1]: Ignoring unknown sub-section "client" /etc/raddb/statusclients.d/monitor-dev.conf[1]: Ignoring unknown sub-section "client" listen { type = "acct" ipaddr = * port = 16007 recv_buff = 0 } listen { type = "auth" ipaddr = * port = 16006 recv_buff = 0 } # Creating Auth-Type = files-eduroam radiusd: #### Loading modules #### modules { # Loaded module "rlm_detail" # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module "rlm_preprocess" # Loading module "rainbowpreprocess" from file /etc/raddb/mods-enabled/rainbowpreprocess preprocess rainbowpreprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = yes with_alvarion_vsa_hack = no } # Loading module "uob_detail" from file /etc/raddb/mods-enabled/uobdetail detail uob_detail { filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/detail.log" header = "%t" permissions = 416 locking = no escape_filenames = no log_packet_header = no } # Loading module "uob_auth_log" from file /etc/raddb/mods-enabled/uobdetail detail uob_auth_log { filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = yes } # Loading module "uob_auth_log_password" from file /etc/raddb/mods-enabled/uobdetail detail uob_auth_log_password { filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "uob_reply_log" from file /etc/raddb/mods-enabled/uobdetail detail uob_reply_log { filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "uob_pre_proxy_log" from file /etc/raddb/mods-enabled/uobdetail detail uob_pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "uob_post_proxy_log" from file /etc/raddb/mods-enabled/uobdetail detail uob_post_proxy_log { filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module "rlm_mschap" # Loading module "rainbowmschap" from file /etc/raddb/mods-enabled/rainbowmschap mschap rainbowmschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{rainbowmschap:User-Name}} --challenge=%{%{rainbowmschap:Challenge}:-00} --nt-response=%{%{rainbowmschap:NT-Response}:-00}" passchange { } allow_retry = yes } # Loading module "rainbowmachinemschap" from file /etc/raddb/mods-enabled/rainbowmschap mschap rainbowmachinemschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{rainbowmschap:User-Name}} --challenge=%{%{rainbowmschap:Challenge}:-00} --nt-response=%{%{rainbowmschap:NT-Response}:-00} --require-membership-of=S-1-5-21-1117850145-1682116191-196506527-515" passchange { } allow_retry = yes } # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module "rlm_files" # Loading module "files-eduroam" from file /etc/raddb/mods-enabled/files-eduroam files files-eduroam { usersfile = "/etc/raddb/users.d/users-eduroam" } # Loaded module "rlm_linelog" # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { destination = "file" delimiter = " " file { filename = "/var/log/radius/linelog" permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { port = 514 timeout = 2.000000 } udp { port = 514 timeout = 2.000000 } } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { destination = "file" delimiter = " " file { filename = "/var/log/radius/linelog-accounting" permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loading module "vpimschap" from file /etc/raddb/mods-enabled/vpimschap mschap vpimschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{vpimschap:User-Name}} --challenge=%{vpimschap:Challenge} --nt-response=%{vpimschap:NT-Response} --require-membership-of=S-1-5-21-1117850145-1682116191-196506527-149178" passchange { } allow_retry = yes } # Loading module "rainbowlogsyslog" from file /etc/raddb/mods-enabled/rainbowlog linelog rainbowlogsyslog { destination = "syslog" delimiter = " " file { permissions = 384 escape_filenames = no } syslog { facility = "local5" severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loading module "rainbowlogfiles" from file /etc/raddb/mods-enabled/rainbowlog linelog rainbowlogfiles { destination = "file" delimiter = " " file { filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log" permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loading module "rainbowacclog" from file /etc/raddb/mods-enabled/rainbowlog linelog rainbowacclog { destination = "syslog" delimiter = " " file { permissions = 384 escape_filenames = no } syslog { facility = "local5" severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loaded module "rlm_replicate" # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module "rlm_eap" # Loading module "eduroameap" from file /etc/raddb/mods-enabled/eduroameap eap eduroameap { default_eap_type = "peap" ignore_unknown_eap_types = no cisco_accounting_username_bug = no } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" require_client_cert = yes } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key" certificate_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem" ca_file = "/etc/raddb/certs/uob-net-ca.pem" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT:!ADH:!SSLv2" ecdh_curve = "prime256v1" cache { } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner" include_length = yes require_client_cert = no } tls - Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "eduroam-inner" soh = no require_client_cert = no } tls - Using cached TLS configuration from previous invocation rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server eduroam-inner. The server cannot proxy inner-tunnel EAP packets. # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module "rlm_chap" # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module "rlm_exec" # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module "rlm_realm" # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module "rlm_dynamic_clients" # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module "rlm_digest" # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module "rlm_expr" # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module "rlm_radutmp" # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module "rlm_cache" # Loading module "eduroamvlan" from file /etc/raddb/mods-enabled/eduroamvlan cache eduroamvlan { driver = "rlm_cache_rbtree" ttl = 600 max_entries = 0 epoch = 0 add_stats = no } # Loaded module "rlm_dhcp" # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module "rlm_ldap" # Loading module "uobldap" from file /etc/raddb/mods-enabled/uobldap ldap uobldap { server = "cse-lox.ads.bris.ac.uk" port = 636 identity = "CN=iser-linauth,OU=ISER - Special Purpose Accounts,OU=ISER,DC=ads,DC=bris,DC=ac,DC=uk" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "DC=ads,DC=bris,DC=ac,DC=uk" } profile { } options { ldap_debug = 40 chase_referrals = yes use_referral_credentials = no rebind = yes session_tracking = no res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no require_cert = "allow" } } Creating attribute uobldap-LDAP-Group # Loaded module "rlm_sql" # Loading module "uobsql-write" from file /etc/raddb/mods-enabled/uobsql-write sql uobsql-write { driver = "rlm_sql_mysql" server = "db-write.nomadic-core.bris.ac.uk" port = 3306 login = "radiusd" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}" group_attribute = "uobsql-write-sql-Group" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{uobsql-write-sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{uobsql-write-sql-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" } accounting-off { query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))" query = "UPDATE radacct SET acctstarttime = '%S', acctupdatetime = '%S', connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = '%S', acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), '%S', NULL, %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '%{Connect-Info}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))" } stop { query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), '%S', '%S', %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (uobsql-write) - Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute uobsql-write-sql-Group # Loaded module "rlm_expiration" # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loading module "eduroamlioneap" from file /etc/raddb/mods-enabled/eduroamlioneap eap eduroamlioneap { default_eap_type = "peap" ignore_unknown_eap_types = no cisco_accounting_username_bug = no } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" require_client_cert = yes } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key" certificate_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem" ca_file = "/etc/raddb/certs/uob-net-ca.pem" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT:!ADH:!SSLv2" ecdh_curve = "prime256v1" cache { } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroamlion-inner" include_length = yes require_client_cert = no } tls - Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "eduroamlion-inner" soh = no require_client_cert = no } tls - Using cached TLS configuration from previous invocation rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server eduroamlion-inner. The server cannot proxy inner-tunnel EAP packets. # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loading module "logtofile" from file /etc/raddb/mods-enabled/logtofile linelog logtofile { destination = "file" delimiter = " " file { filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log" permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loaded module "rlm_always" # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loading module "rainbowfiles" from file /etc/raddb/mods-enabled/rainbowfiles files rainbowfiles { usersfile = "/etc/raddb/users.d/users-rainbow" } # Loading module "logtosyslog" from file /etc/raddb/mods-enabled/logtosyslog linelog logtosyslog { destination = "syslog" delimiter = " " file { permissions = 384 escape_filenames = no } syslog { facility = "local5" severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loaded module "rlm_attr_filter" # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" relaxed = no } # Loading module "filter.attrs.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.attrs.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/attrs.accounting_response" relaxed = no } # Loading module "filter.bristolresearchnet-a_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.bristolresearchnet-a_reject { filename = "/etc/raddb/mods-config/attr_filter/bristolresearchnet-a_reject" relaxed = no } # Loading module "filter.eduroamalien-a_accept" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamalien-a_accept { filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_accept" relaxed = no } # Loading module "filter.eduroamalien-a_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamalien-a_challenge { filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_challenge" relaxed = no } # Loading module "filter.eduroamalien-a_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamalien-a_reject { filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_reject" relaxed = no } # Loading module "filter.eduroamlocal-a_accept" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamlocal-a_accept { filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept" relaxed = no } # Loading module "filter.eduroamlocal-a_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamlocal-a_challenge { filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge" relaxed = no } # Loading module "filter.eduroamlocal-a_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamlocal-a_reject { filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject" relaxed = no } # Loading module "filter.eduroamlocal-post_proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamlocal-post_proxy { filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy" relaxed = no } # Loading module "filter.eduroamlocal-pre_proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.eduroamlocal-pre_proxy { filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy" relaxed = no } # Loading module "filter.vpi-a_accept" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.vpi-a_accept { filename = "/etc/raddb/mods-config/attr_filter/vpi-a_accept" relaxed = no } # Loading module "filter.vpi-a_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.vpi-a_challenge { filename = "/etc/raddb/mods-config/attr_filter/vpi-a_challenge" relaxed = no } # Loading module "filter.vpi-a_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter filter.vpi-a_reject { filename = "/etc/raddb/mods-config/attr_filter/vpi-a_reject" relaxed = no } # Loaded module "rlm_utf8" # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module "rlm_passwd" # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module "rlm_soh" # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module "rlm_unix" # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loading module "eduroammschap" from file /etc/raddb/mods-enabled/eduroammschap mschap eduroammschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = no retry_msg = "Verify username and re-enter your password" } # Loading module "uobsql" from file /etc/raddb/mods-enabled/uobsql sql uobsql { driver = "rlm_sql_mysql" server = "db.nomadic-core.bris.ac.uk" port = 3306 login = "radiusd" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}" group_attribute = "uobsql-sql-Group" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{uobsql-sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{uobsql-sql-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" } accounting-off { query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))" query = "UPDATE radacct SET acctstarttime = '%S', acctupdatetime = '%S', connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = '%S', acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), '%S', NULL, %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '%{Connect-Info}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))" } stop { query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), '%S', '%S', %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (uobsql) - Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute uobsql-sql-Group # Loading module "eduroaminfo" from file /etc/raddb/mods-enabled/eduroaminfo linelog eduroaminfo { destination = "syslog" delimiter = " " file { permissions = 384 escape_filenames = no } syslog { facility = "user" severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "vpieap" from file /etc/raddb/mods-enabled/vpieap eap vpieap { default_eap_type = "peap" ignore_unknown_eap_types = no cisco_accounting_username_bug = no } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" require_client_cert = yes } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/2016-vpi.wireless.bris.ac.uk.key" certificate_file = "/etc/raddb/certs/2016-vpi.wireless.bris.ac.uk.pem" ca_file = "/etc/raddb/certs/University-of-Bristol-Windows-CA.pem" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" disable_tlsv1_2 = yes cache { } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "vpi-inner" soh = no require_client_cert = no } tls - Using cached TLS configuration from previous invocation rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server vpi-inner. The server cannot proxy inner-tunnel EAP packets. # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loading module "rainboweap" from file /etc/raddb/mods-enabled/rainboweap eap rainboweap { default_eap_type = "peap" ignore_unknown_eap_types = no cisco_accounting_username_bug = no } # Linked to sub-module rlm_eap_tls tls { require_client_cert = yes virtual_server = "rainboweap-tls" } TLS section "tls" missing, trying to use legacy configuration tls { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/The-Rainbow-Edge.key" certificate_file = "/etc/raddb/certs/The-Rainbow-Edge-cert.pem" ca_file = "/etc/raddb/certs/uob-net-ca.pem" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" require_client_cert = yes ecdh_curve = "prime256v1" cache { } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "rainbow-inner" include_length = yes require_client_cert = no } TLS section "tls" missing, trying to use legacy configuration tls - Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "rainbow-inner" soh = no require_client_cert = no } TLS section "tls" missing, trying to use legacy configuration tls - Using cached TLS configuration from previous invocation rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server rainbow-inner. The server cannot proxy inner-tunnel EAP packets. # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module "rlm_unpack" # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module "rlm_pap" # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module "rlm_logintime" # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } instantiate { } } # modules # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "rainbowpreprocess" from file /etc/raddb/mods-enabled/rainbowpreprocess # Instantiating module "uob_detail" from file /etc/raddb/mods-enabled/uobdetail rlm_detail (uob_detail) - 'User-Password' suppressed, will not appear in detail output # Instantiating module "uob_auth_log" from file /etc/raddb/mods-enabled/uobdetail rlm_detail (uob_auth_log) - 'User-Password' suppressed, will not appear in detail output # Instantiating module "uob_auth_log_password" from file /etc/raddb/mods-enabled/uobdetail # Instantiating module "uob_reply_log" from file /etc/raddb/mods-enabled/uobdetail # Instantiating module "uob_pre_proxy_log" from file /etc/raddb/mods-enabled/uobdetail # Instantiating module "uob_post_proxy_log" from file /etc/raddb/mods-enabled/uobdetail # Instantiating module "rainbowmschap" from file /etc/raddb/mods-enabled/rainbowmschap rainbowmschap : authenticating by calling 'ntlm_auth' # Instantiating module "rainbowmachinemschap" from file /etc/raddb/mods-enabled/rainbowmschap rainbowmachinemschap : authenticating by calling 'ntlm_auth' # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap: using internal authentication # Instantiating module "files-eduroam" from file /etc/raddb/mods-enabled/files-eduroam reading file /etc/raddb/users.d/users-eduroam # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "vpimschap" from file /etc/raddb/mods-enabled/vpimschap vpimschap : authenticating by calling 'ntlm_auth' # Instantiating module "rainbowlogsyslog" from file /etc/raddb/mods-enabled/rainbowlog # Instantiating module "rainbowlogfiles" from file /etc/raddb/mods-enabled/rainbowlog # Instantiating module "rainbowacclog" from file /etc/raddb/mods-enabled/rainbowlog # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading file /etc/raddb/mods-config/files/authorize reading file /etc/raddb/mods-config/files/accounting reading file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "eduroamvlan" from file /etc/raddb/mods-enabled/eduroamvlan eduroamvlan - Driver rlm_cache_rbtree loaded and linked # Instantiating module "uobldap" from file /etc/raddb/mods-enabled/uobldap rlm_ldap (uobldap) - libldap vendor: OpenLDAP, version: 20440 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (uobldap) - Initialising connection pool pool { start = 5 min = 3 max = 5 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 connect_timeout = 3.000000 held_trigger_min = 0.000000 held_trigger_max = 0.500000 retry_delay = 30 spread = no } rlm_ldap (uobldap) - WARNING: Ignoring "spare = 10", forcing to "spare = 2" rlm_ldap (uobldap) - Opening additional connection (0), 1 of 5 pending slots used rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636 rlm_ldap (uobldap) - Waiting for bind result... rlm_ldap (uobldap) - Bind successful rlm_ldap (uobldap) - Performing search in "" with filter "(objectclass=*)", scope "base" rlm_ldap (uobldap) - Waiting for search result... rlm_ldap (uobldap) - Directory type: Active Directory rlm_ldap (uobldap) - Opening additional connection (1), 1 of 4 pending slots used rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636 rlm_ldap (uobldap) - Waiting for bind result... rlm_ldap (uobldap) - Bind successful rlm_ldap (uobldap) - Opening additional connection (2), 1 of 3 pending slots used rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636 rlm_ldap (uobldap) - Waiting for bind result... rlm_ldap (uobldap) - Bind successful rlm_ldap (uobldap) - Opening additional connection (3), 1 of 2 pending slots used rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636 rlm_ldap (uobldap) - Waiting for bind result... rlm_ldap (uobldap) - Bind successful rlm_ldap (uobldap) - Opening additional connection (4), 1 of 1 pending slots used rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636 rlm_ldap (uobldap) - Waiting for bind result... rlm_ldap (uobldap) - Bind successful # Instantiating module "uobsql-write" from file /etc/raddb/mods-enabled/uobsql-write rlm_sql_mysql - libmysql version: 5.5.44-MariaDB mysql { tls { } warnings = "auto" } rlm_sql (uobsql-write) - Attempting to connect to database "radius" rlm_sql (uobsql-write) - Initialising connection pool pool { start = 1 min = 1 max = 2 spare = 1 uses = 10000 lifetime = 300 cleanup_interval = 30 idle_timeout = 60 connect_timeout = 3.000000 held_trigger_min = 0.000000 held_trigger_max = 0.500000 retry_delay = 2 spread = no } rlm_sql (uobsql-write) - Opening additional connection (0), 1 of 2 pending slots used rlm_sql_mysql - Starting connect to MySQL server rlm_sql_mysql - Connected to database 'radius' on db-write.nomadic-core.bris.ac.uk via TCP/IP, server version 5.5.48-MariaDB-wsrep, protocol version 10 # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "logtofile" from file /etc/raddb/mods-enabled/logtofile # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "rainbowfiles" from file /etc/raddb/mods-enabled/rainbowfiles reading file /etc/raddb/users.d/users-rainbow # Instantiating module "logtosyslog" from file /etc/raddb/mods-enabled/logtosyslog # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "filter.attrs.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/attrs.accounting_response # Instantiating module "filter.bristolresearchnet-a_reject" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/bristolresearchnet-a_reject # Instantiating module "filter.eduroamalien-a_accept" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_accept # Instantiating module "filter.eduroamalien-a_challenge" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_challenge # Instantiating module "filter.eduroamalien-a_reject" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_reject # Instantiating module "filter.eduroamlocal-a_accept" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept # Instantiating module "filter.eduroamlocal-a_challenge" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge # Instantiating module "filter.eduroamlocal-a_reject" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject # Instantiating module "filter.eduroamlocal-post_proxy" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy # Instantiating module "filter.eduroamlocal-pre_proxy" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy # Instantiating module "filter.vpi-a_accept" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/vpi-a_accept # Instantiating module "filter.vpi-a_challenge" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/vpi-a_challenge # Instantiating module "filter.vpi-a_reject" from file /etc/raddb/mods-enabled/attr_filter reading file /etc/raddb/mods-config/attr_filter/vpi-a_reject # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache_eap - Driver rlm_cache_rbtree loaded and linked # Instantiating module "eduroammschap" from file /etc/raddb/mods-enabled/eduroammschap rlm_mschap (eduroammschap) - Initialising connection pool pool { start = 5 min = 3 max = 256 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 connect_timeout = 3.000000 held_trigger_min = 0.000000 held_trigger_max = 0.500000 retry_delay = 30 spread = no } rlm_mschap (eduroammschap) - Opening additional connection (0), 1 of 256 pending slots used rlm_mschap (eduroammschap) - Opening additional connection (1), 1 of 255 pending slots used rlm_mschap (eduroammschap) - Opening additional connection (2), 1 of 254 pending slots used rlm_mschap (eduroammschap) - Opening additional connection (3), 1 of 253 pending slots used rlm_mschap (eduroammschap) - Opening additional connection (4), 1 of 252 pending slots used eduroammschap : authenticating directly to winbind # Instantiating module "uobsql" from file /etc/raddb/mods-enabled/uobsql mysql { tls { } warnings = "auto" } rlm_sql (uobsql) - Attempting to connect to database "radius" rlm_sql (uobsql) - Initialising connection pool pool { start = 1 min = 1 max = 8 spare = 1 uses = 10000 lifetime = 300 cleanup_interval = 30 idle_timeout = 60 connect_timeout = 3.000000 held_trigger_min = 0.000000 held_trigger_max = 0.500000 retry_delay = 2 spread = no } rlm_sql (uobsql) - Opening additional connection (0), 1 of 8 pending slots used rlm_sql_mysql - Starting connect to MySQL server rlm_sql_mysql - Connected to database 'radius' on db.nomadic-core.bris.ac.uk via TCP/IP, server version 5.5.48-MariaDB-wsrep, protocol version 10 # Instantiating module "eduroaminfo" from file /etc/raddb/mods-enabled/eduroaminfo # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading file /etc/raddb/mods-config/preprocess/huntgroups reading file /etc/raddb/mods-config/preprocess/hints # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime radiusd: #### Loading Virtual Servers #### server eduroam-partners { # from file /etc/raddb/sites-enabled/eduroam-partners } # server eduroam-partners server bristolresearchnet { # from file /etc/raddb/sites-enabled/bristolresearchnet } # server bristolresearchnet server rainbow-inner { # from file /etc/raddb/sites-enabled/rainbow-inner } # server rainbow-inner server uobconsoles { # from file /etc/raddb/sites-enabled/uobconsoles } # server uobconsoles server vpi-inner { # from file /etc/raddb/sites-enabled/vpi-inner } # server vpi-inner server rainbow { # from file /etc/raddb/sites-enabled/rainbow } # server rainbow server eduroamalien { # from file /etc/raddb/sites-enabled/eduroamalien } # server eduroamalien server vpi { # from file /etc/raddb/sites-enabled/vpi } # server vpi server status { # from file /etc/raddb/sites-enabled/status } # server status server eduroamlocal-acct { # from file /etc/raddb/sites-enabled/eduroamlocal-acct } # server eduroamlocal-acct server eduroamlocal-auth { # from file /etc/raddb/sites-enabled/eduroamlocal-auth } # server eduroamlocal-auth server eduroamlion-inner { # from file /etc/raddb/sites-enabled/eduroamlion-inner } # server eduroamlion-inner server rainboweap-tls { # from file /etc/raddb/sites-enabled/rainboweap-tls } # server rainboweap-tls server eduroam-inner { # from file /etc/raddb/sites-enabled/eduroam-inner } # server eduroam-inner radiusd: #### Opening IP addresses and Ports #### Listening on command file /var/run/radiusd/control/radiusd.sock Listening on auth address * port 1645 bound to server eduroam-partners Listening on acct address * port 1646 bound to server eduroam-partners Listening on auth address * port 16061 bound to server eduroam-partners Listening on acct address * port 16062 bound to server eduroam-partners Listening on auth address * port 16063 bound to server eduroam-partners Listening on acct address * port 16064 bound to server eduroam-partners Listening on auth address * port 16014 bound to server bristolresearchnet Listening on acct address * port 16015 bound to server bristolresearchnet Listening on auth address * port 16018 bound to server uobconsoles Listening on auth address * port 16028 bound to server rainbow Listening on acct address * port 16029 bound to server rainbow Listening on auth address * port 1812 bound to server eduroamalien Listening on auth address :: port 1812 bound to server eduroamalien Listening on auth address * port 16020 bound to server vpi Listening on acct address * port 16021 bound to server vpi Listening on status address * port 18120 bound to server status Listening on acct address * port 16007 bound to server eduroamlocal-acct Listening on auth address * port 16006 bound to server eduroamlocal-auth Listening on proxy address * port 48159 Listening on proxy address :: port 46124 Ready to process requests (0) Received Access-Request Id 156 from 172.17.107.208:32770 to 137.222.8.134:16020 via ens192 length 322 (0) User-Name = "host/IT051252.users.bris.ac.uk" (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "c4:85:08:a9:05:24" (0) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs" (0) NAS-Port = 13 (0) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35" (0) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627" (0) NAS-IP-Address = 172.17.107.208 (0) NAS-Identifier = "wism8" (0) Airespace-Wlan-Id = 3 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "547" (0) EAP-Message = 0x0202002301686f73742f49543035313235322e75736572732e627269732e61632e756b (0) Message-Authenticator = 0x210eb8a98c17341f7b1831b8224f1ca9 (0) Running section authorize from file /etc/raddb/sites-enabled/vpi (0) authorize { (0) wism-checks { (0) if (Service-Type == "NAS-Prompt-User") { (0) ... (0) } (0) } # wism-checks (notfound) (0) preprocess (ok) (0) uob_auth_log - EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log (0) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log (0) uob_auth_log - /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/vpi/auth-detail.log (0) uob_auth_log - EXPAND %t (0) uob_auth_log - --> Tue Mar 15 14:59:02 2016 (0) uob_auth_log (ok) (0) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) { (0) ... (0) } (0) vpieap - Peer sent EAP Response (code 2) ID 2 length 35 (0) vpieap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (0) vpieap (ok) (0) } # authorize (ok) (0) Using 'Auth-Type = vpieap' for authenticate {...} (0) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi (0) authenticate { (0) vpieap - Peer sent packet with EAP method Identity (1) (0) vpieap - Calling submodule eap_peap to process data (0) eap_peap - Initiating new EAP-TLS session (0) vpieap - Sending EAP Request (code 1) ID 3 length 6 (0) vpieap (handled) (0) } # authenticate (handled) (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (0) Sent Access-Challenge Id 156 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x01016e00b7ba0f346d696f996ec2a586 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 157 from 172.17.107.208:32770 to 137.222.8.134:16020 via ens192 length 412 (1) User-Name = "host/IT051252.users.bris.ac.uk" (1) Chargeable-User-Identity = 0x00 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "c4:85:08:a9:05:24" (1) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs" (1) NAS-Port = 13 (1) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35" (1) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627" (1) NAS-IP-Address = 172.17.107.208 (1) NAS-Identifier = "wism8" (1) Airespace-Wlan-Id = 3 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "547" (1) EAP-Message = 0x0203006b198000000061160301005c01000058030156e82335df750bf907213b69795c99dd0e5a0fd9cafa4e22e72034f7067ec9cb000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 (1) State = 0x01016e00b7ba0f346d696f996ec2a586 (1) Message-Authenticator = 0x8ce96eef1c29f0f8b418aa5516a813f4 (1) Running section authorize from file /etc/raddb/sites-enabled/vpi (1) authorize { (1) wism-checks { (1) if (Service-Type == "NAS-Prompt-User") { (1) ... (1) } (1) } # wism-checks (notfound) (1) preprocess (ok) (1) uob_auth_log - EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log (1) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log (1) uob_auth_log - /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/vpi/auth-detail.log (1) uob_auth_log - EXPAND %t (1) uob_auth_log - --> Tue Mar 15 14:59:02 2016 (1) uob_auth_log (ok) (1) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) { (1) ... (1) } (1) vpieap - Peer sent EAP Response (code 2) ID 3 length 107 (1) vpieap - Continuing tunnel setup (1) vpieap (ok) (1) } # authorize (ok) (1) Using 'Auth-Type = vpieap' for authenticate {...} (1) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi (1) authenticate { (1) vpieap - Peer sent packet with EAP method PEAP (25) (1) vpieap - Calling submodule eap_peap to process data (1) eap_peap - Continuing EAP-TLS (1) eap_peap - Peer indicated complete TLS record size will be 97 bytes (1) eap_peap - Got complete TLS record, with length field (97 bytes) (1) eap_peap - [eap-tls verify] = ok (1) eap_peap - before/accept initialization (1) eap_peap - TLS Accept: before/accept initialization (1) eap_peap - <<< recv handshake [length 92], client_hello (1) eap_peap - TLS Accept: SSLv3 read client hello A (1) eap_peap - >>> send handshake [length 57], server_hello (1) eap_peap - TLS Accept: SSLv3 write server hello A (1) eap_peap - >>> send handshake [length 1833], certificate (1) eap_peap - TLS Accept: SSLv3 write certificate A (1) eap_peap - >>> send handshake [length 331], server_key_exchange (1) eap_peap - TLS Accept: SSLv3 write key exchange A (1) eap_peap - >>> send handshake [length 4], server_hello_done (1) eap_peap - TLS Accept: SSLv3 write server done A (1) eap_peap - TLS Accept: SSLv3 flush data (1) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap - In TLS handshake phase (1) eap_peap - In TLS accept mode (1) eap_peap - Complete TLS record (2245 bytes) larger than MTU (1000 bytes), will fragment (1) eap_peap - Sending first TLS record fragment (1000 bytes), 1245 bytes remaining (1) eap_peap - [eap-tls process] = handled (1) vpieap - Sending EAP Request (code 1) ID 4 length 1010 (1) vpieap (handled) (1) } # authenticate (handled) (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (1) Sent Access-Challenge Id 157 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (1) EAP-Message = 0x010403f219c0000008c5160301003902000035030156e823361b5cba1ccb77c8d1c2d294e5648fa5293f6acb6c7e0b210e9899de6e00c01400000dff01000100000b00040300010216030107290b0007250007220002dc308202d830820282020410456227300d06092a864886f70d01010b05003081bf (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x02036e003ffa67036d696f996ec2a586 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 158 from 172.17.107.208:32770 to 137.222.8.134:16020 via ens192 length 311 (2) User-Name = "host/IT051252.users.bris.ac.uk" (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "c4:85:08:a9:05:24" (2) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs" (2) NAS-Port = 13 (2) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35" (2) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627" (2) NAS-IP-Address = 172.17.107.208 (2) NAS-Identifier = "wism8" (2) Airespace-Wlan-Id = 3 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "547" (2) EAP-Message = 0x020400061900 (2) State = 0x02036e003ffa67036d696f996ec2a586 (2) Message-Authenticator = 0x2973017c64efccc5305299b5fdd47e3d (2) Running section authorize from file /etc/raddb/sites-enabled/vpi (2) authorize { (2) wism-checks { (2) if (Service-Type == "NAS-Prompt-User") { (2) ... (2) } (2) } # wism-checks (notfound) (2) preprocess (ok) (2) uob_auth_log - EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log (2) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log (2) uob_auth_log - /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/vpi/auth-detail.log (2) uob_auth_log - EXPAND %t (2) uob_auth_log - --> Tue Mar 15 14:59:02 2016 (2) uob_auth_log (ok) (2) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) { (2) ... (2) } (2) vpieap - Peer sent EAP Response (code 2) ID 4 length 6 (2) vpieap - Continuing tunnel setup (2) vpieap (ok) (2) } # authorize (ok) (2) Using 'Auth-Type = vpieap' for authenticate {...} (2) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi (2) authenticate { (2) vpieap - Peer sent packet with EAP method PEAP (25) (2) vpieap - Calling submodule eap_peap to process data (2) eap_peap - Continuing EAP-TLS (2) eap_peap - Peer ACKed our handshake fragment (2) eap_peap - [eap-tls verify] = request (2) eap_peap - Sending additional TLS record fragment (1004 bytes), 241 bytes remaining (2) eap_peap - [eap-tls process] = handled (2) vpieap - Sending EAP Request (code 1) ID 5 length 1010 (2) vpieap (handled) (2) } # authenticate (handled) (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (2) Sent Access-Challenge Id 158 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (2) EAP-Message = 0x010503f219402053657276696365733129302706035504031320556e6976657273697479206f662042726973746f6c2057696e646f7773204341301e170d3033303131303130323733375a170d3233303131303130333531315a3081bf3125302306092a864886f70d010901161663612d61646d696e40 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x03016e00b7ba0f346d696f996ec2a586 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 159 from 172.17.107.208:32770 to 137.222.8.134:16020 via ens192 length 311 (3) User-Name = "host/IT051252.users.bris.ac.uk" (3) Chargeable-User-Identity = 0x00 (3) Location-Capable = Civix-Location (3) Calling-Station-Id = "c4:85:08:a9:05:24" (3) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs" (3) NAS-Port = 13 (3) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35" (3) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627" (3) NAS-IP-Address = 172.17.107.208 (3) NAS-Identifier = "wism8" (3) Airespace-Wlan-Id = 3 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = "547" (3) EAP-Message = 0x020500061900 (3) State = 0x03016e00b7ba0f346d696f996ec2a586 (3) Message-Authenticator = 0x98cabe8901eb9b85dccb9e16a30658c2 (3) Running section authorize from file /etc/raddb/sites-enabled/vpi (3) authorize { (3) wism-checks { (3) if (Service-Type == "NAS-Prompt-User") { (3) ... (3) } (3) } # wism-checks (notfound) (3) preprocess (ok) (3) uob_auth_log - EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log (3) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log (3) uob_auth_log - /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/vpi/auth-detail.log (3) uob_auth_log - EXPAND %t (3) uob_auth_log - --> Tue Mar 15 14:59:02 2016 (3) uob_auth_log (ok) (3) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) { (3) ... (3) } (3) vpieap - Peer sent EAP Response (code 2) ID 5 length 6 (3) vpieap - Continuing tunnel setup (3) vpieap (ok) (3) } # authorize (ok) (3) Using 'Auth-Type = vpieap' for authenticate {...} (3) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi (3) authenticate { (3) vpieap - Peer sent packet with EAP method PEAP (25) (3) vpieap - Calling submodule eap_peap to process data (3) eap_peap - Continuing EAP-TLS (3) eap_peap - Peer ACKed our handshake fragment (3) eap_peap - [eap-tls verify] = request (3) eap_peap - Sending final TLS record fragment (241 bytes) (3) eap_peap - [eap-tls process] = handled (3) vpieap - Sending EAP Request (code 1) ID 6 length 247 (3) vpieap (handled) (3) } # authenticate (handled) (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (3) Sent Access-Challenge Id 159 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (3) EAP-Message = 0x010600f71900ebe0344cb4e5d4ac912e10789408d80c66f81fd27cddd89c4c4a4dc3ae440f0cc86f59ca46e8ff75376eb7910a0af3153626fe0cf81027c02f568b1e56e2656a4191c98103f0da0f1ff061a21c81756cc2aec65066916bda86078229a217c291a4cb982853454ddb46b5e54200d5fd06d4 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x04076e003ffa67036d696f996ec2a586 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 160 from 172.17.107.208:32770 to 137.222.8.134:16020 via ens192 length 449 (4) User-Name = "host/IT051252.users.bris.ac.uk" (4) Chargeable-User-Identity = 0x00 (4) Location-Capable = Civix-Location (4) Calling-Station-Id = "c4:85:08:a9:05:24" (4) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs" (4) NAS-Port = 13 (4) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35" (4) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627" (4) NAS-IP-Address = 172.17.107.208 (4) NAS-Identifier = "wism8" (4) Airespace-Wlan-Id = 3 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = "547" (4) EAP-Message = 0x020600901980000000861603010046100000424104647ecb7be9097a5ded8a15cad2f20782f73ac6dc656b780709999a57827e73a8fe8e6a1b0e84a16922438dc84d05ae35ea7a5ea9a0dde79187142978e52f2b8a14030100010116030100306891fee4d9c9dc571d75c0f76b02e5725a63f2d65a9a70 (4) State = 0x04076e003ffa67036d696f996ec2a586 (4) Message-Authenticator = 0x88fc7f16291a306da34adbcad2b075d8 (4) Running section authorize from file /etc/raddb/sites-enabled/vpi (4) authorize { (4) wism-checks { (4) if (Service-Type == "NAS-Prompt-User") { (4) ... (4) } (4) } # wism-checks (notfound) (4) preprocess (ok) (4) uob_auth_log - EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log (4) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log (4) uob_auth_log - /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/vpi/auth-detail.log (4) uob_auth_log - EXPAND %t (4) uob_auth_log - --> Tue Mar 15 14:59:02 2016 (4) uob_auth_log (ok) (4) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) { (4) ... (4) } (4) vpieap - Peer sent EAP Response (code 2) ID 6 length 144 (4) vpieap - Continuing tunnel setup (4) vpieap (ok) (4) } # authorize (ok) (4) Using 'Auth-Type = vpieap' for authenticate {...} (4) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi (4) authenticate { (4) vpieap - Peer sent packet with EAP method PEAP (25) (4) vpieap - Calling submodule eap_peap to process data (4) eap_peap - Continuing EAP-TLS (4) eap_peap - Peer indicated complete TLS record size will be 134 bytes (4) eap_peap - Got complete TLS record, with length field (134 bytes) (4) eap_peap - [eap-tls verify] = ok (4) eap_peap - <<< recv handshake [length 70], client_key_exchange (4) eap_peap - TLS Accept: SSLv3 read client key exchange A (4) eap_peap - <<< recv change_cipher_spec [length 1] (4) eap_peap - <<< recv handshake [length 16], finished (4) eap_peap - TLS Accept: SSLv3 read finished A (4) eap_peap - >>> send change_cipher_spec [length 1] (4) eap_peap - TLS Accept: SSLv3 write change cipher spec A (4) eap_peap - >>> send handshake [length 16], finished (4) eap_peap - TLS Accept: SSLv3 write finished A (4) eap_peap - TLS Accept: SSLv3 flush data (4) eap_peap - SSL negotiation finished successfully (4) eap_peap - TLS established with cipher suite: ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 (4) eap_peap - Sending complete TLS record (59 bytes) (4) eap_peap - [eap-tls process] = handled (4) vpieap - Sending EAP Request (code 1) ID 7 length 69 (4) vpieap (handled) (4) } # authenticate (handled) (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (4) Sent Access-Challenge Id 160 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (4) EAP-Message = 0x0107004519800000003b14030100010116030100306fdc388f829843e06f869eeae13afdf94ba2efe759a91d60b7a147cb1663ee604ab474b08aaf072259723668fe0c447b (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x05016e00b7ba0f346d696f996ec2a586 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 161 from 172.17.107.208:32770 to 137.222.8.134:16020 via ens192 length 311 (5) User-Name = "host/IT051252.users.bris.ac.uk" (5) Chargeable-User-Identity = 0x00 (5) Location-Capable = Civix-Location (5) Calling-Station-Id = "c4:85:08:a9:05:24" (5) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs" (5) NAS-Port = 13 (5) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35" (5) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627" (5) NAS-IP-Address = 172.17.107.208 (5) NAS-Identifier = "wism8" (5) Airespace-Wlan-Id = 3 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = "547" (5) EAP-Message = 0x020700061900 (5) State = 0x05016e00b7ba0f346d696f996ec2a586 (5) Message-Authenticator = 0x96dc59cdbca6df009be0b9cbd5443481 (5) Running section authorize from file /etc/raddb/sites-enabled/vpi (5) authorize { (5) wism-checks { (5) if (Service-Type == "NAS-Prompt-User") { (5) ... (5) } (5) } # wism-checks (notfound) (5) preprocess (ok) (5) uob_auth_log - EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log (5) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log (5) uob_auth_log - /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/vpi/auth-detail.log (5) uob_auth_log - EXPAND %t (5) uob_auth_log - --> Tue Mar 15 14:59:02 2016 (5) uob_auth_log (ok) (5) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) { (5) ... (5) } (5) vpieap - Peer sent EAP Response (code 2) ID 7 length 6 (5) vpieap - Continuing tunnel setup (5) vpieap (ok) (5) } # authorize (ok) (5) Using 'Auth-Type = vpieap' for authenticate {...} (5) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi (5) authenticate { (5) vpieap - Peer sent packet with EAP method PEAP (25) (5) vpieap - Calling submodule eap_peap to process data (5) eap_peap - Continuing EAP-TLS (5) eap_peap - Peer ACKed our handshake fragment. handshake is finished (5) eap_peap - [eap-tls verify] = success (5) eap_peap - [eap-tls process] = success (5) eap_peap - Session established. Decoding tunneled data (5) eap_peap - PEAP state TUNNEL ESTABLISHED (5) eap_peap - Sending complete TLS record (37 bytes) (5) vpieap - Sending EAP Request (code 1) ID 8 length 47 (5) vpieap (handled) (5) } # authenticate (handled) (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (5) Sent Access-Challenge Id 161 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (5) EAP-Message = 0x0108002f19800000002517030100205f34f3a684a6f8a6c27272a92b19c76ee8552b4ea7b442e2ff9d4c5027a36f41 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x06036e003ffa67036d696f996ec2a586 (5) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 156 with timestamp +3 (1) Cleaning up request packet ID 157 with timestamp +3 (2) Cleaning up request packet ID 158 with timestamp +3 (3) Cleaning up request packet ID 159 with timestamp +3 (4) Cleaning up request packet ID 160 with timestamp +3 (5) Cleaning up request packet ID 161 with timestamp +3 Ready to process requests Ready to process requests Signalled to terminate Exiting normally !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! EAP session 0x2ab6bf0 did not finish! !! !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_sql (uobsql) - Removing connection pool rlm_sql (uobsql) - Closing connection (0) rlm_sql_mysql - Socket destructor called, closing socket rlm_mschap (eduroammschap) - Removing connection pool rlm_mschap (eduroammschap) - Closing connection (4) rlm_mschap (eduroammschap) - Closing connection (3) rlm_mschap (eduroammschap) - Closing connection (2) rlm_mschap (eduroammschap) - Closing connection (1) rlm_mschap (eduroammschap) - Closing connection (0) rlm_sql (uobsql-write) - Removing connection pool rlm_sql (uobsql-write) - Closing connection (0) rlm_sql_mysql - Socket destructor called, closing socket rlm_ldap (uobldap) - Removing connection pool rlm_ldap (uobldap) - Closing connection (4) rlm_ldap (uobldap) - Closing connection (3) rlm_ldap (uobldap) - Closing connection (2) rlm_ldap (uobldap) - Closing connection (1) rlm_ldap (uobldap) - Closing connection (0) -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol
On 15 Mar 2016, at 15:14, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
I've been migrating our RADIUS estate from 2.2.9 and 3.0.11 to 3.1.x, built from git. Thanks to help from this list last week I've got eduroam working successfully. I'm now struggling to get another SSID (machine authentication for domain-joined Windows PCs) to work.
I can see that it is printing the warning:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! EAP session 0x2ab6bf0 did not finish! !! !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Doesn't look like a certificate problem. Looks like inner EAP method negotiation failing (client doesn't respond). -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 15 Mar 2016, at 15:41, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 15 Mar 2016, at 15:14, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
I've been migrating our RADIUS estate from 2.2.9 and 3.0.11 to 3.1.x, built from git. Thanks to help from this list last week I've got eduroam working successfully. I'm now struggling to get another SSID (machine authentication for domain-joined Windows PCs) to work.
I can see that it is printing the warning:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! EAP session 0x2ab6bf0 did not finish! !! !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Doesn't look like a certificate problem. Looks like inner EAP method negotiation failing (client doesn't respond).
Any idea what machine auth actually is. Is it something weird like EAP-TLS in EAP-TLS? Could be an MTU issue if that's the case. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Tue, Mar 15, 2016 at 03:53:25PM +0000, Jonathan Gazeley wrote:
On 15/03/16 15:47, Arran Cudbard-Bell wrote:
Any idea what machine auth actually is. Is it something weird like EAP-TLS in EAP-TLS?
It's EAP-PEAP using the default Windows supplicant.
What's the inner? MSCHAPv2 or EAP-TLS. i.e "Machine auth" with domain credentials (machine account p/w) or certificates? PEAP/EAP-TLS runs into MTU issues as Arran said, but I'd expect that to be the same on 3.0.x and 3.1.x. But you probably need to enable debugging on the Windows supplicant side and see what it's complaining about. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 15/03/16 16:00, Matthew Newton wrote:
On Tue, Mar 15, 2016 at 03:53:25PM +0000, Jonathan Gazeley wrote:
On 15/03/16 15:47, Arran Cudbard-Bell wrote:
Any idea what machine auth actually is. Is it something weird like EAP-TLS in EAP-TLS?
It's EAP-PEAP using the default Windows supplicant.
What's the inner? MSCHAPv2 or EAP-TLS.
MSCHAPv2.
i.e "Machine auth" with domain credentials (machine account p/w) or certificates?
With domain credentials.
PEAP/EAP-TLS runs into MTU issues as Arran said, but I'd expect that to be the same on 3.0.x and 3.1.x. But you probably need to enable debugging on the Windows supplicant side and see what it's complaining about.
Groan. I'm not a Windows guy :) I'm just puzzled by the apparent difference in behaviour between 3.0.11 and 3.1.x when neither the certificates nor the clients have been changed. I'll keep looking. Thanks, Jonathan
On 15/03/16 16:06, Jonathan Gazeley wrote:
On 15/03/16 16:00, Matthew Newton wrote:
On Tue, Mar 15, 2016 at 03:53:25PM +0000, Jonathan Gazeley wrote:
On 15/03/16 15:47, Arran Cudbard-Bell wrote:
Any idea what machine auth actually is. Is it something weird like EAP-TLS in EAP-TLS?
It's EAP-PEAP using the default Windows supplicant.
What's the inner? MSCHAPv2 or EAP-TLS.
MSCHAPv2.
i.e "Machine auth" with domain credentials (machine account p/w) or certificates?
With domain credentials.
PEAP/EAP-TLS runs into MTU issues as Arran said, but I'd expect that to be the same on 3.0.x and 3.1.x. But you probably need to enable debugging on the Windows supplicant side and see what it's complaining about.
Groan. I'm not a Windows guy :)
I'm just puzzled by the apparent difference in behaviour between 3.0.11 and 3.1.x when neither the certificates nor the clients have been changed. I'll keep looking.
Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released. Thanks to everyone who helped with our troubleshooting. Jonathan
On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
If you have time... it would help to know when 3.1 stopped working. You could grab a copy of 3.1 from early 2015, and see if it works. If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't. That would at least help us narrow down what changed. And would likely allow us to fix the problem. Alan DeKok.
On 16 Mar 2016, at 16:44, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
If you have time... it would help to know when 3.1 stopped working. You could grab a copy of 3.1 from early 2015, and see if it works. If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
That would at least help us narrow down what changed. And would likely allow us to fix the problem.
Using current v3.1.x HEAD and running with -Xxx or a debug condition with debug level 3 set would also help. We could compare the unencrypted tunnel data to what we see with wpa_supplicant and see what's different. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hmm, this thread got me interested - we were running 3.1.0 # 390f216 (around april 2015 I think) up until recently and it was fine with PEAP-EAP-MSCHAPv2/TLS, not that we used it much, but I did test it. Now with our last git pull (64aa7f9) it doesn't work, same message about EAP not finishing. It also behaves the same with PEAP-EAP-TLS. Hopefully that helps a bit, but I understand it's quite a wide time-span. eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! eap: !! EAP session 0x17ac0b0 did not finish! !! eap: !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thanks Andy -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: 16 March 2016 18:38 To: FreeRadius users mailing list Subject: Re: Certificate problem between 3.0.11 and 3.1.x
On 16 Mar 2016, at 16:44, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
If you have time... it would help to know when 3.1 stopped working. You could grab a copy of 3.1 from early 2015, and see if it works. If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
That would at least help us narrow down what changed. And would likely allow us to fix the problem.
Using current v3.1.x HEAD and running with -Xxx or a debug condition with debug level 3 set would also help. We could compare the unencrypted tunnel data to what we see with wpa_supplicant and see what's different. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Top posting quickly... If you could help narrow down the commit range, that would help enormously. Even 4 attempts at a binary search of the commit range would take it from a year to a few weeks. That would likely give us sufficient information to find and fix it. Or, if you have a test client VM, that would help too. EAP interoperability problems are a major problem, and are VERY high priority for us. Many, many people are affected, so the fixes are critical.
On Mar 17, 2016, at 7:03 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Hmm, this thread got me interested - we were running 3.1.0 # 390f216 (around april 2015 I think) up until recently and it was fine with PEAP-EAP-MSCHAPv2/TLS, not that we used it much, but I did test it. Now with our last git pull (64aa7f9) it doesn't work, same message about EAP not finishing. It also behaves the same with PEAP-EAP-TLS. Hopefully that helps a bit, but I understand it's quite a wide time-span.
eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! eap: !! EAP session 0x17ac0b0 did not finish! !! eap: !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thanks Andy
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: 16 March 2016 18:38 To: FreeRadius users mailing list Subject: Re: Certificate problem between 3.0.11 and 3.1.x
On 16 Mar 2016, at 16:44, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
If you have time... it would help to know when 3.1 stopped working. You could grab a copy of 3.1 from early 2015, and see if it works. If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
That would at least help us narrow down what changed. And would likely allow us to fix the problem.
Using current v3.1.x HEAD and running with -Xxx or a debug condition with debug level 3 set would also help.
We could compare the unencrypted tunnel data to what we see with wpa_supplicant and see what's different.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 17 Mar 2016, at 23:03, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Hmm, this thread got me interested - we were running 3.1.0 # 390f216 (around april 2015 I think) up until recently and it was fine with PEAP-EAP-MSCHAPv2/TLS, not that we used it much, but I did test it. Now with our last git pull (64aa7f9) it doesn't work, same message about EAP not finishing. It also behaves the same with PEAP-EAP-TLS. Hopefully that helps a bit, but I understand it's quite a wide time-span.
eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! eap: !! EAP session 0x17ac0b0 did not finish! !! eap: !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !! eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thanks Andy
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: 16 March 2016 18:38 To: FreeRadius users mailing list Subject: Re: Certificate problem between 3.0.11 and 3.1.x
On 16 Mar 2016, at 16:44, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
If you have time... it would help to know when 3.1 stopped working. You could grab a copy of 3.1 from early 2015, and see if it works. If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
That would at least help us narrow down what changed. And would likely allow us to fix the problem.
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP: commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Sun Dec 6 00:34:21 2015 -0500 Add additional debugging so we can track TLS fragments sent :100644 100644 084fb69... aa50e65... M src/modules/rlm_eap/libeap/eap_tls.c :100644 100644 a9ce517... 800fc77... M src/modules/rlm_eap/libeap/eap_tls.h :100644 100644 cb0a560... 8d64335... M src/modules/rlm_eap/libeap/eapcommon.c :100644 100644 b418f31... 87fd937... M src/modules/rlm_eap/rlm_eap.c :100644 100644 becfa6c... 504ed01... M src/modules/rlm_eap/types/rlm_eap_peap/peap.c :100644 100644 887d0d1... 5958f0d... M src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c works immediately before this commit, doesn’t work after. Regards Scott Armitage
Hi,
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
even with divide and conquer approach this was an interesting approach as our 3.1.x config had many options/configs that didnt work with earlier releases (features werent there!) so lots of config tweaks.... and quite a few commits that meant server build failed or it segfaulted.....but we found , finally, the change. alan
On 18 March 2016 at 09:52, <A.L.M.Buxey@lboro.ac.uk> wrote:
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
even with divide and conquer approach this was an interesting approach as our 3.1.x config had many options/configs that didnt work with earlier releases (features werent there!) so lots of config tweaks.... and quite a few commits that meant server build failed or it segfaulted.....but we found , finally, the change.
Thanks for doing that! Jonathan and I spent a lot of time yesterday discussing how we might be able to do do that, but our build/deploy system is all set up for running a production service rather than developing - so comes with a different set of assumptions. It didn't look like it was going to be an easy task for us! -Paul -- ---------------------------------------------------------------------- Paul Seward, Senior Systems Administrator, University of Bristol Paul.Seward@bristol.ac.uk +44 (0)117 39 41148 GPG Key ID: E24DA8A2 GPG Fingerprint: 7210 4E4A B5FC 7D9C 39F8 5C3C 6759 3937 E24D A8A2
On Fri, Mar 18, 2016 at 09:23:20AM +0000, Scott Armitage wrote:
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Sun Dec 6 00:34:21 2015 -0500
Add additional debugging so we can track TLS fragments sent
Hmm. If that's the case, then the bug is probably to do with the length included flag and the length of the packet. What does the EAP data look like in the packet sent before it breaks immediately after this patch, and in the equivalent packet before this patch? Specifically in EAP-Message it's the 8th bit ("length included") and 7th bit ("more fragments") of the 6th octet ("flags"), the "message length" field (7th, 8th, 9th and 10th octets) and the EAP-Message length (3rd and 4th octets). So fragments should be c0 on the first fragment, 40 on intermediate fragments and 00 on the last fragment. Or 80 for a standalone packet (no further fragments). These look OK in the original debug output, but the lengths for each packet look a bit odd in this sequence starting (1) eap_peap - Complete TLS record (2245 bytes) larger than MTU (1000 bytes), will fragment (1) eap_peap - Sending first TLS record fragment (1000 bytes), 1245 bytes remaining (1) eap_peap - [eap-tls process] = handled (1) vpieap - Sending EAP Request (code 1) ID 4 length 1010 (1) vpieap (handled) (1) } # authenticate (handled) (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (1) Sent Access-Challenge Id 157 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (1) EAP-Message = 0x010403f219c0000008c5160301003902000035030156e823361b5cba1ccb77c8d1c2d294e5648fa5293f6acb6c7e0b210e9899de6e00c01400000dff01000100000b00040300010216030107290b0007250007220002dc308202d830820282020410456227300d06092a864886f70d01010b05003081bf (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x02036e003ffa67036d696f996ec2a586 (1) Finished request 1000 bytes, 1245 remaining. OK. 000008c5 is 2245. 03f2 is 1010, which is 1000 plus 10 (header octets) but length of that attribute is only 119 octets. Flags are OK. The next two challenges are similar (2) eap_peap - Sending additional TLS record fragment (1004 bytes), 241 bytes remaining (2) eap_peap - [eap-tls process] = handled (2) vpieap - Sending EAP Request (code 1) ID 5 length 1010 (2) vpieap (handled) (2) } # authenticate (handled) (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (2) Sent Access-Challenge Id 158 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (2) EAP-Message = 0x010503f219402053657276696365733129302706035504031320556e6976657273697479206f662042726973746f6c2057696e646f7773204341301e170d3033303131303130323733375a170d3233303131303130333531315a3081bf3125302306092a864886f70d010901161663612d61646d696e40 Same length attribute. (3) eap_peap - Sending final TLS record fragment (241 bytes) (3) eap_peap - [eap-tls process] = handled (3) vpieap - Sending EAP Request (code 1) ID 6 length 247 (3) vpieap (handled) (3) } # authenticate (handled) (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi (3) Sent Access-Challenge Id 159 from 137.222.8.134:16020 to 172.17.107.208:32770 via ens192 length 0 (3) EAP-Message = 0x010600f71900ebe0344cb4e5d4ac912e10789408d80c66f81fd27cddd89c4c4a4dc3ae440f0cc86f59ca46e8ff75376eb7910a0af3153626fe0cf81027c02f568b1e56e2656a4191c98103f0da0f1ff061a21c81756cc2aec65066916bda86078229a217c291a4cb982853454ddb46b5e54200d5fd06d4 Same length attribute. It looks to me like the lengths are being set correctly in the attribute, but the actual amount of data sent is just the length of the final fragment (00f7 = 247 bytes). Comparing to debug output from the previous commit would verify this. But can't see how this exact behaviour would be caused by this patch, so maybe I'm completely wrong. I've not had much coffee yet today. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Fri, Mar 18, 2016 at 12:02:40PM +0000, Matthew Newton wrote:
On Fri, Mar 18, 2016 at 09:23:20AM +0000, Scott Armitage wrote:
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Sun Dec 6 00:34:21 2015 -0500
Add additional debugging so we can track TLS fragments sent
Hmm. If that's the case, then the bug is probably to do with the length included flag and the length of the packet.
Close. Think I may have found it. Have found the differences, anyway. First confusing thing is the FreeRADIUS is only printing out the first EAP-Message attribute in the debug output, hence the lengths before looked wrong (e.g. showing length 1000, but only having 247 or so bytes in the response). This is just because the other three EAP-Message attributes aren't being printed. Testing here with eapol_test shows that they are being returned correctly and this is only a debug output issue. The new code, for fragmented packets, is arguably more correct. In 8a7f6e330f^, in my test here, I have Challenge 1: length 1004, flags L+M Challenge 2: length 1000, flags M Challenge 3: length 726 Total length 2730, all verified OK (correct lengths in packets etc) as far as I can tell. In 8a7f6e330f (with the patch) for the same request/config I get: Challenge 1: length 1000, flags L+M Challenge 2: length 1000, flags M Challenge 3: length 730 So it's not going over the MTU, which is better. However... The key difference seems to be that in packets that do *not* need fragmenting, the L flag and length are now included, whereas in 8a7f6e330f^ they are not. This seems fine in the PEAP negotiation stage, but fails on the first packet after PEAP goes into its inner tunnel. My hypothesis would be a supplicant bug that sees the Length flag set so erroneously expects more packets, but that should not be the case because M was not set. It certainly works fine in eapol_test both pre- and post-8a7f6e330f, so it seems down to the way the particular supplicant processes the reply. draft-josefsson-pppext-eap-tls-eap-02 is silent on this matter it seems. L and M MUST be set for the start of fragments, L to set the length of the whole amount of data. But there is no mention of whether L on its own (for a non-fragmented packet), without M, is banned. Certainly the supplicant seems to send data this way to the server, and other packets are sent like this back to the supplicant, hence guessing this change in behaviour is just hitting one particular Windows supplicant in the wrong places. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Fri, Mar 18, 2016 at 11:22:53PM +0000, Matthew Newton wrote:
On Fri, Mar 18, 2016 at 12:02:40PM +0000, Matthew Newton wrote:
On Fri, Mar 18, 2016 at 09:23:20AM +0000, Scott Armitage wrote:
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Sun Dec 6 00:34:21 2015 -0500
Add additional debugging so we can track TLS fragments sent
Hmm. If that's the case, then the bug is probably to do with the length included flag and the length of the packet.
My hypothesis would be a supplicant bug that sees the Length flag set so erroneously expects more packets, but that should not be the case because M was not set. It certainly works fine in eapol_test both pre- and post-8a7f6e330f, so it seems down to the way the particular supplicant processes the reply.
OK... *don't try this at home, kids*. Drop this into your outer post-auth{} section and try again. Post-Auth-Type Challenge { debug_reply if (&reply:EAP-Message =~ /^0x(....00)(..)1980........(.*)$/) { update control { Tmp-String-1 := "%{2}" Tmp-Integer-1 := "0x%{control:Tmp-String-1}" Tmp-Integer-1 := "%{expr: %{control:Tmp-Integer-1} - 4}" Tmp-String-1 := "%{1}" Tmp-String-2 := "%{hex:&control:Tmp-Integer-1}" Tmp-String-3 := "%{3}" } if (&control:Tmp-String-2 =~ /^000000(..)$/) { update control { Tmp-String-2 := "%{1}" } } update reply { EAP-Message := "0x%{control:Tmp-String-1}%{control:Tmp-String-2}1900%{control:Tmp-String-3}" } } debug_reply } You should see EAP-Message will sometimes get transformed from e.g. EAP-Message = 0x010a002f198000000025170301... to EAP-Message = 0x010a002b1900170301... If it now works, that shows the extra L flag and length are causing the problem. If it doesn't work, you get to keep ALL the pieces, and it proves nothing. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 18 Mar 2016, at 23:22, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Mar 18, 2016 at 12:02:40PM +0000, Matthew Newton wrote:
On Fri, Mar 18, 2016 at 09:23:20AM +0000, Scott Armitage wrote:
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Sun Dec 6 00:34:21 2015 -0500
Add additional debugging so we can track TLS fragments sent
Hmm. If that's the case, then the bug is probably to do with the length included flag and the length of the packet.
Close. Think I may have found it. Have found the differences, anyway.
What's your supplicant, just we can make sure we're using roughly the same methodology. Mine is Windows 10 with PEAP outer EAP-TLS inner.
First confusing thing is the FreeRADIUS is only printing out the first EAP-Message attribute in the debug output, hence the lengths before looked wrong (e.g. showing length 1000, but only having 247 or so bytes in the response). This is just because the other three EAP-Message attributes aren't being printed.
Fixed the debug. Still used a stack buffer of 256 bytes.
Testing here with eapol_test shows that they are being returned correctly and this is only a debug output issue.
Yes, it was.
The new code, for fragmented packets, is arguably more correct.
In 8a7f6e330f^, in my test here, I have
Challenge 1: length 1004, flags L+M Challenge 2: length 1000, flags M Challenge 3: length 726
Total length 2730, all verified OK (correct lengths in packets etc) as far as I can tell.
In 8a7f6e330f (with the patch) for the same request/config I get:
Challenge 1: length 1000, flags L+M Challenge 2: length 1000, flags M Challenge 3: length 730
So it's not going over the MTU, which is better.
Agreed :)
However...
The key difference seems to be that in packets that do *not* need fragmenting, the L flag and length are now included, whereas in 8a7f6e330f^ they are not.
Yes. I got that far too. In packets that don't need fragmenting, sent from the supplicant the L flag is set.
This seems fine in the PEAP negotiation stage, but fails on the first packet after PEAP goes into its inner tunnel.
If you don't fragment the inner tunnel data at all it succeeds. Arguably, PEAP, when proxying should set a more appropriate Framed-MTU. Having two layers of fragmentation is inefficient, both in terms of processing, and in terms of network utilisation. Internal attributes now are only limited by system memory. The entire certificate chain from the inner EAP module should be packed up and returned to the outer EAP module, where it can sit in the outbound memory buffer.
My hypothesis would be a supplicant bug that sees the Length flag set so erroneously expects more packets, but that should not be the case because M was not set. It certainly works fine in eapol_test both pre- and post-8a7f6e330f, so it seems down to the way the particular supplicant processes the reply.
No, something weirder. Even when fragmentation is required it hangs.
draft-josefsson-pppext-eap-tls-eap-02 is silent on this matter it seems. L and M MUST be set for the start of fragments, L to set the length of the whole amount of data. But there is no mention of whether L on its own (for a non-fragmented packet), without M, is banned. Certainly the supplicant seems to send data this way to the server,
Yes I saw that.
and other packets are sent like this back to the supplicant, hence guessing this change in behaviour is just hitting one particular Windows supplicant in the wrong places.
Yes. Have you got PEAP + TLS to run to completion before the patch? I suspect PEAP with MSCHAPv2 will, but PEAP with TLS (that still requires fragmentation), won't. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Sat, Mar 19, 2016 at 12:10:17AM +0000, Arran Cudbard-Bell wrote:
On 18 Mar 2016, at 23:22, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Close. Think I may have found it. Have found the differences, anyway.
What's your supplicant, just we can make sure we're using roughly the same methodology.
Mine is Windows 10 with PEAP outer EAP-TLS inner.
Unfortunately I'm working blind; I've not got a broken machine with Windows. Hence a lot of hypotheses and not too many concrete answers. :( I've been running eapol_test and comparing the differences in the replies between the two versions. The original report was (an unspecified version of) Windows doing PEAP/MSCHAPv2.
First confusing thing is the FreeRADIUS is only printing out the first EAP-Message attribute in the debug output, hence the lengths
Fixed the debug. Still used a stack buffer of 256 bytes.
Cool, thanks :)
My hypothesis would be a supplicant bug that sees the Length flag set so erroneously expects more packets, but that should not be the case because M was not set. It certainly works fine in eapol_test both pre- and post-8a7f6e330f, so it seems down to the way the particular supplicant processes the reply.
No, something weirder. Even when fragmentation is required it hangs.
That is very odd. I wonder if it's a combination of things - something broken before that patch as well as the length being included. In which case taking say v3.0 and artificially _adding_ the L flag and length might be useful - if that works then there must also be other differences. Inverse of my unlang hack. Cough, splutter.
and other packets are sent like this back to the supplicant, hence guessing this change in behaviour is just hitting one particular Windows supplicant in the wrong places.
Yes. Have you got PEAP + TLS to run to completion before the patch? I suspect PEAP with MSCHAPv2 will, but PEAP with TLS (that still requires fragmentation), won't.
The only Windows machine I've got here at the moment is a VM, and I haven't been able to work the hostapd-foo correctly yet to get it to do wired 802.1X over a virtual network port. So I can't currently test it :( I have got a live server at the moment with Windows 7 clients doing PEAP/EAP-TLS, so I know that works, but it's before 8a7f6e330f. So it probably doesn't help much. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
What's your supplicant, just we can make sure we're using roughly the same methodology.
Windows 7,8,10 - PEAP OSX, ios, Android , wpa_supplicant etc all work - i.e. the platforms we (locally) use - the issue with Windows found on our first rollout to a test area (wired/switch environment) - we then validated that it also happened on wireless - and Scott sent initial report a whilst back.......as it was a current block to deployment he re-posted issue recently....and we've added more resource to hunt down when this stopped working (as others all noted...was okay with code from most of last year.... we've spent the past recent time working on using some of the new LDAP/redis etc features and left the auth/client stuff to the side. alan
On 19 Mar 2016, at 00:10, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 18 Mar 2016, at 23:22, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Mar 18, 2016 at 12:02:40PM +0000, Matthew Newton wrote:
On Fri, Mar 18, 2016 at 09:23:20AM +0000, Scott Armitage wrote:
Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Sun Dec 6 00:34:21 2015 -0500
Add additional debugging so we can track TLS fragments sent
Hmm. If that's the case, then the bug is probably to do with the length included flag and the length of the packet.
Close. Think I may have found it. Have found the differences, anyway.
Finished poking for today. If you run with radiusd -Xx you should now see improved debug output. Upping fragment_len on the inner eap module didn't make any difference. It seem to be an issue with sending large amounts of application data in the outer TLS tunnel after handshaking has completed. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Franks Andy (IT Technical Architecture Manager) -
Jonathan Gazeley -
Matthew Newton -
Paul Seward -
Scott Armitage