Setting up radsec proxy with Freeradius 3.0.15
Muhammad Farhan SJAUGI
farhan at perdanauniversity.edu.my
Tue Aug 8 18:51:44 CEST 2017
Greetings,
Currently I am working on "migrating" our RADIUS proxy server from
radsecproxy to FreeRADIUS 3.0.15 with RadSec. On the client side, the majority
of them are using radsecproxy + FreeRADIUS 2.2.9.
Connections from the RADIUS proxy via the RADIUS port (1812), i.e. non-RadSec, work
well. However, if we change the connection from the RADIUS proxy to RadSec,
it doesn't work.
Below is the error message from the proxy server's log (full debug log
attached):
(1) eap: ERROR: rlm_eap (EAP): No EAP session matching state
0xcacb836ecaca9624
(1) eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
(1) eap: Failed to get handler, probably already removed, not inserting
EAP-Failure
while on the client side (full debug log attached):
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
I used eapol_test to test the authentication.
Has anyone faced a similar problem before? If yes, would you mind
sharing the solution?
Regards
--
*Muhammad Farhan SJAUGI, S.Kom. M.Sc. *
Head | Information Technology Dept. | Senior Lecturer | Centre for
Computing - Centre for Bioinformatics | School of Data Sciences
Perdana University | Block D1, MAEPS Building, MARDI Complex, Jalan MAEPS
Perdana, Serdang 43400, Selangor D.E. Malaysia
Tel: (60) 3-89418646 (ext: 197) GMT+8h | Fax: (65) 3-89417661 | Email:
farhan at perdanauniversity.edu.my
Homepage:
http://perdanauniversity.edu.my/pusps/programmes/bioinformatics/our-team/muhammad-farhan-sjaugi/
<fhn at cbcommunity.or.id>
-------------- next part --------------
radiusd: FreeRADIUS Version 2.2.9, for host x86_64-redhat-linux-gnu, built on Jun 15 2016 at 15:25:41
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
user = "radius"
group = "radius"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
}
home_server my-NRO-1 {
ipaddr = 203.80.20.214
port = 1812
type = "auth+acct"
secret = "3dur04mMyR3nM4l4y514"
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server my-NRO-2 {
ipaddr = 119.40.121.26
port = 1812
type = "auth+acct"
secret = "3dur04mNr02M4l4y514"
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
realm ~^(.+\.)?myifam.upm\.my$ {
authhost = LOCAL
accthost = LOCAL
}
realm DEFAULT {
nostrip
authhost = 119.40.121.24:11812
secret = eduroammy
}
realm suffix {
}
home_server_pool my-NRO {
type = fail-over
home_server = my-NRO-1
home_server = my-NRO-2
}
radiusd: #### Loading Clients ####
client my-NRO-1 {
ipaddr = 203.80.20.214
require_message_authenticator = no
secret = "3dur04mMyR3nM4l4y514"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
client my-NRO-2 {
ipaddr = 119.40.121.26
require_message_authenticator = no
secret = "3dur04mMyR3nM4l4y514"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
client localhost {
ipaddr = 119.40.121.24
netmask = 32
require_message_authenticator = no
secret = "eduroammy"
shortname = "radsec"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
client ui {
ipaddr = 119.40.121.15
netmask = 32
require_message_authenticator = yes
secret = "eduroammy"
shortname = "ui"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
client farhan-ap {
ipaddr = 118.100.112.226
require_message_authenticator = no
secret = "eduroammy"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
client myren-ap {
ipaddr = 203.80.16.125
require_message_authenticator = no
secret = "myr3n4cc35p01nt"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = LDAP
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
ldap {
server = "localhost"
port = 389
password = ""
expect_password = yes
identity = ""
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "ou=users,dc=idp,dc=myifam,dc=upm,dc=my"
filter = "(eduPersonPrincipalName=%{Stripped-User-Name})"
base_filter = "(objectclass=radiusprofile)"
password_header = "{SHA}"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x7fbc5bf80e00
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/idp_comodo.key"
certificate_file = "/etc/raddb/certs/idp_comodo.pem"
CA_file = "/etc/raddb/certs/MYIFAM.pem"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/huntgroups
reading pairlist file /etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /etc/raddb/users
reading pairlist file /etc/raddb/acct_users
reading pairlist file /etc/raddb/preproxy_users
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radius"
password = "4u2xsa2z"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{Stripped-User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/attrs.access_reject
} # modules
} # server
server eduroam { # from file /etc/raddb/sites-enabled/eduroam
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log
detail auth_log {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Checking preacct {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/attrs.pre-proxy
Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log
detail pre_proxy_log {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log
detail post_proxy_log {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Instantiating module "attr_filter.post-proxy" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/attrs
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log
detail reply_log {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_linelog
Module: Instantiating module "linelog" from file /etc/raddb/modules/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
} # modules
} # server
server eduroam-inner-tunnel { # from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 0
}
listen {
type = "acct"
ipaddr = 127.0.0.1
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 55167
... adding new socket proxy address * port 42943
... adding new socket proxy address * port 54491
... adding new socket proxy address * port 41677
Listening on authentication address 127.0.0.1 port 1812
Listening on accounting address 127.0.0.1 port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1110
Ready to process requests.
rad_recv: Status-Server packet from host 119.40.121.24 port 42846, id=0, length=38
Message-Authenticator = 0x0b0b00f2254d5a23cf679f48a99edf9c
server eduroam-inner-tunnel {
} # server eduroam-inner-tunnel
Sending Access-Accept of id 0 to 119.40.121.24 port 42846
Finished request 0.
Cleaning up request 0 ID 0 with timestamp +7
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 119.40.121.24 port 42846, id=22, length=105
User-Name = "demo@myifam.upm.my"
Calling-Station-Id = "02-00-00-00-00-01"
EAP-Message = 0x020000170164656d6f406d796966616d2e75706d2e6d79
Message-Authenticator = 0x545e7081e1ce2799cf5915a7c0c9a0bd
Proxy-State = 0x30
server eduroam-inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 119.40.121.24
[auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/119.40.121.24/auth-detail-20170808
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/119.40.121.24/auth-detail-20170808
[auth_log] expand: %t -> Tue Aug 8 16:48:07 2017
++[auth_log] = ok
[suffix] Looking up realm "myifam.upm.my" for User-Name = "demo@myifam.upm.my"
[suffix] Found realm "~^(.+\.)?myifam.upm\.my$"
[suffix] Adding Stripped-User-Name = "demo"
[suffix] Adding Realm = "myifam.upm.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for demo
[ldap] expand: (eduPersonPrincipalName=%{Stripped-User-Name}) -> (eduPersonPrincipalName=demo)
[ldap] expand: ou=users,dc=idp,dc=myifam,dc=upm,dc=my -> ou=users,dc=idp,dc=myifam,dc=upm,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] bind as / to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=users,dc=idp,dc=myifam,dc=upm,dc=my, with filter (eduPersonPrincipalName=demo)
[ldap] looking for check items in directory...
[ldap] sambaNTPassword -> NT-Password == 0x3135313238303731453237353036343931343243364442313635313730394145
[ldap] sambaLMPassword -> LM-Password == 0x3736424246344141303830444534364338353934313537384333464143313342
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[mschap] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] No User-Password attribute in the request. Cannot do PAP.
++[pap] = noop
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 22 to 119.40.121.24 port 42846
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa899988fa888c583b9ffe65a0d465f7
Proxy-State = 0x30
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 119.40.121.24 port 42846, id=23, length=349
User-Name = "demo@myifam.upm.my"
Calling-Station-Id = "02-00-00-00-00-01"
EAP-Message = [hex payload elided]
State = 0xfa899988fa888c583b9ffe65a0d465f7
Message-Authenticator = 0xf5d940d46f33c1b590d20db67d302c5f
Proxy-State = 0x31
server eduroam-inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 119.40.121.24
[auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/119.40.121.24/auth-detail-20170808
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/119.40.121.24/auth-detail-20170808
[auth_log] expand: %t -> Tue Aug 8 16:48:07 2017
++[auth_log] = ok
[suffix] Looking up realm "myifam.upm.my" for User-Name = "demo@myifam.upm.my"
[suffix] Found realm "~^(.+\.)?myifam.upm\.my$"
[suffix] Adding Stripped-User-Name = "demo"
[suffix] Adding Realm = "myifam.upm.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for demo
[ldap] expand: (eduPersonPrincipalName=%{Stripped-User-Name}) -> (eduPersonPrincipalName=demo)
[ldap] expand: ou=users,dc=idp,dc=myifam,dc=upm,dc=my -> ou=users,dc=idp,dc=myifam,dc=upm,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=users,dc=idp,dc=myifam,dc=upm,dc=my, with filter (eduPersonPrincipalName=demo)
[ldap] looking for check items in directory...
[ldap] sambaNTPassword -> NT-Password == 0x3135313238303731453237353036343931343243364442313635313730394145
[ldap] sambaLMPassword -> LM-Password == 0x3736424246344141303830444534364338353934313537384333464143313342
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[mschap] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] No User-Password attribute in the request. Cannot do PAP.
++[pap] = noop
[eap] EAP packet type response id 1 length 249
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 00ee]
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> Unknown TLS version [length 003e]
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> Unknown TLS version [length 0565]
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 23 to 119.40.121.24 port 42846
EAP-Message = 0x0102040015c000000708160303003e0200003a03035989eb4769d0ad284e446bdfbae1b5329f0c6ea85f41ca293f4b00ce809ef95f00c030000012ff01000100000b000403000102000f00010116030305650b00056100055e00055b308205573082043fa003020102021024dd971009112f3463c8ae57122efe87300d06092a864886f70d01010b0500308190310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564313630340603550403132d434f4d4f444f2052534120446f
EAP-Message = [hex payload elided]
EAP-Message = [hex payload elided]
EAP-Message = [hex payload elided]
EAP-Message = 0x793077304f06082b06010505
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa899988fb8b8c583b9ffe65a0d465f7
Proxy-State = 0x31
Finished request 2.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 119.40.121.24 port 42846, id=24, length=349
User-Name = "demo@myifam.upm.my"
Calling-Station-Id = "02-00-00-00-00-01"
EAP-Message = [hex payload elided]
State = 0xfa899988fa888c583b9ffe65a0d465f7
Message-Authenticator = 0x6f69eeaed36fec3693d056a7ed91cbe7
Proxy-State = 0x31
server eduroam-inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 119.40.121.24
[auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/119.40.121.24/auth-detail-20170808
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/119.40.121.24/auth-detail-20170808
[auth_log] expand: %t -> Tue Aug 8 16:48:10 2017
++[auth_log] = ok
[suffix] Looking up realm "myifam.upm.my" for User-Name = "demo@myifam.upm.my"
[suffix] Found realm "~^(.+\.)?myifam.upm\.my$"
[suffix] Adding Stripped-User-Name = "demo"
[suffix] Adding Realm = "myifam.upm.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for demo
[ldap] expand: (eduPersonPrincipalName=%{Stripped-User-Name}) -> (eduPersonPrincipalName=demo)
[ldap] expand: ou=users,dc=idp,dc=myifam,dc=upm,dc=my -> ou=users,dc=idp,dc=myifam,dc=upm,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=users,dc=idp,dc=myifam,dc=upm,dc=my, with filter (eduPersonPrincipalName=demo)
[ldap] looking for check items in directory...
[ldap] sambaNTPassword -> NT-Password == XXXX
[ldap] sambaLMPassword -> LM-Password == XXXX
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[mschap] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] No User-Password attribute in the request. Cannot do PAP.
++[pap] = noop
[eap] EAP packet type response id 1 length 249
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [demo@myifam.upm.my] (from client radsec port 0 cli 02-00-00-00-00-01)
} # server eduroam-inner-tunnel
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group REJECT {
[reply_log] expand: %{Packet-Src-IP-Address} -> 119.40.121.24
[reply_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/radius/radacct/119.40.121.24/reply-detail-20170808
[reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/119.40.121.24/reply-detail-20170808
[reply_log] expand: %t -> Tue Aug 8 16:48:10 2017
++[reply_log] = ok
[linelog] expand: %{Packet-Type} -> Access-Request
[linelog] expand: %{%{Packet-Type}:-format} -> Access-Request
[linelog] expand: /var/log/radius/linelog -> /var/log/radius/linelog
[linelog] expand: Requested access: %{User-Name} -> Requested access: demo@myifam.upm.my
++[linelog] = ok
+} # group REJECT = ok
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 24 to 119.40.121.24 port 42846
Proxy-State = 0x31
Waking up in 0.7 seconds.
Cleaning up request 1 ID 22 with timestamp +7
Waking up in 0.2 seconds.
Cleaning up request 2 ID 23 with timestamp +7
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xfa899988fb8b8c58 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Waking up in 4.0 seconds.
Cleaning up request 3 ID 24 with timestamp +10
Ready to process requests.
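In the excerpt above the failure is visible one packet before rlm_eap complains. The server answered request id 23 with a fresh State (0xfa899988fb8b8c58...), but request id 24, which arrives three seconds later with the same length (349), the same Proxy-State (0x31) and the same EAP response (id 1, length 249), still carries the State that was issued with challenge id 22 (0xfa899988fa888c58...). rlm_eap keys its sessions by State, so it finds nothing to match and rejects. The script below is an added example, not part of the original post or of FreeRADIUS: it runs exactly that check over a radiusd -X log, pairing every State the server sends in an Access-Challenge with the State the next Access-Request from the same client presents, and reporting any request whose State is stale or was never issued. The sample log embedded in it is constructed from the exchange above (same ids, peer and State values, unrelated attributes dropped); the only format assumptions are the "rad_recv:" and "Sending ... of id" packet headers and the indented "State = 0x..." attribute lines as they appear in this log.

```python
"""
Audit a FreeRADIUS debug log for Access-Requests that present a State the
server is no longer expecting.  That is the situation behind
"rlm_eap: No EAP session matching the State variable": each Access-Challenge
carries a fresh State, and the next Access-Request must echo exactly that one.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Packet headers as radiusd -X prints them (attributes follow on indented lines).
RECV_RE = re.compile(
    r"rad_recv: (?P<type>[\w-]+) packet from host (?P<host>\S+) port (?P<port>\d+), id=(?P<id>\d+)"
)
SEND_RE = re.compile(
    r"Sending (?P<type>[\w-]+) of id (?P<id>\d+) to (?P<host>\S+) port (?P<port>\d+)"
)
# Only the bare State attribute; a Proxy-State line must not match.
STATE_RE = re.compile(r"^\s*State = (?P<state>0x[0-9a-fA-F]+)\s*$")

Client = Tuple[str, str]  # (host, port) exactly as printed in the log


@dataclass
class Finding:
    request_id: int
    presented_state: str
    expected_state: Optional[str]       # None: no challenge outstanding for this client
    issued_by_challenge: Optional[int]  # challenge id that originally issued presented_state


def audit_state(log_text: str) -> List[Finding]:
    """Return one Finding per Access-Request whose State is stale or unknown."""
    findings: List[Finding] = []
    current: Dict[Client, Tuple[str, int]] = {}  # client -> (State now valid, challenge id)
    issued: Dict[str, int] = {}                  # every State ever sent -> challenge id
    ctx: Optional[Tuple[str, Client, str, int]] = None  # packet whose attributes follow

    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            ctx = ("recv", (m["host"], m["port"]), m["type"], int(m["id"]))
            continue
        m = SEND_RE.search(line)
        if m:
            ctx = ("send", (m["host"], m["port"]), m["type"], int(m["id"]))
            continue
        m = STATE_RE.match(line)
        if not (m and ctx):
            continue

        direction, client, ptype, pid = ctx
        state = m["state"].lower()
        if direction == "send" and ptype == "Access-Challenge":
            # The new challenge replaces whatever State this client held before.
            current[client] = (state, pid)
            issued[state] = pid
        elif direction == "recv" and ptype == "Access-Request":
            expected = current.get(client)
            if expected is None or expected[0] != state:
                findings.append(Finding(
                    request_id=pid,
                    presented_state=state,
                    expected_state=expected[0] if expected else None,
                    issued_by_challenge=issued.get(state),
                ))
    return findings


def describe(f: Finding) -> str:
    """Human-readable one-liner for a finding."""
    origin = (f"issued with Access-Challenge id {f.issued_by_challenge}"
              if f.issued_by_challenge is not None else "never issued by this server")
    expected = f.expected_state or "none (no challenge outstanding)"
    return (f"Access-Request id {f.request_id}: State {f.presented_state} is stale "
            f"({origin}); server expected {expected}")


# Constructed sample, condensed from the exchange in the log above (same ids,
# peer and State values; unrelated attributes dropped).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 119.40.121.24 port 42846, id=22, length=105
    User-Name = "demo@myifam.upm.my"
    EAP-Message = 0x020000170164656d6f406d796966616d2e75706d2e6d79
    Proxy-State = 0x30
Sending Access-Challenge of id 22 to 119.40.121.24 port 42846
    EAP-Message = 0x010100061520
    State = 0xfa899988fa888c583b9ffe65a0d465f7
    Proxy-State = 0x30
rad_recv: Access-Request packet from host 119.40.121.24 port 42846, id=23, length=349
    State = 0xfa899988fa888c583b9ffe65a0d465f7
    Proxy-State = 0x31
Sending Access-Challenge of id 23 to 119.40.121.24 port 42846
    State = 0xfa899988fb8b8c583b9ffe65a0d465f7
    Proxy-State = 0x31
rad_recv: Access-Request packet from host 119.40.121.24 port 42846, id=24, length=349
    State = 0xfa899988fa888c583b9ffe65a0d465f7
    Proxy-State = 0x31
Sending Access-Reject of id 24 to 119.40.121.24 port 42846
    Proxy-State = 0x31
"""

if __name__ == "__main__":
    for finding in audit_state(SAMPLE_LOG):
        print(describe(finding))
```

Run it over a complete -X capture with audit_state(open(path).read()). A finding whose issued_by_challenge is older than the challenge the server last sent means the request reused a superseded State, i.e. the proxy retransmitted or duplicated a packet the server had already answered; a finding with issued_by_challenge of None means the State never came from this server at all. Either way it is not the "EAP-request timed out" half of the either/or that rlm_eap logs, which is the distinction worth settling before touching the TLS or certificate side.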
-------------- next part --------------
FreeRADIUS Version 3.0.15
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /opt/freeradius-server-3.0.15/share/freeradius/dictionary
including dictionary file /opt/freeradius-server-3.0.15/share/freeradius/dictionary.dhcp
including dictionary file /opt/freeradius-server-3.0.15/share/freeradius/dictionary.vqp
including dictionary file /opt/freeradius-server-3.0.15/etc/raddb/dictionary
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/radiusd.conf
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/proxy.conf
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/clients.conf
including files in directory /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/replicate
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/unix
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/expiration
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/pap
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/digest
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/echo
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/utf8
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/eap
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/exec
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/unpack
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/files
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/soh
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/dhcp
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/linelog
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/passwd
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/cache_eap
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/preprocess
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/expr
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/sradutmp
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/logintime
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/radutmp
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/dynamic_clients
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/ntlm_auth
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/date
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/mschap
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/chap
including files in directory /opt/freeradius-server-3.0.15/etc/raddb/policy.d/
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/cui
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/debug
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/eap
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/dhcp
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/accounting
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/canonicalization
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/filter
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/abfab-tr
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/operator-name
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/policy.d/control
including files in directory /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/eduroam
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
including configuration file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/../eduroam-realm-checks.conf
main {
security {
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server tls {
ipaddr = 127.0.0.1
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.key"
certificate_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.pem"
ca_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/tls-ca-bundle.pem"
dh_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
home_server idp.myifam.upm.my {
ipaddr = 119.40.121.24
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.key"
certificate_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.pem"
ca_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/tls-ca-bundle.pem"
dh_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
home_server eduroam-idp.perdanauniversity.edu.my {
ipaddr = 122.0.23.57
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.key"
certificate_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.pem"
ca_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/tls-ca-bundle.pem"
dh_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
realm LOCAL {
}
realm NULL {
}
realm eduroam.my {
authhost = LOCAL
accthost = LOCAL
}
home_server_pool tls {
type = fail-over
home_server = tls
}
realm tls {
auth_pool = tls
}
home_server_pool myifam.upm.my {
type = fail-over
home_server = idp.myifam.upm.my
}
realm myifam.upm.my {
auth_pool = myifam.upm.my
nostrip
}
home_server_pool perdanauniversity.edu.my {
type = fail-over
home_server = eduroam-idp.perdanauniversity.edu.my
}
realm perdanauniversity.edu.my {
auth_pool = perdanauniversity.edu.my
nostrip
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client idp.myifam.upm.my {
ipaddr = 119.40.121.24
require_message_authenticator = no
secret = <<< secret >>>
shortname = "idp.myifam.upm.my"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client farhan-proline {
ipaddr = 175.139.225.78
require_message_authenticator = no
secret = <<< secret >>>
shortname = "farhan-proline"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = Status-Server
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_replicate
# Loading module "replicate" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/replicate
# Loaded module rlm_always
# Loading module "reject" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/expiration
# Loaded module rlm_detail
# Loading module "detail" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "echo" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
# Loading module "exec" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/files
files {
filename = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/files/authorize"
acctusersfile = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_soh
# Loading module "soh" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_linelog
# Loading module "linelog" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loading module "auth_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "f_ticks" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
linelog f_ticks {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
}
# Loading module "eduroam_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
linelog eduroam_log {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "eduroam_log.%{%{reply:Packet-Type}:-format}"
}
# Loading module "inner_auth_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
linelog inner_auth_log {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "inner_auth_log.%{%{reply:Packet-Type}:-format}"
}
# Loading module "radutmp" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "ntlm_auth" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/chap
instantiate {
}
# Instantiating module "reject" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/expiration
# Instantiating module "detail" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail
# Instantiating module "pap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/pap
# Instantiating module "eap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
}
TLS section "tls" missing, trying to use legacy configuration
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.key"
certificate_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.pem"
ca_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/tls-ca-bundle.pem"
dh_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
TLS section "tls" missing, trying to use legacy configuration
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
TLS section "tls" missing, trying to use legacy configuration
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "files" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/files
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/files/authorize
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/files/accounting
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/linelog
# Instantiating module "auth_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/detail.log
# Instantiating module "etc_passwd" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "cache_eap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "IPASS" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/realm
# Instantiating module "preprocess" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/preprocess
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/preprocess/hints
# Instantiating module "logintime" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/logintime
# Instantiating module "f_ticks" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
# Instantiating module "eduroam_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
# Instantiating module "inner_auth_log" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/f_ticks
# Instantiating module "attr_filter.post-proxy" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/access_reject
[/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.15/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "mschap" from file /opt/freeradius-server-3.0.15/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /opt/freeradius-server-3.0.15/etc/raddb/radiusd.conf
} # server
server eduroam { # from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/eduroam
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server eduroam
server inner-tunnel { # from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth+acct"
ipaddr = *
port = 2083
proto = "tcp"
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.key"
certificate_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/server-myifam.pem"
ca_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/tls-ca-bundle.pem"
dh_file = "/opt/freeradius-server-3.0.15/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
Thread 1 waiting to be assigned a request
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
clients = "radsec"
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client idp.myifam.upm.my {
ipaddr = 119.40.121.24
require_message_authenticator = no
secret = <<< secret >>>
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client eduroam-idp.perdanauniversity.edu.my {
ipaddr = 122.0.23.57
require_message_authenticator = no
secret = <<< secret >>>
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 36165
Listening on proxy address :: port 35195
Ready to process requests
... new connection request on TCP socket
Listening on auth+acct from client (119.40.121.24, 40204) -> (*, 2083, virtual-server=default)
Waking up in 0.4 seconds.
(0) Initiating new EAP-TLS session
(0) Setting verify mode to require certificate from client
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< recv TLS 1.0 Handshake [length 0096], ClientHello
(0) TLS_accept: SSLv3 read client hello A
(0) >>> send TLS 1.0 Handshake [length 003e], ServerHello
(0) TLS_accept: SSLv3 write server hello A
(0) >>> send TLS 1.0 Handshake [length 0abb], Certificate
(0) TLS_accept: SSLv3 write certificate A
(0) >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> send TLS 1.0 Handshake [length 47bd], CertificateRequest
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
(0) In SSL Handshake Phase
(0) In SSL Accept mode
Waking up in 0.4 seconds.
Waking up in 29.4 seconds.
Reached idle timeout on socket auth+acct from client (119.40.121.24, 40204) -> (*, 2083, virtual-server=default)
... shutting down socket auth+acct from client (119.40.121.24, 40204) -> (*, 2083, virtual-server=default)
Waking up in 2.9 seconds.
... cleaning up socket auth+acct from client (119.40.121.24, 40204) -> (*, 2083, virtual-server=default)
Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 0 from 175.139.225.78:56799 to 150.129.185.37:1812 length 144
(0) User-Name = "demo@myifam.upm.my"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x020000170164656d6f406d796966616d2e75706d2e6d79
(0) Message-Authenticator = 0x6c919f552430c347dda227a697746409
(0) # Executing section authorize from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(0) authorize {
(0) if (!(User-Name =~ /@/)){
(0) if (!(User-Name =~ /@/)) -> FALSE
(0) if (User-Name =~ /@$/){
(0) if (User-Name =~ /@$/) -> FALSE
(0) if (User-Name =~ /@.+?@/){
(0) if (User-Name =~ /@.+?@/) -> FALSE
(0) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){
(0) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
(0) if (User-Name =~ /@[\\.-]/){
(0) if (User-Name =~ /@[\\.-]/) -> FALSE
(0) if (User-Name =~ /@.+?[\\.-]$/){
(0) if (User-Name =~ /@.+?[\\.-]$/) -> FALSE
(0) if (User-Name =~ /@[^\\.]+$/){
(0) if (User-Name =~ /@[^\\.]+$/) -> FALSE
(0) if (User-Name =~ /@.+?\\.\\./){
(0) if (User-Name =~ /@.+?\\.\\./) -> FALSE
(0) if (User-Name =~ /@myabc\\.com$/i){
(0) if (User-Name =~ /@myabc\\.com$/i) -> FALSE
(0) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){
(0) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
(0) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(0) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(0) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(0) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(0) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(0) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(0) [preprocess] = ok
(0) policy operator-name.authorize {
(0) if ("%{client:Operator-Name}") {
(0) EXPAND %{client:Operator-Name}
(0) -->
(0) if ("%{client:Operator-Name}") -> FALSE
(0) } # policy operator-name.authorize = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "myifam.upm.my" for User-Name = "demo@myifam.upm.my"
(0) suffix: Found realm "myifam.upm.my"
(0) suffix: Adding Realm = "myifam.upm.my"
(0) suffix: Proxying request from user demo@myifam.upm.my to realm myifam.upm.my
(0) suffix: Preparing to proxy authentication request to realm "myifam.upm.my"
(0) [suffix] = updated
(0) eap: Request is supposed to be proxied to Realm myifam.upm.my. Not doing EAP.
(0) [eap] = noop
(0) [files] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) Starting proxy to home server 119.40.121.24 port 2083
(0) # Executing section pre-proxy from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(0) pre-proxy {
(0) [files] = noop
(0) if ("%{Packet-Type}" != "Accounting-Request") {
(0) EXPAND %{Packet-Type}
(0) --> Access-Request
(0) if ("%{Packet-Type}" != "Accounting-Request") -> TRUE
(0) if ("%{Packet-Type}" != "Accounting-Request") {
(0) attr_filter.pre-proxy: EXPAND %{Realm}
(0) attr_filter.pre-proxy: --> myifam.upm.my
(0) attr_filter.pre-proxy: Matched entry DEFAULT at line 1
(0) [attr_filter.pre-proxy] = updated
(0) } # if ("%{Packet-Type}" != "Accounting-Request") = updated
(0) pre_proxy_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
(0) pre_proxy_log: --> /var/log/freeradius/radacct/175.139.225.78/pre-proxy-detail-20170809
(0) pre_proxy_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/175.139.225.78/pre-proxy-detail-20170809
(0) pre_proxy_log: EXPAND %t
(0) pre_proxy_log: --> Wed Aug 9 00:48:32 2017
(0) [pre_proxy_log] = ok
(0) } # pre-proxy = updated
Trying SSL to port 2083
Requiring Server certificate
(0) (other): before/connect initialization
(0) TLS_connect: before/connect initialization
(0) >>> send TLS 1.2 [length 00ee]
(0) TLS_connect: SSLv2/v3 write client hello A
(0) <<< recv TLS 1.0 Handshake [length 0056], ServerHello
(0) TLS_connect: SSLv3 read server hello A
(0) <<< recv TLS 1.0 Handshake [length 152c], Certificate
(0) Creating attributes from certificate OIDs
(0) Creating attributes from certificate OIDs
(0) Creating attributes from certificate OIDs
(0) Creating attributes from certificate OIDs
(0) TLS_connect: SSLv3 read server certificate A
(0) <<< recv TLS 1.0 Handshake [length 4f05], CertificateRequest
(0) TLS_connect: SSLv3 read server certificate request A
(0) <<< recv TLS 1.0 Handshake [length 0004], ServerHelloDone
(0) TLS_connect: SSLv3 read server done A
(0) >>> send TLS 1.0 Handshake [length 056c], Certificate
(0) TLS_connect: SSLv3 write client certificate A
(0) >>> send TLS 1.0 Handshake [length 0106], ClientKeyExchange
(0) TLS_connect: SSLv3 write client key exchange A
(0) >>> send TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_connect: SSLv3 write certificate verify A
(0) >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_connect: SSLv3 write change cipher spec A
(0) >>> send TLS 1.0 Handshake [length 0010], Finished
(0) TLS_connect: SSLv3 write finished A
(0) TLS_connect: SSLv3 flush data
(0) <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< recv TLS 1.0 Handshake [length 0010], Finished
(0) TLS_connect: SSLv3 read finished A
(0) (other): SSL negotiation finished successfully
Listening on proxy (150.129.185.37, 39490) -> home_server (119.40.121.24, 2083)
Waking up in 0.3 seconds.
(0) Proxying request to home server 119.40.121.24 port 2083 (TLS) timeout 30.000000
(0) Sent Access-Request Id 58 from 150.129.185.37:39490 to 119.40.121.24:2083 length 105
(0) User-Name = "demo@myifam.upm.my"
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) EAP-Message = 0x020000170164656d6f406d796966616d2e75706d2e6d79
(0) Message-Authenticator = 0x6c919f552430c347dda227a697746409
(0) Proxy-State = 0x30
Thread 5 waiting to be assigned a request
(0) Marking home server 119.40.121.24 port 2083 alive
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Challenge Id 58 from 119.40.121.24:2083 to 150.129.185.37:39490 length 67
(0) EAP-Message = 0x010100061520
(0) Message-Authenticator = 0xae0b4764a6888d75fc296eab06a802f3
(0) State = 0xfa899988fa888c583b9ffe65a0d465f7
(0) Proxy-State = 0x30
(0) # Executing section post-proxy from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(0) post-proxy {
(0) post_proxy_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
(0) post_proxy_log: --> /var/log/freeradius/radacct/175.139.225.78/post-proxy-detail-20170809
(0) post_proxy_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/175.139.225.78/post-proxy-detail-20170809
(0) post_proxy_log: EXPAND %t
(0) post_proxy_log: --> Wed Aug 9 00:48:32 2017
(0) [post_proxy_log] = ok
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = ok
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 0 from 150.129.185.37:1812 to 175.139.225.78:56799 length 0
(0) EAP-Message = 0x010100061520
(0) Message-Authenticator = 0xae0b4764a6888d75fc296eab06a802f3
(0) State = 0xfa899988fa888c583b9ffe65a0d465f7
(0) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.1 seconds.
Thread 3 got semaphore
Thread 3 handling request 1, (1 handled so far)
(1) Received Access-Request Id 1 from 175.139.225.78:56799 to 150.129.185.37:1812 length 388
(1) User-Name = "demo@myifam.upm.my"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x020100f9150016030100ee010000ea03035989eb472559f4f5433c4378972fdc148a9eec2de59aa8978917798131fd3d8d000084c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a2009e006700
(1) State = 0xfa899988fa888c583b9ffe65a0d465f7
(1) Message-Authenticator = 0x949e811403ef597fea0c31a191401bef
(1) session-state: No cached attributes
(1) # Executing section authorize from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(1) authorize {
(1) if (!(User-Name =~ /@/)){
(1) if (!(User-Name =~ /@/)) -> FALSE
(1) if (User-Name =~ /@$/){
(1) if (User-Name =~ /@$/) -> FALSE
(1) if (User-Name =~ /@.+?@/){
(1) if (User-Name =~ /@.+?@/) -> FALSE
(1) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){
(1) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
(1) if (User-Name =~ /@[\\.-]/){
(1) if (User-Name =~ /@[\\.-]/) -> FALSE
(1) if (User-Name =~ /@.+?[\\.-]$/){
(1) if (User-Name =~ /@.+?[\\.-]$/) -> FALSE
(1) if (User-Name =~ /@[^\\.]+$/){
(1) if (User-Name =~ /@[^\\.]+$/) -> FALSE
(1) if (User-Name =~ /@.+?\\.\\./){
(1) if (User-Name =~ /@.+?\\.\\./) -> FALSE
(1) if (User-Name =~ /@myabc\\.com$/i){
(1) if (User-Name =~ /@myabc\\.com$/i) -> FALSE
(1) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){
(1) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
(1) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(1) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(1) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(1) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(1) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(1) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(1) [preprocess] = ok
(1) policy operator-name.authorize {
(1) if ("%{client:Operator-Name}") {
(1) EXPAND %{client:Operator-Name}
(1) -->
(1) if ("%{client:Operator-Name}") -> FALSE
(1) } # policy operator-name.authorize = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "myifam.upm.my" for User-Name = "demo@myifam.upm.my"
(1) suffix: Found realm "myifam.upm.my"
(1) suffix: Adding Realm = "myifam.upm.my"
(1) suffix: Proxying request from user demo@myifam.upm.my to realm myifam.upm.my
(1) suffix: Preparing to proxy authentication request to realm "myifam.upm.my"
(1) [suffix] = updated
(1) eap: Request is supposed to be proxied to Realm myifam.upm.my. Not doing EAP.
(1) [eap] = noop
(1) [files] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Starting proxy to home server 119.40.121.24 port 2083
(1) # Executing section pre-proxy from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(1) pre-proxy {
(1) [files] = noop
(1) if ("%{Packet-Type}" != "Accounting-Request") {
(1) EXPAND %{Packet-Type}
(1) --> Access-Request
(1) if ("%{Packet-Type}" != "Accounting-Request") -> TRUE
(1) if ("%{Packet-Type}" != "Accounting-Request") {
(1) attr_filter.pre-proxy: EXPAND %{Realm}
(1) attr_filter.pre-proxy: --> myifam.upm.my
(1) attr_filter.pre-proxy: Matched entry DEFAULT at line 1
(1) [attr_filter.pre-proxy] = updated
(1) } # if ("%{Packet-Type}" != "Accounting-Request") = updated
(1) pre_proxy_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
(1) pre_proxy_log: --> /var/log/freeradius/radacct/175.139.225.78/pre-proxy-detail-20170809
(1) pre_proxy_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/175.139.225.78/pre-proxy-detail-20170809
(1) pre_proxy_log: EXPAND %t
(1) pre_proxy_log: --> Wed Aug 9 00:48:32 2017
(1) [pre_proxy_log] = ok
(1) } # pre-proxy = updated
(1) Proxying request to home server 119.40.121.24 port 2083 (TLS) timeout 30.000000
(1) Sent Access-Request Id 186 from 150.129.185.37:39490 to 119.40.121.24:2083 length 349
(1) User-Name = "demo@myifam.upm.my"
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) EAP-Message = 0x020100f9150016030100ee010000ea03035989eb472559f4f5433c4378972fdc148a9eec2de59aa8978917798131fd3d8d000084c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a2009e006700
(1) State = 0xfa899988fa888c583b9ffe65a0d465f7
(1) Message-Authenticator = 0x949e811403ef597fea0c31a191401bef
(1) Proxy-State = 0x31
Thread 3 waiting to be assigned a request
Received packet will be too large! Set "fragment_size = 1093"
Closing TLS socket to home server
(0) >>> send TLS 1.0 Alert [length 0002], warning close_notify
Client has closed connection
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
(1) Waiting for client retransmission in order to do a proxy retransmit
Waking up in 4.5 seconds.
Trying SSL to port 2083
Requiring Server certificate
(0) (other): before/connect initialization
(0) TLS_connect: before/connect initialization
(0) >>> send TLS 1.2 [length 00ee]
(0) TLS_connect: SSLv2/v3 write client hello A
(0) <<< recv TLS 1.0 Handshake [length 0056], ServerHello
(0) TLS_connect: SSLv3 read server hello A
(0) <<< recv TLS 1.0 Handshake [length 152c], Certificate
(0) Creating attributes from certificate OIDs
(0) Creating attributes from certificate OIDs
(0) Creating attributes from certificate OIDs
(0) Creating attributes from certificate OIDs
(0) TLS_connect: SSLv3 read server certificate A
(0) <<< recv TLS 1.0 Handshake [length 4f05], CertificateRequest
(0) TLS_connect: SSLv3 read server certificate request A
(0) <<< recv TLS 1.0 Handshake [length 0004], ServerHelloDone
(0) TLS_connect: SSLv3 read server done A
(0) >>> send TLS 1.0 Handshake [length 056c], Certificate
(0) TLS_connect: SSLv3 write client certificate A
(0) >>> send TLS 1.0 Handshake [length 0106], ClientKeyExchange
(0) TLS_connect: SSLv3 write client key exchange A
(0) >>> send TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_connect: SSLv3 write certificate verify A
(0) >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_connect: SSLv3 write change cipher spec A
(0) >>> send TLS 1.0 Handshake [length 0010], Finished
(0) TLS_connect: SSLv3 write finished A
(0) TLS_connect: SSLv3 flush data
(0) <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< recv TLS 1.0 Handshake [length 0010], Finished
(0) TLS_connect: SSLv3 read finished A
(0) (other): SSL negotiation finished successfully
Listening on proxy (150.129.185.37, 57409) -> home_server (119.40.121.24, 2083)
(1) Proxying request to home server 119.40.121.24 port 2083 (TLS) timeout 30.000000
(1) Sent Access-Request Id 157 from 150.129.185.37:57409 to 119.40.121.24:2083 length 349
(1) User-Name = "demo@myifam.upm.my"
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) EAP-Message = 0x020100f9150016030100ee010000ea03035989eb472559f4f5433c4378972fdc148a9eec2de59aa8978917798131fd3d8d000084c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a2009e006700
(1) State = 0xfa899988fa888c583b9ffe65a0d465f7
(1) Message-Authenticator = 0x949e811403ef597fea0c31a191401bef
(1) Proxy-State = 0x31
Waking up in 1.7 seconds.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
(1) Clearing existing &reply: attributes
(1) Received Access-Reject Id 157 from 119.40.121.24:2083 to 150.129.185.37:57409 length 23
(1) Proxy-State = 0x31
(1) # Executing section post-proxy from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(1) post-proxy {
(1) post_proxy_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
(1) post_proxy_log: --> /var/log/freeradius/radacct/175.139.225.78/post-proxy-detail-20170809
(1) post_proxy_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/175.139.225.78/post-proxy-detail-20170809
(1) post_proxy_log: EXPAND %t
(1) post_proxy_log: --> Wed Aug 9 00:48:32 2017
(1) [post_proxy_log] = ok
(1) eap: No pre-existing handler found
(1) [eap] = noop
(1) } # post-proxy = ok
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /opt/freeradius-server-3.0.15/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(1) reply_log: --> /var/log/freeradius/radacct/175.139.225.78/reply-detail-20170809
(1) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/175.139.225.78/reply-detail-20170809
(1) reply_log: WARNING: Skipping empty packet
(1) [reply_log] = ok
(1) f_ticks: EXPAND f_ticks.%{%{reply:Packet-Type}:-format}
(1) f_ticks: --> f_ticks.Access-Reject
(1) f_ticks: EXPAND F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=MY#VISINST=%{Operator-Name}#CSI=%{%{Calling-Station-Id}:-UnknownCSID}#RESULT=FAIL#
(1) f_ticks: --> F-TICKS/eduroam/1.0#REALM=myifam.upm.my#VISCOUNTRY=MY#VISINST=#CSI=02-00-00-00-00-01#RESULT=FAIL#
(1) [f_ticks] = ok
(1) eduroam_log: EXPAND eduroam_log.%{%{reply:Packet-Type}:-format}
(1) eduroam_log: --> eduroam_log.Access-Reject
(1) eduroam_log: EXPAND eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#
(1) eduroam_log: --> eduroam-auth#ORG=myifam.upm.my#USER=demo at myifam.upm.my#CSI=02-00-00-00-00-01#NAS=Unknown Access Point#CUI=Unknown#MSG=No Failure Reason#RESULT=FAIL#
(1) [eduroam_log] = ok
(1) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(1) linelog: --> messages.Access-Reject
(1) linelog: EXPAND Rejected user: %{User-Name}
(1) linelog: --> Rejected user: demo at myifam.upm.my
(1) linelog: EXPAND /var/log/freeradius/linelog
(1) linelog: --> /var/log/freeradius/linelog
(1) [linelog] = ok
(1) redundant {
(1) [ok] = ok
(1) } # redundant = ok
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> demo at myifam.upm.my
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xfa899988fa888c58
(1) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(1) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Cleaning up request packet ID 0 with timestamp +42
Waking up in 0.2 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 150.129.185.37:1812 to 175.139.225.78:56799 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 1 with timestamp +42
Waking up in 20.9 seconds.
More information about the Freeradius-Users mailing list
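The order of events in the proxy log above is the thing to check before chasing the EAP error: request (1) carries an EAP-TTLS ClientHello and a State attribute, the proxy then receives an Access-Reject from the RadSec peer 119.40.121.24:2083, and only afterwards, inside Post-Auth-Type REJECT, does rlm_eap complain that it has no session matching that State (it never created one, since the request was proxied; post-proxy already said "No pre-existing handler found"). The following script is an added triage helper, not part of the original post and not FreeRADIUS code. It groups a 3.x debug log by request number, decodes the EAP-Message header (code, id, length, EAP type, TLS flags, and whether the payload is a TLS ClientHello), checks that the State quoted in the error is a prefix of the request's State attribute, and reports whether the "No EAP session matching state" line followed an upstream reject. It assumes that a reply from source port 2083 came over RadSec; the sample lines are copied from the posted log, with the EAP-Message value truncated to its first 17 bytes.

```python
"""Triage a FreeRADIUS 3.x proxy debug log: where did the Access-Reject come from?
Added example; not code from the original post or from the FreeRADIUS project."""
import re
from collections import OrderedDict

RADSEC_PORT = 2083  # assumption: replies from this source port arrived over RadSec (RFC 6614)

# Sample lines copied from the posted proxy log (request 1); EAP-Message truncated to 17 bytes.
SAMPLE_LOG = """\
(1) EAP-Message = 0x020100f9150016030100ee010000ea0303
(1) State = 0xfa899988fa888c583b9ffe65a0d465f7
(1) Received Access-Reject Id 157 from 119.40.121.24:2083 to 150.129.185.37:57409 length 23
(1) eap: No pre-existing handler found
(1) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xfa899988fa888c58
(1) Sent Access-Reject Id 1 from 150.129.185.37:1812 to 175.139.225.78:56799 length 20
"""

LINE = re.compile(r"^\((\d+)\) (.*)$")
REPLY = re.compile(r"^(Received|Sent) (Access-\w+) Id (\d+) from ([\d.]+):(\d+) to ([\d.]+):(\d+)")
EAP_ERR = re.compile(r"eap: ERROR: rlm_eap \(EAP\): No EAP session matching state (0x[0-9a-fA-F]+)")
ATTR = re.compile(r"^(EAP-Message|State) = 0x([0-9a-fA-F]+)$")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(hexstr):
    """Decode the EAP header and, for TLS-based methods, the flags and the first TLS record."""
    raw = bytes.fromhex(hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) > 4:
        etype = raw[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype in (13, 21, 25) and len(raw) > 5:
            flags = raw[5]  # L=0x80 (length included), M=0x40 (more fragments), S=0x20 (start)
            info["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            off = 6 + (4 if flags & 0x80 else 0)  # skip the optional 4-byte TLS message length
            if len(raw) >= off + 3 and raw[off] == 0x16:  # TLS record type 22 = Handshake
                info["tls_record"] = "Handshake v%d.%d" % (raw[off + 1], raw[off + 2])
                if len(raw) >= off + 6 and raw[off + 5] == 0x01:  # handshake type 1 = ClientHello
                    info["handshake"] = "ClientHello"
    return info


def triage(log_text):
    """Group lines by request number and record replies, EAP errors and key attributes."""
    reqs = OrderedDict()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        num, body = int(m.group(1)), m.group(2)
        r = reqs.setdefault(num, {"events": [], "state": None, "eap": None})
        a = ATTR.match(body)
        if a:
            if a.group(1) == "State" and r["state"] is None:
                r["state"] = a.group(2).lower()
            elif a.group(1) == "EAP-Message" and r["eap"] is None:
                r["eap"] = decode_eap(a.group(2))
            continue
        p = REPLY.match(body)
        if p:
            direction, code, pid, sip, sport, dip, dport = p.groups()
            r["events"].append({"kind": direction.lower(), "code": code, "id": int(pid),
                                "src": f"{sip}:{sport}", "dst": f"{dip}:{dport}",
                                "radsec": int(sport) == RADSEC_PORT})
            continue
        e = EAP_ERR.search(body)
        if e:
            r["events"].append({"kind": "eap_state_error", "state": e.group(1).lower()})
    for r in reqs.values():
        r["verdict"] = verdict(r)
    return reqs


def state_prefix_matches(r):
    """The error quotes a prefix of the request's State (8 of 16 bytes in the posted log)."""
    err = next((e["state"][2:] for e in r["events"] if e["kind"] == "eap_state_error"), None)
    return bool(r["state"] and err and r["state"].startswith(err))


def verdict(r):
    """Did the local EAP-state error follow an upstream reject, or is it a local failure?"""
    ev = r["events"]
    err_idx = next((i for i, e in enumerate(ev) if e["kind"] == "eap_state_error"), None)
    upstream = [(i, e) for i, e in enumerate(ev) if e["kind"] == "received" and e["code"] == "Access-Reject"]
    if upstream and err_idx is not None and upstream[0][0] < err_idx:
        e = upstream[0][1]
        where = "RadSec peer" if e["radsec"] else "upstream server"
        return f"reject came from {where} {e['src']}; local EAP-state error is a consequence"
    if err_idx is not None:
        return "EAP-state error raised locally with no upstream reject: check this server's own EAP sessions"
    if upstream:
        return f"reject came from upstream {upstream[0][1]['src']}"
    return "no reject seen"


if __name__ == "__main__":
    for num, r in triage(SAMPLE_LOG).items():
        print(f"({num}) eap={r['eap']} state_prefix_ok={state_prefix_matches(r)}")
        print(f"({num}) {r['verdict']}")
```

Run the same script over the home server's (client side) log: there the verdict for the failing request should come out as "raised locally with no upstream reject", which is where the missing EAP session actually has to be explained; on the proxy it is only the echo of the reject it forwarded.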