Fwd: FreeRADIUS + Cisco + Active Directory

Rashad Hall trynot24 at gmail.com
Mon Dec 28 21:45:12 CET 2015


I am pretty sure my approach to this is all wrong, so I've decided to seek
the help of the experts.

I have configured a FreeRADIUS server that authenticates our wifi users
with EAP-TLS and will also authenticate users for our network devices. Our
network devices are mainly Cisco, and I need these devices to authenticate
users based on their Active Directory credentials. The wifi portion is
complete, but I am having trouble using FreeRADIUS to check AD credentials
correctly. I decided to use MSCHAP (my mistake, I believe) for
authentication, and my "radtests" are successful, but when trying to log
into a switch I set up for testing I am unsuccessful. I believe the switch
only uses PAP and does not have the capability to use MSCHAP, but I am
unsure of how to set up PAP to query AD or somehow convert the PAP request
into an MSCHAP request server side. Can anyone tell me the best and most secure
approach to accomplishing my goal (if possible, I must suck at Googling)?
In the future I'd also like to assign Cisco priv levels based on groups a
user belongs to in AD. Below is debug output showing first a successful
radtest and then the unsuccessful login into the switch.

radiusd -X

Copyright (C) 1999-2015 The FreeRADIUS server project and contributors

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting - reading configuration files ...

including dictionary file /usr/local/share/freeradius/dictionary

including dictionary file /usr/local/share/freeradius/dictionary.dhcp

including dictionary file /usr/local/share/freeradius/dictionary.vqp

including dictionary file /usr/local/etc/raddb/dictionary

including configuration file /usr/local/etc/raddb/radiusd.conf

including configuration file /usr/local/etc/raddb/proxy.conf

including configuration file /usr/local/etc/raddb/clients.conf

including files in directory /usr/local/etc/raddb/mods-enabled/

including configuration file /usr/local/etc/raddb/mods-enabled/mschap

including configuration file /usr/local/etc/raddb/mods-enabled/replicate

including configuration file /usr/local/etc/raddb/mods-enabled/detail

including configuration file /usr/local/etc/raddb/mods-enabled/echo

including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp

including configuration file /usr/local/etc/raddb/mods-enabled/dhcp

including configuration file /usr/local/etc/raddb/mods-enabled/utf8

including configuration file /usr/local/etc/raddb/mods-enabled/soh

including configuration file /usr/local/etc/raddb/mods-enabled/unpack

including configuration file /usr/local/etc/raddb/mods-enabled/logintime

including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter

including configuration file /usr/local/etc/raddb/mods-enabled/detail.log

including configuration file
/usr/local/etc/raddb/mods-enabled/dynamic_clients

including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth

including configuration file /usr/local/etc/raddb/mods-enabled/expr

including configuration file /usr/local/etc/raddb/mods-enabled/chap

including configuration file /usr/local/etc/raddb/mods-enabled/linelog

including configuration file /usr/local/etc/raddb/mods-enabled/eap

including configuration file /usr/local/etc/raddb/mods-enabled/files

including configuration file /usr/local/etc/raddb/mods-enabled/radutmp

including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap

including configuration file /usr/local/etc/raddb/mods-enabled/pap

including configuration file /usr/local/etc/raddb/mods-enabled/exec

including configuration file /usr/local/etc/raddb/mods-enabled/preprocess

including configuration file /usr/local/etc/raddb/mods-enabled/always

including configuration file /usr/local/etc/raddb/mods-enabled/realm

including configuration file /usr/local/etc/raddb/mods-enabled/expiration

including files in directory /usr/local/etc/raddb/policy.d/

including configuration file /usr/local/etc/raddb/policy.d/abfab-tr

including configuration file /usr/local/etc/raddb/policy.d/accounting

including configuration file /usr/local/etc/raddb/policy.d/cui

including configuration file /usr/local/etc/raddb/policy.d/debug

including configuration file /usr/local/etc/raddb/policy.d/dhcp

including configuration file /usr/local/etc/raddb/policy.d/canonicalization

including configuration file /usr/local/etc/raddb/policy.d/eap

including configuration file /usr/local/etc/raddb/policy.d/filter

including configuration file /usr/local/etc/raddb/policy.d/operator-name

including configuration file /usr/local/etc/raddb/policy.d/control

including files in directory /usr/local/etc/raddb/sites-enabled/

including configuration file /usr/local/etc/raddb/sites-enabled/CUSTOM

main {

 security {

        allow_core_dumps = no

 }

        name = "radiusd"

        prefix = "/usr/local"

        localstatedir = "/var"

        logdir = "/var/log"

        run_dir = "/var/run/radiusd"

}

main {

        name = "radiusd"

        prefix = "/usr/local"

        localstatedir = "/var"

        sbindir = "/usr/local/sbin"

        logdir = "/var/log"

        run_dir = "/var/run/radiusd"

        libdir = "/usr/local/lib/freeradius-3.0.10"

        radacctdir = "/var/log/radacct"

        hostname_lookups = yes

        max_request_time = 30

        cleanup_delay = 5

        max_requests = 16384

        pidfile = "/var/run/radiusd/radiusd.pid"

        checkrad = "/usr/local/sbin/checkrad"

        debug_level = 0

        proxy_requests = no

 log {

        stripped_names = no

        auth = no

        auth_badpass = yes

        auth_goodpass = no

        colourise = yes

        msg_denied = "You are already logged in - access denied"

 }

 resources {

 }

 security {

        max_attributes = 200

        reject_delay = 1.000000

        status_server = yes

        allow_vulnerable_openssl = "no"

 }

}

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

        retry_delay = 5

        retry_count = 3

        default_fallback = no

        dead_time = 120

        wake_all_if_all_dead = no

 }

 home_server localhost {

        ipaddr = 127.0.0.1

        port = 1812

        type = "auth"

        secret = <<< secret >>>

        response_window = 20.000000

        response_timeouts = 1

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        check_timeout = 4

        num_answers_to_alive = 3

        revive_interval = 120

  limit {

        max_connections = 16

        max_requests = 0

        lifetime = 0

        idle_timeout = 0

  }

  coa {

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

  }

 }

 home_server_pool my_auth_failover {

        type = fail-over

        home_server = localhost

 }

 realm example.com {

        auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Loading Clients ####

Debugger not attached

radiusd: #### Instantiating modules ####

  # Loaded module rlm_mschap

  # Loading module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap

  mschap {

        use_mppe = no

        require_encryption = no

        require_strong = yes

        with_ntdomain_hack = yes

        ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-CUSTOM}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"

   passchange {

   }

        allow_retry = yes

  }

  # Loaded module rlm_replicate

  # Loading module "replicate" from file
/usr/local/etc/raddb/mods-enabled/replicate

  # Loaded module rlm_detail

  # Loading module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail

  detail {

        filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loaded module rlm_exec

  # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo

  exec echo {

        wait = yes

        program = "/bin/echo %{User-Name}"

        input_pairs = "request"

        output_pairs = "reply"

        shell_escape = yes

  }

  # Loaded module rlm_radutmp

  # Loading module "sradutmp" from file
/usr/local/etc/raddb/mods-enabled/sradutmp

  radutmp sradutmp {

        filename = "/var/log/sradutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        permissions = 420

        caller_id = no

  }

  # Loaded module rlm_dhcp

  # Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp

  # Loaded module rlm_utf8

  # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8

  # Loaded module rlm_soh

  # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh

  soh {

        dhcp = yes

  }

  # Loaded module rlm_unpack

  # Loading module "unpack" from file
/usr/local/etc/raddb/mods-enabled/unpack

  # Loaded module rlm_logintime

  # Loading module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime

  logintime {

        minimum_timeout = 60

  }

  # Loaded module rlm_attr_filter

  # Loading module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.post-proxy {

        filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"

        key = "%{Realm}"

        relaxed = no

  }

  # Loading module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.pre-proxy {

        filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"

        key = "%{Realm}"

        relaxed = no

  }

  # Loading module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_reject {

        filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_reject"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_challenge {

        filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.accounting_response {

        filename =
"/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail auth_log {

        filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail reply_log {

        filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail pre_proxy_log {

        filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  detail post_proxy_log {

        filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loaded module rlm_dynamic_clients

  # Loading module "dynamic_clients" from file
/usr/local/etc/raddb/mods-enabled/dynamic_clients

  # Loading module "ntlm_auth" from file
/usr/local/etc/raddb/mods-enabled/ntlm_auth

  exec ntlm_auth {

        wait = yes

        program = "/usr/local/bin/ntlm_auth --request-nt-key
--domain=CUSTOM --username=%{mschap:User-Name} --password=%{User-Password}"

        shell_escape = yes

  }

  # Loaded module rlm_expr

  # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr

  expr {

        safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"

  }

  # Loaded module rlm_chap

  # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap

  # Loaded module rlm_linelog

  # Loading module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog

  linelog {

        filename = "/var/log/linelog"

        escape_filenames = no

        syslog_severity = "info"

        permissions = 384

        format = "This is a log message for %{User-Name}"

        reference = "messages.%{%{reply:Packet-Type}:-default}"

  }

  # Loading module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog

  linelog log_accounting {

        filename = "/var/log/linelog-accounting"

        escape_filenames = no

        syslog_severity = "info"

        permissions = 384

        format = ""

        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

  }

  # Loaded module rlm_eap

  # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap

  eap {

        default_eap_type = "tls"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 16384

  }

  # Loaded module rlm_files

  # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files

  files {

        filename = "/usr/local/etc/raddb/mods-config/files/authorize"

        usersfile = "/usr/local/etc/raddb/mods-config/files/authorize"

        acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"

        preproxy_usersfile =
"/usr/local/etc/raddb/mods-config/files/pre-proxy"

  }

  # Loading module "radutmp" from file
/usr/local/etc/raddb/mods-enabled/radutmp

  radutmp {

        filename = "/var/log/radutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        permissions = 384

        caller_id = yes

  }

  # Loaded module rlm_cache

  # Loading module "cache_eap" from file
/usr/local/etc/raddb/mods-enabled/cache_eap

  cache cache_eap {

        driver = "rlm_cache_rbtree"

        key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"

        ttl = 15

        max_entries = 0

        epoch = 0

        add_stats = no

  }

  # Loaded module rlm_pap

  # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap

  pap {

        normalise = yes

  }

  # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec

  exec {

        wait = no

        input_pairs = "request"

        shell_escape = yes

        timeout = 10

  }

  # Loaded module rlm_preprocess

  # Loading module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess

  preprocess {

        huntgroups =
"/usr/local/etc/raddb/mods-config/preprocess/huntgroups"

        hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"

        with_ascend_hack = no

        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no

        with_alvarion_vsa_hack = no

  }

  # Loaded module rlm_always

  # Loading module "reject" from file
/usr/local/etc/raddb/mods-enabled/always

  always reject {

        rcode = "reject"

        simulcount = 0

        mpp = no

  }

  # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always

  always fail {

        rcode = "fail"

        simulcount = 0

        mpp = no

  }

  # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always

  always ok {

        rcode = "ok"

        simulcount = 0

        mpp = no

  }

  # Loading module "handled" from file
/usr/local/etc/raddb/mods-enabled/always

  always handled {

        rcode = "handled"

        simulcount = 0

        mpp = no

  }

  # Loading module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always

  always invalid {

        rcode = "invalid"

        simulcount = 0

        mpp = no

  }

  # Loading module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always

  always userlock {

        rcode = "userlock"

        simulcount = 0

        mpp = no

  }

  # Loading module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always

  always notfound {

        rcode = "notfound"

        simulcount = 0

        mpp = no

  }

  # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always

  always noop {

        rcode = "noop"

        simulcount = 0

        mpp = no

  }

  # Loading module "updated" from file
/usr/local/etc/raddb/mods-enabled/always

  always updated {

        rcode = "updated"

        simulcount = 0

        mpp = no

  }

  # Loaded module rlm_realm

  # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm

  realm IPASS {

        format = "prefix"

        delimiter = "/"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm

  realm suffix {

        format = "suffix"

        delimiter = "@"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm

  realm realmpercent {

        format = "suffix"

        delimiter = "%"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm

  realm ntdomain {

        format = "prefix"

        delimiter = "\\"

        ignore_default = no

        ignore_null = no

  }

  # Loaded module rlm_expiration

  # Loading module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration

 instantiate {

 }

 modules {

  # Instantiating module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap

rlm_mschap (mschap): authenticating by calling 'ntlm_auth'

  # Instantiating module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail

  # Instantiating module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime

  # Instantiating module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/post-proxy

  # Instantiating module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy

  # Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_reject

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay"  found in filter list for realm "DEFAULT".

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".

  # Instantiating module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_challenge

  # Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter

reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response

  # Instantiating module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output

  # Instantiating module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  # Instantiating module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  # Instantiating module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log

  # Instantiating module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog

  # Instantiating module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog

  # Instantiating module "eap" from file
/usr/local/etc/raddb/mods-enabled/eap

   # Linked to sub-module rlm_eap_md5

   # Linked to sub-module rlm_eap_leap

   # Linked to sub-module rlm_eap_gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

   # Linked to sub-module rlm_eap_tls

   tls {

        tls = "tls-common"

   }

   tls-config tls-common {

        rsa_key_exchange = no

        dh_key_exchange = yes

        rsa_key_length = 512

        dh_key_length = 512

        verify_depth = 0

        ca_path = "/usr/local/etc/raddb/certs"

        pem_file_type = yes

        private_key_file =
"/usr/local/etc/raddb/certs/freeradius.dev.network.com.key"

        certificate_file =
"/usr/local/etc/raddb/certs/freeradius.dev.network.com.cer"

        ca_file = "/usr/local/etc/raddb/certs/CA.crt"

        dh_file = "/usr/local/etc/raddb/certs/dh4096.pem"

        fragment_size = 1024

        include_length = yes

        check_crl = no

        check_all_crl = no

        cipher_list = "HIGH"

        ecdh_curve = "prime256v1"

    cache {

        enable = yes

        lifetime = 24

        max_entries = 255

    }

    verify {

        tmpdir = "/tmp/radiusd"

        client = "/usr/local/bin/openssl verify -CAfile
/usr/local/etc/raddb/certs/SD-CUSTOM-CA.crt %{TLS-Client-Cert-Filename}"

    }

    ocsp {

        enable = no

        override_cert_url = yes

        url = "http://127.0.0.1/ocsp/"

        use_nonce = yes

        timeout = 0

        softfail = no

    }

   }

   # Linked to sub-module rlm_eap_ttls

   ttls {

        tls = "tls-common"

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

        include_length = yes

        require_client_cert = no

   }

tls: Using cached TLS configuration from previous invocation

   # Linked to sub-module rlm_eap_peap

   peap {

        tls = "tls-common"

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

        soh = no

        require_client_cert = no

   }

tls: Using cached TLS configuration from previous invocation

   # Linked to sub-module rlm_eap_mschapv2

   mschapv2 {

        with_ntdomain_hack = no

        send_error = no

   }

  # Instantiating module "files" from file
/usr/local/etc/raddb/mods-enabled/files

reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize

reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize

reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting

reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy

  # Instantiating module "cache_eap" from file
/usr/local/etc/raddb/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked

  # Instantiating module "pap" from file
/usr/local/etc/raddb/mods-enabled/pap

  # Instantiating module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess

reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups

reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints

  # Instantiating module "reject" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "fail" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "ok" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "handled" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "noop" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "updated" from file
/usr/local/etc/raddb/mods-enabled/always

  # Instantiating module "IPASS" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm

  # Instantiating module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration

 } # modules

radiusd: #### Loading Virtual Servers ####

server { # from file /usr/local/etc/raddb/radiusd.conf

} # server

server WIFI { # from file /usr/local/etc/raddb/sites-enabled/CUSTOM

 # Loading authenticate {...}

 # Loading authorize {...}

 # Loading preacct {...}

 # Loading session {...}

 # Loading post-auth {...}

} # server WIFI

server NETdevs { # from file /usr/local/etc/raddb/sites-enabled/CUSTOM

 # Loading authenticate {...}

 # Loading authorize {...}

 # Loading preacct {...}

 # Loading session {...}

 # Loading post-auth {...}

} # server NETdevs

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = 192.168.20.90

        port = 1812

        clients = "CUSTOMdevs"

  client WLC-AD-01 {

        ipaddr = 98.87.143.174

        require_message_authenticator = no

        secret = <<< secret >>>

        virtual_server = "WIFI"

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

  }

  client probe01-rb {

        ipaddr = 192.168.20.12

        require_message_authenticator = no

        secret = <<< secret >>>

        virtual_server = "NETdevs"

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

  }

  client ms-01 {

        ipaddr = 192.168.10.128

        require_message_authenticator = no

        secret = <<< secret >>>

        virtual_server = "NETdevs"

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

  }

  client localtest {

        ipaddr = 192.168.20.90

        require_message_authenticator = no

        secret = <<< secret >>>

        virtual_server = "NETdevs"

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

  }

  client BMMTEST {

        ipaddr = 192.168.20.138

        require_message_authenticator = no

        secret = <<< secret >>>

        virtual_server = "NETdevs"

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

  }

}

Listening on auth address 192.168.20.90 port 1812

Ready to process requests

(0) Received Access-Request Id 141 from 192.168.20.90:26563to
192.168.20.90:1812 length 137

(0)   User-Name = "user"

(0)   NAS-IP-Address = 192.168.20.91

(0)   NAS-Port = 1812

(0)   Message-Authenticator = 0xa8cc76ce3b5860d52efc32576eecbf6a

(0)   MS-CHAP-Challenge = 0xb2f91f9870476e40

(0)   MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000058d1080e7b32397b62fcd4f627d44c3a68a7323fd0124cfb

(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/CUSTOM

(0)   authorize {

(0)     [preprocess] = ok

(0) auth_log: EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(0) auth_log:    --> /var/log/radacct/192.168.20.90/auth-detail-20151226

(0) auth_log:
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/192.168.20.90/auth-detail-20151226

(0) auth_log: EXPAND %t

(0) auth_log:    --> Sat Dec 26 23:06:35 2015

(0)     [auth_log] = ok

(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

(0)     [mschap] = ok

(0)     [expiration] = noop

(0)     [logintime] = noop

(0)   } # authorize = ok

(0) Found Auth-Type = MSCHAP

(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/CUSTOM

(0)   authenticate {

(0) mschap: Client is using MS-CHAPv1 with NT-Password

(0) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-CUSTOM}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:

(0) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}

(0) mschap:    --> --username=user

(0) mschap: ERROR: No NT-Domain was found in the User-Name

(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CUSTOM}

(0) mschap:    --> --domain=CUSTOM

(0) mschap: mschap1: b2

(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}

(0) mschap:    --> --challenge=b2f91f9870476e40

(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}

(0) mschap:    -->
--nt-response=58d1080e7b32397b62fcd4f627d44c3a68a7323fd0124cfb

(0) mschap: Program returned code (0) and output 'NT_KEY:
B790031B37A86A5A3EA42ACFD3DE9679'

(0)     [mschap] = ok

(0)   } # authenticate = ok

(0) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/CUSTOM

(0)   post-auth {

(0)     [exec] = noop

(0)   } # post-auth = noop

(0) Sent Access-Accept Id 141 from 192.168.20.90:1812
to192.168.20.90:26563 length
0

(0) Finished request

Waking up in 4.9 seconds.

(0) Cleaning up request packet ID 141 with timestamp +25

Ready to process requests

(1) Received Access-Request Id 24 from 192.168.20.138:1645to
192.168.20.90:1812 length 91

(1)   User-Name = "user"

(1)   User-Password = "password1"

(1)   NAS-Port = 1

(1)   NAS-Port-Id = "tty1"

(1)   NAS-Port-Type = Virtual

(1)   Calling-Station-Id = "192.168.21.108"

(1)   NAS-IP-Address = 192.168.20.138

(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/CUSTOM

(1)   authorize {

(1)     [preprocess] = ok

(1) auth_log: EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(1) auth_log:    --> /var/log/radacct/192.168.20.138/auth-detail-20151226

(1) auth_log:
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/192.168.20.138/auth-detail-20151226

(1) auth_log: EXPAND %t

(1) auth_log:    --> Sat Dec 26 23:06:58 2015

(1)     [auth_log] = ok

(1)     [mschap] = noop

(1)     [expiration] = noop

(1)     [logintime] = noop

(1)   } # authorize = ok

(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject

(1) Failed to authenticate the user

(1) Using Post-Auth-Type Reject

(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/CUSTOM

(1)   Post-Auth-Type REJECT {

(1) attr_filter.access_reject: EXPAND %{User-Name}

(1) attr_filter.access_reject:    --> user

(1) attr_filter.access_reject: Matched entry DEFAULT at line 11

(1)     [attr_filter.access_reject] = updated

(1)   } # Post-Auth-Type REJECT = updated

(1) Delaying response for 1.000000 seconds

Waking up in 0.6 seconds.

Waking up in 0.3 seconds.

(1) Sending delayed response

(1) Sent Access-Reject Id 24 from 192.168.20.90:1812
to192.168.20.138:1645 length
20

Waking up in 3.9 seconds.



More information about the Freeradius-Users mailing list
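The debug output above shows why the switch login fails: request (1) carries a plain `User-Password` (PAP) and no MS-CHAP attributes, so `mschap` returns noop and nothing sets an Auth-Type. The following NETdevs virtual server is an added example (not the poster's CUSTOM site file) that routes such PAP requests through the `ntlm_auth` exec module already loaded from mods-enabled/ntlm_auth, and returns a Cisco privilege level based on an AD group; it assumes the domain is CUSTOM, that winbind is joined to it, and that an rlm_ldap instance named `ldap` with a group section is configured against AD (the group DN below is a placeholder).

```unlang
# Added example, not the original poster's configuration.
# Assumptions: AD domain CUSTOM (winbind joined), an rlm_ldap instance "ldap"
# pointed at AD with a "group" section, and a placeholder group DN.
server NETdevs {
    authorize {
        preprocess
        auth_log

        # MS-CHAP requests (e.g. radtest -t mschap) keep their existing path:
        # mschap sets Auth-Type = mschap when it finds MS-CHAP attributes.
        mschap

        # A PAP request from the switch has User-Password but no CHAP or
        # MS-CHAP attributes, so no module has chosen an Auth-Type yet.
        # Hand it to the exec "ntlm_auth" module instead of letting the
        # server fall into "No Auth-Type found: rejecting the user".
        if (&User-Password && !&control:Auth-Type) {
            update control {
                &Auth-Type := ntlm_auth
            }
        }

        expiration
        logintime
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }

        # mods-enabled/ntlm_auth runs:
        #   ntlm_auth --request-nt-key --domain=CUSTOM
        #             --username=%{mschap:User-Name} --password=%{User-Password}
        # rlm_exec maps exit status 0 to "ok" (AD accepted the password) and
        # exit status 1 to "reject".
        Auth-Type ntlm_auth {
            ntlm_auth
        }
    }

    post-auth {
        # Default every accepted user to a read-only EXEC session ...
        update reply {
            &Service-Type := NAS-Prompt-User
            &Cisco-AVPair := "shell:priv-lvl=1"
        }

        # ... and raise it to priv 15 only for members of the admin group.
        # LDAP-Group is resolved by the rlm_ldap "group" section; the DN is
        # a placeholder for the real AD group.
        if (&LDAP-Group == "CN=NetAdmins,OU=Groups,DC=custom,DC=local") {
            update reply {
                &Cisco-AVPair := "shell:priv-lvl=15"
            }
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

With PAP the switch sends the password obfuscated only by the RADIUS shared secret, so the per-client secrets and the `clients` list bound to this listener are what protect it on the wire. The switch side also needs `aaa authorization exec` pointed at the RADIUS group for the returned privilege level to take effect.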