Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle eric at wittle.net
Tue Dec 4 02:58:43 CET 2018


I looked over the debug output from attempts that should have succeeded (valid username and password), vs. those that should have failed (invalid password). It seems like the result description is the following for a valid username / password:

(1) Sent Access-Reject Id 10 from 192.168.1.2:1812 to 192.168.1.1:43315 length 20

and this for an invalid password:

(0) Sent Access-Reject Id 9 from 192.168.1.2:1812 to 192.168.1.1:48225 length 20

That seems to imply that FreeRADIUS 3.0.17 is doing the right thing, but somehow the results for the Ubiquiti EdgeRouter VPN authentication are different. Am I reading the log correctly?

I’ve posted in the Ubiquiti forums asking for help there as well, assuming that I’m reading this debug log correctly and authentication is actually succeeding:

https://community.ubnt.com/t5/EdgeRouter/VPN-radius-authentication-incorrectly-failing/m-p/2584939#M230964

I did a quick web search to see if I could log the authentication response to the EdgeRouter, but didn’t find anything that was particularly clear.

Did the authentication response change from 2.2.10 to 3.0.17? I could presumably rebuild and reconfigure with a 2.X version to see if that would be more compatible with the EdgeRouter.

-Eric
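
Added example, not part of the original message: a small Python parser for the reply lines that `radiusd -X` prints in the two formats shown in this thread (3.0.x `Sent <code> Id N ... length L` and 2.x `Sending <code> of id N`), listing each reply's code and attributes. The function names are hypothetical, the 3.x attribute-line layout `(N)   Name = value` and IPv4 addresses are assumptions, and the sample lines are copied from the thread with the MS-CHAP2-Success value replaced by a placeholder.

```python
import re

# A RADIUS packet header is code(1) + id(1) + length(2) + authenticator(16).
RADIUS_HEADER_LEN = 20

# Mail quoting ("> ", ">> ") in front of pasted debug output.
QUOTE = re.compile(r"^>+ ?")

# FreeRADIUS 3.0.x: "(1) Sent Access-Reject Id 10 from a:p to b:p length 20"
V3_REPLY = re.compile(
    r"^\((?P<req>\d+)\)\s+Sent (?P<code>[A-Za-z-]+) Id (?P<id>\d+) "
    r"from \S+ to (?P<nas>[^\s:]+):(?P<port>\d+) length (?P<length>\d+)"
)

# FreeRADIUS 2.x: "Sending Access-Accept of id 2 to 192.168.1.1 port 60795"
V2_REPLY = re.compile(
    r"^Sending (?P<code>[A-Za-z-]+) of id (?P<id>\d+) "
    r"to (?P<nas>\S+) port (?P<port>\d+)"
)

# Reply attributes follow the reply line, indented; 3.x prefixes "(N)" (assumed).
ATTR = re.compile(r"^(?:\(\d+\))?\s+(?P<name>[A-Za-z0-9-]+) = ")


def parse_replies(debug_text):
    """Return one dict per reply packet found in radiusd -X output."""
    replies = []
    current = None
    for raw in debug_text.splitlines():
        line = QUOTE.sub("", raw.rstrip())
        m = V3_REPLY.match(line) or V2_REPLY.match(line)
        if m:
            d = m.groupdict()
            current = {
                "request": int(d["req"]) if d.get("req") else None,
                "code": d["code"],
                "id": int(d["id"]),
                "nas": d["nas"],
                "length": int(d["length"]) if d.get("length") else None,
                "attrs": [],
            }
            replies.append(current)
            continue
        a = ATTR.match(line) if current is not None else None
        if a:
            current["attrs"].append(a.group("name"))
        else:
            current = None  # attribute list of the last reply has ended
    return replies


def diagnose(reply):
    """Notes on a parsed reply that matter for an MS-CHAPv2 login."""
    notes = []
    if reply["length"] == RADIUS_HEADER_LEN:
        notes.append("bare header: reply carries no attributes")
    # RFC 2548: MS-CHAP2-Success carries the authenticator response
    # that the NAS relays to the peer after an MS-CHAPv2 accept.
    if reply["code"] == "Access-Accept" and "MS-CHAP2-Success" not in reply["attrs"]:
        notes.append("accept without MS-CHAP2-Success")
    return notes


# Lines copied from this thread; the MS-CHAP2-Success value is a placeholder.
SAMPLE = """\
(1) Sent Access-Reject Id 10 from 192.168.1.2:1812 to 192.168.1.1:43315 length 20
(0) Sent Access-Reject Id 9 from 192.168.1.2:1812 to 192.168.1.1:48225 length 20
>> Sending Access-Accept of id 2 to 192.168.1.1 port 60795
>> \tFramed-Protocol = PPP
>> \tFramed-Compression = Van-Jacobson-TCP-IP
>> \tMS-CHAP2-Success = 0x00
>> Finished request 0.
"""

if __name__ == "__main__":
    for r in parse_replies(SAMPLE):
        print(r["request"], r["code"], "id", r["id"], r["attrs"], diagnose(r))
```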

> On Dec 3, 2018, at 7:16 AM, Eric Wittle <eric at wittle.net> wrote:
> 
> And finally what success and failure look like from the router’s messages log:
> 
> Successful authentication with OS X Server’s FreeRADIUS 2.10:
> 
> Dec  3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074.  Local: 33742, Remote: 28 (ref=0/0).  LNS session is 'default'
> Dec  3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1
> Dec  3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0
> Dec  3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <-->
> Dec  3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
> Dec  3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP
> Dec  3 12:11:43 ubnt pppd[17357]: local  IP address 10.255.255.0
> Dec  3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100
> Dec  3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink.
> Dec  3 12:12:23 ubnt pppd[17357]: Modem hangup
> 
> Failed authentication with manually installed FreeRADIUS 3:
> 
> Dec  3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849.  Local: 23776, Remote: 29 (ref=0/0).  LNS session is 'default'
> Dec  3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1
> Dec  3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0
> Dec  3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <-->
> Dec  3 12:13:06 ubnt pppd[17610]:
> Dec  3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication
> Dec  3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink.
> Dec  3 12:13:12 ubnt pppd[17610]: Modem hangup
> 
> -Eric
> 
>> On Dec 3, 2018, at 6:48 AM, Eric Wittle <eric at wittle.net> wrote:
>> 
>> In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
>> 
>> -Eric
>> 
>> rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
>> 	Service-Type = Framed-User
>> 	Framed-Protocol = PPP
>> 	User-Name = "eric"
>> 	MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
>> 	MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
>> 	NAS-IP-Address = 127.0.1.1
>> 	NAS-Port = 0
>> # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
>> +group authorize {
>> ++[preprocess] = ok
>> ++[chap] = noop
>> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>> ++[mschap] = ok
>> ++[digest] = noop
>> [suffix] No '@' in User-Name = "eric", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] = noop
>> [files] users: Matched entry DEFAULT at line 178
>> ++[files] = ok
>> [opendirectory] The host 192.168.1.1 does not have an access group.
>> ++[opendirectory] = ok
>> ++[expiration] = noop
>> ++[logintime] = noop
>> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>> ++[pap] = noop
>> +} # group authorize = ok
>> Found Auth-Type = MSCHAP
>> # Executing group from file /Library/Server/radius/raddb/sites-enabled/default
>> +group MS-CHAP {
>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>> [mschap] Creating challenge hash with username: eric
>> [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
>> [mschap] Using OpenDirectory to authenticate
>> [mschap] Doing OD MSCHAPv2 auth
>> [mschap] Successful authentication for eric
>> ++[mschap] = ok
>> +} # group MS-CHAP = ok
>> Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net port 0)
>> # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
>> +group post-auth {
>> ++[exec] = noop
>> +} # group post-auth = noop
>> Sending Access-Accept of id 2 to 192.168.1.1 port 60795
>> 	Framed-Protocol = PPP
>> 	Framed-Compression = Van-Jacobson-TCP-IP
>> 	MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
>> 	Acct-Session-Id = "5C0514303B2A00"
>> 	User-Name = "eric"
>> 	Acct-Status-Type = Start
>> 	Service-Type = Framed-User
>> 	Framed-Protocol = PPP
>> 	Acct-Authentic = RADIUS
>> 	NAS-Port-Type = Async
>> 	Framed-IP-Address = 192.168.6.100
>> 	NAS-IP-Address = 127.0.1.1
>> 	NAS-Port = 0
>> 	Acct-Delay-Time = 0
>> # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
>> +group preacct {
>> ++[preprocess] = ok
>> [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
>> [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
>> [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
>> ++[acct_unique] = ok
>> [suffix] No '@' in User-Name = "eric", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> ++[files] = noop
>> +} # group preacct = ok
>> # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
>> +group accounting {
>> [detail] 	expand: %{Packet-Src-IP-Address} -> 192.168.1.1
>> [detail] 	expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
>> [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
>> [detail] 	expand: %t -> Mon Dec  3 06:32:00 2018
>> ++[detail] = ok
>> ++[exec] = noop
>> [attr_filter.accounting_response] 	expand: %{User-Name} -> eric
>> attr_filter: Matched entry DEFAULT at line 12
>> ++[attr_filter.accounting_response] = updated
>> +} # group accounting = updated
>> Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
>> Finished request 1.
>> Cleaning up request 1 ID 3 with timestamp +23
>> Going to the next request
>> Waking up in 4.3 seconds.
>> Cleaning up request 0 ID 2 with timestamp +22
>> Ready to process requests.
>> 
>>> On Dec 3, 2018, at 6:26 AM, Eric Wittle <eric at wittle.net> wrote:
>>> 
>>> OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
>>> 
>>> Dec  3 2018 06:21:55 123216us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>> 
>>> So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
>>> 
>>> -Eric
>>> 
>>>> On Dec 3, 2018, at 6:14 AM, Eric Wittle <eric at wittle.net> wrote:
>>>> 
>>>> Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of Google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
>>>> 
>>>> The contents of ApplePasswordServer.Error.Log
>>>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
>>>> -- Start: Server rolled log on: Nov 13 2018 21:17:19 --
>>>> Dec  2 2018 14:52:47 819295us    Requested SASL mechanism not loaded: SMB-NT
>>>> Dec  2 2018 15:03:43 692394us    Requested SASL mechanism not loaded: SMB-NT
>>>> Dec  2 2018 15:07:34 139111us    Requested SASL mechanism not loaded: SMB-NT
>>>> 
>>>> The tail end of ApplePasswordServer.Server.Log
>>>> 
>>>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
>>>> Dec  2 2018 14:52:43 233320us    Stopping server processes ...
>>>> Dec  2 2018 14:52:43 234062us    Closing all incoming connections ...
>>>> Dec  2 2018 14:52:43 234097us    StopCentralThreads: Stopping Connection Listeners ...
>>>> Dec  2 2018 14:52:43 234645us    StopCentralThreads: Current Threads: 10
>>>> Dec  2 2018 14:52:43 234669us    Stopping Network Processes ...
>>>> Dec  2 2018 14:52:43 234682us    Deinitializing networking ...
>>>> Dec  2 2018 14:52:43 234701us    Server Processes Stopped ...
>>>> Dec  2 2018 14:52:43 234718us    RunAppThread Stopped
>>>> Dec  2 2018 14:52:43 234747us    RunAppThread Deleted
>>>> Dec  2 2018 14:52:47 755661us    Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec  2 14:52:47 2018
>>>> .
>>>> Dec  2 2018 14:52:47 755702us    RunAppThread Created
>>>> Dec  2 2018 14:52:47 755746us    RunAppThread Started
>>>> Dec  2 2018 14:52:47 755760us    Initializing Server Globals ...
>>>> Dec  2 2018 14:52:47 768754us    Initializing Networking ...
>>>> Dec  2 2018 14:52:47 768819us    Initializing TCP ...
>>>> Dec  2 2018 14:52:47 819245us    SASL is using realm "MAIL.WITTLE.NET"
>>>> Dec  2 2018 14:52:47 824367us    Starting Central Thread ...
>>>> Dec  2 2018 14:52:47 824401us    Starting other server processes ...
>>>> Dec  2 2018 14:52:47 824412us    StartCentralThreads: 1 threads to stop
>>>> Dec  2 2018 14:52:47 824451us    Initializing TCP ...
>>>> Dec  2 2018 14:52:47 824580us    Starting TCP/IP Listener on ethernet interface, port 106
>>>> Dec  2 2018 14:52:47 824630us    Starting TCP/IP Listener on ethernet interface, port 3659
>>>> Dec  2 2018 14:52:47 824723us    Starting TCP/IP Listener on interface lo0, port 106
>>>> Dec  2 2018 14:52:47 824762us    Starting TCP/IP Listener on interface lo0, port 3659
>>>> Dec  2 2018 14:52:47 824800us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>>> Dec  2 2018 14:52:47 824820us    Starting UNIX domain socket listener /var/run/passwordserver
>>>> Dec  2 2018 14:52:47 825558us    Finished starting other server processes ...
>>>> Dec  2 2018 14:52:47 825582us    -- Password Server successfully started --
>>>> Dec  2 2018 14:52:47 825592us    -- Start time: 0 sec, 74 msec --
>>>> Dec  2 2018 15:03:32 701865us    Stopping server processes ...
>>>> Dec  2 2018 15:03:32 702676us    Closing all incoming connections ...
>>>> Dec  2 2018 15:03:32 702706us    StopCentralThreads: Stopping Connection Listeners ...
>>>> Dec  2 2018 15:03:32 703903us    StopCentralThreads: Current Threads: 3
>>>> Dec  2 2018 15:03:32 703930us    Stopping Network Processes ...
>>>> Dec  2 2018 15:03:32 703944us    Deinitializing networking ...
>>>> Dec  2 2018 15:03:32 703960us    Server Processes Stopped ...
>>>> Dec  2 2018 15:03:32 703977us    RunAppThread Stopped
>>>> Dec  2 2018 15:03:32 703989us    RunAppThread Deleted
>>>> Dec  2 2018 15:03:33 705899us    Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec  2 15:03:33 2018
>>>> .
>>>> Dec  2 2018 15:03:43 644217us    Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec  2 15:03:43 2018
>>>> .
>>>> Dec  2 2018 15:03:43 644253us    RunAppThread Created
>>>> Dec  2 2018 15:03:43 644295us    RunAppThread Started
>>>> Dec  2 2018 15:03:43 644316us    Initializing Server Globals ...
>>>> Dec  2 2018 15:03:43 677609us    Initializing Networking ...
>>>> Dec  2 2018 15:03:43 677736us    Initializing TCP ...
>>>> Dec  2 2018 15:03:43 692357us    SASL is using realm "MAIL.WITTLE.NET"
>>>> Dec  2 2018 15:03:43 692877us    Starting Central Thread ...
>>>> Dec  2 2018 15:03:43 692895us    Starting other server processes ...
>>>> Dec  2 2018 15:03:43 692905us    StartCentralThreads: 1 threads to stop
>>>> Dec  2 2018 15:03:43 692938us    Initializing TCP ...
>>>> Dec  2 2018 15:03:43 693040us    Starting TCP/IP Listener on ethernet interface, port 106
>>>> Dec  2 2018 15:03:43 693082us    Starting TCP/IP Listener on ethernet interface, port 3659
>>>> Dec  2 2018 15:03:43 693110us    Starting TCP/IP Listener on interface lo0, port 106
>>>> Dec  2 2018 15:03:43 693133us    Starting TCP/IP Listener on interface lo0, port 3659
>>>> Dec  2 2018 15:03:43 693156us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>>> Dec  2 2018 15:03:43 693167us    Starting UNIX domain socket listener /var/run/passwordserver
>>>> Dec  2 2018 15:03:43 694190us    Finished starting other server processes ...
>>>> Dec  2 2018 15:03:43 694212us    -- Password Server successfully started --
>>>> Dec  2 2018 15:03:43 694222us    -- Start time: 0 sec, 54 msec --
>>>> Dec  2 2018 15:05:24 289083us    Stopping server processes ...
>>>> Dec  2 2018 15:05:24 289128us    Closing all incoming connections ...
>>>> Dec  2 2018 15:05:24 289150us    StopCentralThreads: Stopping Connection Listeners ...
>>>> Dec  2 2018 15:05:24 290059us    StopCentralThreads: Current Threads: 3
>>>> Dec  2 2018 15:05:24 290086us    Stopping Network Processes ...
>>>> Dec  2 2018 15:05:24 290098us    Deinitializing networking ...
>>>> Dec  2 2018 15:05:24 290113us    Server Processes Stopped ...
>>>> Dec  2 2018 15:05:24 290129us    RunAppThread Stopped
>>>> Dec  2 2018 15:05:24 290142us    RunAppThread Deleted
>>>> Dec  2 2018 15:05:26 221197us    Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec  2 15:05:26 2018
>>>> .
>>>> Dec  2 2018 15:07:34 103685us    Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec  2 15:07:34 2018
>>>> .
>>>> Dec  2 2018 15:07:34 103718us    RunAppThread Created
>>>> Dec  2 2018 15:07:34 103758us    RunAppThread Started
>>>> Dec  2 2018 15:07:34 103779us    Initializing Server Globals ...
>>>> Dec  2 2018 15:07:34 118899us    Initializing Networking ...
>>>> Dec  2 2018 15:07:34 118961us    Initializing TCP ...
>>>> Dec  2 2018 15:07:34 139076us    SASL is using realm "MAIL.WITTLE.NET"
>>>> Dec  2 2018 15:07:34 139134us    Starting Central Thread ...
>>>> Dec  2 2018 15:07:34 139141us    Starting other server processes ...
>>>> Dec  2 2018 15:07:34 139147us    StartCentralThreads: 1 threads to stop
>>>> Dec  2 2018 15:07:34 139174us    Initializing TCP ...
>>>> Dec  2 2018 15:07:34 139265us    Starting TCP/IP Listener on ethernet interface, port 106
>>>> Dec  2 2018 15:07:34 139302us    Starting TCP/IP Listener on ethernet interface, port 3659
>>>> Dec  2 2018 15:07:34 139322us    Starting TCP/IP Listener on interface lo0, port 106
>>>> Dec  2 2018 15:07:34 139350us    Starting TCP/IP Listener on interface lo0, port 3659
>>>> Dec  2 2018 15:07:34 139443us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>>> Dec  2 2018 15:07:34 139462us    Starting UNIX domain socket listener /var/run/passwordserver
>>>> Dec  2 2018 15:07:34 140156us    Finished starting other server processes ...
>>>> Dec  2 2018 15:07:34 140178us    -- Password Server successfully started --
>>>> Dec  2 2018 15:07:34 140190us    -- Start time: 0 sec, 41 msec --
>>>> Dec  2 2018 20:01:57 945387us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 20:35:44 395239us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 20:37:17 158109us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 20:37:43 63472us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 21:17:05 402081us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 21:37:24 961075us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> 
>>>> It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in FreeRADIUS instance with “radiusconfig -start”, and stopping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X Server.
>>>> 
>>>> I’ll take a look and see if radiusconfig is a script…
>>>> 
>>>> -Eric
>>>> 
>>>>> On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric at wittle.net> wrote:
>>>>> 
>>>>> Pasted this time…
>>>>> 
>>>>> FreeRADIUS Version 3.0.17
>>>>> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
>>>>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>>>>> PARTICULAR PURPOSE
>>>>> You may redistribute copies of FreeRADIUS under the terms of the
>>>>> GNU General Public License
>>>>> For more information about these matters, see the file named COPYRIGHT
>>>>> Starting - reading configuration files ...
>>>>> including dictionary file /usr/local/share/freeradius/dictionary
>>>>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>>>>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>>>>> including dictionary file /usr/local/etc/raddb/dictionary
>>>>> including configuration file /usr/local/etc/raddb/radiusd.conf
>>>>> including configuration file /usr/local/etc/raddb/proxy.conf
>>>>> including configuration file /usr/local/etc/raddb/clients.conf
>>>>> including files in directory /usr/local/etc/raddb/mods-enabled/
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/sql
>>>>> including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>>>>> including files in directory /usr/local/etc/raddb/policy.d/
>>>>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>>>>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>>>>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>>>>> including configuration file /usr/local/etc/raddb/policy.d/control
>>>>> including configuration file /usr/local/etc/raddb/policy.d/cui
>>>>> including configuration file /usr/local/etc/raddb/policy.d/debug
>>>>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>>>>> including configuration file /usr/local/etc/raddb/policy.d/eap
>>>>> including configuration file /usr/local/etc/raddb/policy.d/filter
>>>>> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>>>>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>>>>> including files in directory /usr/local/etc/raddb/sites-enabled/
>>>>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>>>>> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>>> main {
>>>>>  security {
>>>>>  	allow_core_dumps = no
>>>>>  }
>>>>> 	name = "radiusd"
>>>>> 	prefix = "/usr/local"
>>>>> 	localstatedir = "/var"
>>>>> 	logdir = "/var/log/radius"
>>>>> 	run_dir = "/var/run/radiusd"
>>>>> }
>>>>> main {
>>>>> 	name = "radiusd"
>>>>> 	prefix = "/usr/local"
>>>>> 	localstatedir = "/var"
>>>>> 	sbindir = "/usr/local/sbin"
>>>>> 	logdir = "/var/log/radius"
>>>>> 	run_dir = "/var/run/radiusd"
>>>>> 	libdir = "/usr/local/lib"
>>>>> 	radacctdir = "/var/log/radius/radacct"
>>>>> 	hostname_lookups = no
>>>>> 	max_request_time = 30
>>>>> 	cleanup_delay = 5
>>>>> 	max_requests = 16384
>>>>> 	pidfile = "/var/run/radiusd/radiusd.pid"
>>>>> 	checkrad = "/usr/local/sbin/checkrad"
>>>>> 	debug_level = 0
>>>>> 	proxy_requests = yes
>>>>>  log {
>>>>>  	stripped_names = no
>>>>>  	auth = no
>>>>>  	auth_badpass = no
>>>>>  	auth_goodpass = no
>>>>>  	colourise = yes
>>>>>  	msg_denied = "You are already logged in - access denied"
>>>>>  }
>>>>>  resources {
>>>>>  }
>>>>>  security {
>>>>>  	max_attributes = 200
>>>>>  	reject_delay = 1.000000
>>>>>  	status_server = yes
>>>>>  	allow_vulnerable_openssl = "no"
>>>>>  }
>>>>> }
>>>>> radiusd: #### Loading Realms and Home Servers ####
>>>>>  proxy server {
>>>>>  	retry_delay = 5
>>>>>  	retry_count = 3
>>>>>  	default_fallback = no
>>>>>  	dead_time = 120
>>>>>  	wake_all_if_all_dead = no
>>>>>  }
>>>>>  home_server localhost {
>>>>>  	ipaddr = 127.0.0.1
>>>>>  	port = 1812
>>>>>  	type = "auth"
>>>>>  	secret = <<< secret >>>
>>>>>  	response_window = 20.000000
>>>>>  	response_timeouts = 1
>>>>>  	max_outstanding = 65536
>>>>>  	zombie_period = 40
>>>>>  	status_check = "status-server"
>>>>>  	ping_interval = 30
>>>>>  	check_interval = 30
>>>>>  	check_timeout = 4
>>>>>  	num_answers_to_alive = 3
>>>>>  	revive_interval = 120
>>>>>   limit {
>>>>>   	max_connections = 16
>>>>>   	max_requests = 0
>>>>>   	lifetime = 0
>>>>>   	idle_timeout = 0
>>>>>   }
>>>>>   coa {
>>>>>   	irt = 2
>>>>>   	mrt = 16
>>>>>   	mrc = 5
>>>>>   	mrd = 30
>>>>>   }
>>>>>  }
>>>>>  home_server_pool my_auth_failover {
>>>>> 	type = fail-over
>>>>> 	home_server = localhost
>>>>>  }
>>>>>  realm example.com {
>>>>> 	auth_pool = my_auth_failover
>>>>>  }
>>>>>  realm LOCAL {
>>>>>  }
>>>>> radiusd: #### Loading Clients ####
>>>>>  client localhost {
>>>>>  	ipaddr = 127.0.0.1
>>>>>  	require_message_authenticator = no
>>>>>  	secret = <<< secret >>>
>>>>>  	nas_type = "other"
>>>>>  	proto = "*"
>>>>>   limit {
>>>>>   	max_connections = 16
>>>>>   	lifetime = 0
>>>>>   	idle_timeout = 30
>>>>>   }
>>>>>  }
>>>>>  client localhost_ipv6 {
>>>>>  	ipv6addr = ::1
>>>>>  	require_message_authenticator = no
>>>>>  	secret = <<< secret >>>
>>>>>   limit {
>>>>>   	max_connections = 16
>>>>>   	lifetime = 0
>>>>>   	idle_timeout = 30
>>>>>   }
>>>>>  }
>>>>> Debugger not attached
>>>>>  # Creating Auth-Type = mschap
>>>>>  # Creating Auth-Type = digest
>>>>>  # Creating Auth-Type = eap
>>>>>  # Creating Auth-Type = PAP
>>>>>  # Creating Auth-Type = CHAP
>>>>>  # Creating Auth-Type = MS-CHAP
>>>>>  # Creating Auth-Type = opendirectory
>>>>> radiusd: #### Instantiating modules ####
>>>>>  modules {
>>>>>   # Loaded module rlm_always
>>>>>   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always reject {
>>>>>   	rcode = "reject"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always fail {
>>>>>   	rcode = "fail"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always ok {
>>>>>   	rcode = "ok"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always handled {
>>>>>   	rcode = "handled"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always invalid {
>>>>>   	rcode = "invalid"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always userlock {
>>>>>   	rcode = "userlock"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always notfound {
>>>>>   	rcode = "notfound"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always noop {
>>>>>   	rcode = "noop"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always updated {
>>>>>   	rcode = "updated"
>>>>>   	simulcount = 0
>>>>>   	mpp = no
>>>>>   }
>>>>>   # Loaded module rlm_attr_filter
>>>>>   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.post-proxy {
>>>>>   	filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>>>>>   	key = "%{Realm}"
>>>>>   	relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.pre-proxy {
>>>>>   	filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>>>>>   	key = "%{Realm}"
>>>>>   	relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.access_reject {
>>>>>   	filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>>>>>   	key = "%{User-Name}"
>>>>>   	relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.access_challenge {
>>>>>   	filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>>>>>   	key = "%{User-Name}"
>>>>>   	relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.accounting_response {
>>>>>   	filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>>>>>   	key = "%{User-Name}"
>>>>>   	relaxed = no
>>>>>   }
>>>>>   # Loaded module rlm_cache
>>>>>   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>>   cache cache_eap {
>>>>>   	driver = "rlm_cache_rbtree"
>>>>>   	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>>>>>   	ttl = 15
>>>>>   	max_entries = 0
>>>>>   	epoch = 0
>>>>>   	add_stats = no
>>>>>   }
>>>>>   # Loaded module rlm_chap
>>>>>   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>>>>>   # Loaded module rlm_date
>>>>>   # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>>>>>   date {
>>>>>   	format = "%b %e %Y %H:%M:%S %Z"
>>>>>   	utc = no
>>>>>   }
>>>>>   # Loaded module rlm_detail
>>>>>   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>>>   detail {
>>>>>   	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>>>>   	header = "%t"
>>>>>   	permissions = 384
>>>>>   	locking = no
>>>>>   	escape_filenames = no
>>>>>   	log_packet_header = no
>>>>>   }
>>>>>   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail auth_log {
>>>>>   	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>>>>>   	header = "%t"
>>>>>   	permissions = 384
>>>>>   	locking = no
>>>>>   	escape_filenames = no
>>>>>   	log_packet_header = no
>>>>>   }
>>>>>   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail reply_log {
>>>>>   	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>>>>>   	header = "%t"
>>>>>   	permissions = 384
>>>>>   	locking = no
>>>>>   	escape_filenames = no
>>>>>   	log_packet_header = no
>>>>>   }
>>>>>   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail pre_proxy_log {
>>>>>   	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>>>>>   	header = "%t"
>>>>>   	permissions = 384
>>>>>   	locking = no
>>>>>   	escape_filenames = no
>>>>>   	log_packet_header = no
>>>>>   }
>>>>>   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail post_proxy_log {
>>>>>   	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>>>>>   	header = "%t"
>>>>>   	permissions = 384
>>>>>   	locking = no
>>>>>   	escape_filenames = no
>>>>>   	log_packet_header = no
>>>>>   }
>>>>>   # Loaded module rlm_digest
>>>>>   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
>>>>>   # Loaded module rlm_dynamic_clients
>>>>>   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>>>   # Loaded module rlm_eap
>>>>>   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>>>   eap {
>>>>>   	default_eap_type = "ttls"
>>>>>   	timer_expire = 60
>>>>>   	ignore_unknown_eap_types = no
>>>>>   	cisco_accounting_username_bug = no
>>>>>   	max_sessions = 16384
>>>>>   }
>>>>>   # Loaded module rlm_exec
>>>>>   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>>>>>   exec echo {
>>>>>   	wait = yes
>>>>>   	program = "/bin/echo %{User-Name}"
>>>>>   	input_pairs = "request"
>>>>>   	output_pairs = "reply"
>>>>>   	shell_escape = yes
>>>>>   }
>>>>>   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>>>>>   exec {
>>>>>   	wait = no
>>>>>   	input_pairs = "request"
>>>>>   	shell_escape = yes
>>>>>   	timeout = 10
>>>>>   }
>>>>>   # Loaded module rlm_expiration
>>>>>   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>>>   # Loaded module rlm_expr
>>>>>   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>>>>>   expr {
>>>>>   	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>>>>>   }
>>>>>   # Loaded module rlm_files
>>>>>   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>>>   files {
>>>>>   	filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>>>>>   	acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
>>>>>   	preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>>>>>   }
>>>>>   # Loaded module rlm_linelog
>>>>>   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   linelog {
>>>>>   	filename = "/var/log/radius/linelog"
>>>>>   	escape_filenames = no
>>>>>   	syslog_severity = "info"
>>>>>   	permissions = 384
>>>>>   	format = "This is a log message for %{User-Name}"
>>>>>   	reference = "messages.%{%{reply:Packet-Type}:-default}"
>>>>>   }
>>>>>   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   linelog log_accounting {
>>>>>   	filename = "/var/log/radius/linelog-accounting"
>>>>>   	escape_filenames = no
>>>>>   	syslog_severity = "info"
>>>>>   	permissions = 384
>>>>>   	format = ""
>>>>>   	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>>>>>   }
>>>>>   # Loaded module rlm_logintime
>>>>>   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>>>   logintime {
>>>>>   	minimum_timeout = 60
>>>>>   }
>>>>>   # Loaded module rlm_mschap
>>>>>   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>>>   mschap {
>>>>>   	use_mppe = yes
>>>>>   	require_encryption = no
>>>>>   	require_strong = no
>>>>>   	with_ntdomain_hack = yes
>>>>>    passchange {
>>>>>    }
>>>>>   	allow_retry = yes
>>>>>   	winbind_retry_with_normalised_username = no
>>>>>   	use_open_directory = yes
>>>>>   }
>>>>>   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>>>   exec ntlm_auth {
>>>>>   	wait = yes
>>>>>   	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>>>>>   	shell_escape = yes
>>>>>   }
>>>>>   # Loaded module rlm_opendirectory
>>>>>   # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>>>   # Loaded module rlm_pap
>>>>>   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>>>   pap {
>>>>>   	normalise = yes
>>>>>   }
>>>>>   # Loaded module rlm_passwd
>>>>>   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>>>   passwd etc_passwd {
>>>>>   	filename = "/etc/passwd"
>>>>>   	format = "*User-Name:Crypt-Password:"
>>>>>   	delimiter = ":"
>>>>>   	ignore_nislike = no
>>>>>   	ignore_empty = yes
>>>>>   	allow_multiple_keys = no
>>>>>   	hash_size = 100
>>>>>   }
>>>>>   # Loaded module rlm_preprocess
>>>>>   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>>   preprocess {
>>>>>   	huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>>>>>   	hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>>>>>   	with_ascend_hack = no
>>>>>   	ascend_channels_per_line = 23
>>>>>   	with_ntdomain_hack = no
>>>>>   	with_specialix_jetstream_hack = no
>>>>>   	with_cisco_vsa_hack = no
>>>>>   	with_alvarion_vsa_hack = no
>>>>>   }
>>>>>   # Loaded module rlm_radutmp
>>>>>   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
>>>>>   radutmp {
>>>>>   	filename = "/var/log/radius/radutmp"
>>>>>   	username = "%{User-Name}"
>>>>>   	case_sensitive = yes
>>>>>   	check_with_nas = yes
>>>>>   	permissions = 384
>>>>>   	caller_id = yes
>>>>>   }
>>>>>   # Loaded module rlm_realm
>>>>>   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm IPASS {
>>>>>   	format = "prefix"
>>>>>   	delimiter = "/"
>>>>>   	ignore_default = no
>>>>>   	ignore_null = no
>>>>>   }
>>>>>   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm suffix {
>>>>>   	format = "suffix"
>>>>>   	delimiter = "@"
>>>>>   	ignore_default = no
>>>>>   	ignore_null = no
>>>>>   }
>>>>>   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm realmpercent {
>>>>>   	format = "suffix"
>>>>>   	delimiter = "%"
>>>>>   	ignore_default = no
>>>>>   	ignore_null = no
>>>>>   }
>>>>>   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm ntdomain {
>>>>>   	format = "prefix"
>>>>>   	delimiter = "\\"
>>>>>   	ignore_default = no
>>>>>   	ignore_null = no
>>>>>   }
>>>>>   # Loaded module rlm_replicate
>>>>>   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
>>>>>   # Loaded module rlm_soh
>>>>>   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>>>>>   soh {
>>>>>   	dhcp = yes
>>>>>   }
>>>>>   # Loaded module rlm_sql
>>>>>   # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>>>   sql {
>>>>>   	driver = "rlm_sql_sqlite"
>>>>>   	server = ""
>>>>>   	port = 0
>>>>>   	login = ""
>>>>>   	password = <<< secret >>>
>>>>>   	radius_db = "radius"
>>>>>   	read_groups = yes
>>>>>   	read_profiles = yes
>>>>>   	read_clients = yes
>>>>>   	delete_stale_sessions = yes
>>>>>   	sql_user_name = "%{User-Name}"
>>>>>   	default_user_profile = ""
>>>>>   	client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>>>>>   	authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>>>   	authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>>>   	authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>>>   	authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>>>   	group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
>>>>>   	simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
>>>>>   	simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
>>>>>   	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>>>>    accounting {
>>>>>    	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
>>>>>     type {
>>>>>      accounting-on {
>>>>>      	query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime	= (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>>>      }
>>>>>      accounting-off {
>>>>>      	query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime	= (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>>>      }
>>>>>      start {
>>>>>      	query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
>>>>>      }
>>>>>      interim-update {
>>>>>      	query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>>>      }
>>>>>      stop {
>>>>>      	query = "UPDATE radacct SET acctstoptime	= %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime	= %{%{Acct-Session-Time}:-NULL}, acctinputoctets	= %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>>>      }
>>>>>     }
>>>>>    }
>>>>>    post-auth {
>>>>>    	reference = ".query"
>>>>>    	query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
>>>>>    }
>>>>>   }
>>>>> rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
>>>>> Creating attribute SQL-Group
>>>>>   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>>>   radutmp sradutmp {
>>>>>   	filename = "/var/log/radius/sradutmp"
>>>>>   	username = "%{User-Name}"
>>>>>   	case_sensitive = yes
>>>>>   	check_with_nas = yes
>>>>>   	permissions = 420
>>>>>   	caller_id = no
>>>>>   }
>>>>>   # Loaded module rlm_unix
>>>>>   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>>>>>   unix {
>>>>>   	radwtmp = "/var/log/radius/radwtmp"
>>>>>   }
>>>>> Creating attribute Unix-Group
>>>>>   # Loaded module rlm_unpack
>>>>>   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
>>>>>   # Loaded module rlm_utf8
>>>>>   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>>>>>   instantiate {
>>>>>   }
>>>>>   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
>>>>>   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
>>>>>   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
>>>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" 	found in filter list for realm "DEFAULT". 
>>>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" 	found in filter list for realm "DEFAULT". 
>>>>>   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
>>>>>   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
>>>>>   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>>>>>   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>>>   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>>>>>   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>>>    # Linked to sub-module rlm_eap_md5
>>>>>    # Linked to sub-module rlm_eap_leap
>>>>>    # Linked to sub-module rlm_eap_gtc
>>>>>    gtc {
>>>>>    	challenge = "Password: "
>>>>>    	auth_type = "PAP"
>>>>>    }
>>>>>    # Linked to sub-module rlm_eap_tls
>>>>>    tls {
>>>>>    	tls = "tls-common"
>>>>>    }
>>>>>    tls-config tls-common {
>>>>>    	verify_depth = 0
>>>>>    	ca_path = "/usr/local/etc/raddb/certs"
>>>>>    	pem_file_type = yes
>>>>>    	private_key_file = "/usr/local/etc/raddb/certs/server.key"
>>>>>    	certificate_file = "/usr/local/etc/raddb/certs/server.crt"
>>>>>    	ca_file = "/usr/local/etc/raddb/certs/ca.pem"
>>>>>    	dh_file = "/usr/local/etc/raddb/certs/dh"
>>>>>    	random_file = "/dev/urandom"
>>>>>    	fragment_size = 1024
>>>>>    	include_length = yes
>>>>>    	auto_chain = yes
>>>>>    	check_crl = no
>>>>>    	check_all_crl = no
>>>>>    	cipher_list = "DEFAULT"
>>>>>    	cipher_server_preference = no
>>>>>    	ecdh_curve = "prime256v1"
>>>>>    	tls_max_version = ""
>>>>>    	tls_min_version = "1.0"
>>>>>     cache {
>>>>>     	enable = no
>>>>>     	lifetime = 24
>>>>>     	max_entries = 255
>>>>>     }
>>>>>     verify {
>>>>>     	skip_if_ocsp_ok = no
>>>>>     }
>>>>>     ocsp {
>>>>>     	enable = no
>>>>>     	override_cert_url = yes
>>>>>     	url = "http://127.0.0.1/ocsp/"
>>>>>     	use_nonce = yes
>>>>>     	timeout = 0
>>>>>     	softfail = no
>>>>>     }
>>>>>    }
>>>>>    # Linked to sub-module rlm_eap_ttls
>>>>>    ttls {
>>>>>    	tls = "tls-common"
>>>>>    	default_eap_type = "mschapv2"
>>>>>    	copy_request_to_tunnel = no
>>>>>    	use_tunneled_reply = no
>>>>>    	virtual_server = "inner-tunnel"
>>>>>    	include_length = yes
>>>>>    	require_client_cert = no
>>>>>    }
>>>>> tls: Using cached TLS configuration from previous invocation
>>>>>    # Linked to sub-module rlm_eap_peap
>>>>>    peap {
>>>>>    	tls = "tls-common"
>>>>>    	default_eap_type = "mschapv2"
>>>>>    	copy_request_to_tunnel = no
>>>>>    	use_tunneled_reply = no
>>>>>    	proxy_tunneled_request_as_eap = yes
>>>>>    	virtual_server = "inner-tunnel"
>>>>>    	soh = no
>>>>>    	require_client_cert = no
>>>>>    }
>>>>> tls: Using cached TLS configuration from previous invocation
>>>>>    # Linked to sub-module rlm_eap_mschapv2
>>>>>    mschapv2 {
>>>>>    	with_ntdomain_hack = no
>>>>>    	send_error = no
>>>>>    }
>>>>>   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>>>   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
>>>>>   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>>>   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>>> rlm_mschap (mschap): using internal authentication
>>>>>   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>>>   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>>> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>>>>>   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>>>>>   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>>> rlm_sql_sqlite: libsqlite version: 3.19.3
>>>>>    sqlite {
>>>>>    	filename = "/var/db/radius/freeradius.db"
>>>>>    	busy_timeout = 200
>>>>>    }
>>>>> rlm_sql (sql): Attempting to connect to database "radius"
>>>>> rlm_sql (sql): Initialising connection pool
>>>>>    pool {
>>>>>    	start = 5
>>>>>    	min = 3
>>>>>    	max = 32
>>>>>    	spare = 10
>>>>>    	uses = 0
>>>>>    	lifetime = 0
>>>>>    	cleanup_interval = 30
>>>>>    	idle_timeout = 60
>>>>>    	retry_delay = 30
>>>>>    	spread = no
>>>>>    }
>>>>> rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Processing generate_sql_clients
>>>>> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
>>>>> rlm_sql (sql): Reserved connection (0)
>>>>> rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
>>>>> rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
>>>>> rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
>>>>> rlm_sql (sql): Released connection (0)
>>>>> Need 5 more connections to reach 10 spares
>>>>> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>>  } # modules
>>>>> radiusd: #### Loading Virtual Servers ####
>>>>> server { # from file /usr/local/etc/raddb/radiusd.conf
>>>>> } # server
>>>>> server default { # from file /usr/local/etc/raddb/sites-enabled/default
>>>>>  # Loading authenticate {...}
>>>>>  # Loading authorize {...}
>>>>>  # Loading preacct {...}
>>>>>  # Loading accounting {...}
>>>>>  # Loading post-proxy {...}
>>>>>  # Loading post-auth {...}
>>>>> } # server default
>>>>> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>>>  # Loading authenticate {...}
>>>>>  # Loading authorize {...}
>>>>> Ignoring "ldap" (see raddb/mods-available/README.rst)
>>>>>  # Loading session {...}
>>>>>  # Loading post-proxy {...}
>>>>>  # Loading post-auth {...}
>>>>>  # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
>>>>> } # server inner-tunnel
>>>>> radiusd: #### Opening IP addresses and Ports ####
>>>>> listen {
>>>>>   	type = "auth"
>>>>>   	ipaddr = *
>>>>>   	port = 0
>>>>>    limit {
>>>>>    	max_connections = 16
>>>>>    	lifetime = 0
>>>>>    	idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   	type = "acct"
>>>>>   	ipaddr = *
>>>>>   	port = 0
>>>>>    limit {
>>>>>    	max_connections = 16
>>>>>    	lifetime = 0
>>>>>    	idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   	type = "auth"
>>>>>   	ipv6addr = ::
>>>>>   	port = 0
>>>>>    limit {
>>>>>    	max_connections = 16
>>>>>    	lifetime = 0
>>>>>    	idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   	type = "acct"
>>>>>   	ipv6addr = ::
>>>>>   	port = 0
>>>>>    limit {
>>>>>    	max_connections = 16
>>>>>    	lifetime = 0
>>>>>    	idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   	type = "auth"
>>>>>   	ipaddr = 127.0.0.1
>>>>>   	port = 18120
>>>>> }
>>>>> Listening on auth address * port 1812 bound to server default
>>>>> Listening on acct address * port 1813 bound to server default
>>>>> Listening on auth address :: port 1812 bound to server default
>>>>> Listening on acct address :: port 1813 bound to server default
>>>>> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>>>>> Listening on proxy address * port 59453
>>>>> Listening on proxy address :: port 59454
>>>>> Ready to process requests
>>>>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>>>>> (0)   Service-Type = Framed-User
>>>>> (0)   Framed-Protocol = PPP
>>>>> (0)   User-Name = "eric"
>>>>> (0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
>>>>> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
>>>>> (0)   NAS-IP-Address = 127.0.1.1
>>>>> (0)   NAS-Port = 0
>>>>> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>>>>> (0)   authorize {
>>>>> (0)     policy filter_username {
>>>>> (0)       if (&User-Name) {
>>>>> (0)       if (&User-Name)  -> TRUE
>>>>> (0)       if (&User-Name)  {
>>>>> (0)         if (&User-Name =~ / /) {
>>>>> (0)         if (&User-Name =~ / /)  -> FALSE
>>>>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>>>> (0)         if (&User-Name =~ /\.\./ ) {
>>>>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>>>>> (0)         if (&User-Name =~ /\.$/)  {
>>>>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>>>>> (0)         if (&User-Name =~ /@\./)  {
>>>>> (0)         if (&User-Name =~ /@\./)   -> FALSE
>>>>> (0)       } # if (&User-Name)  = notfound
>>>>> (0)     } # policy filter_username = notfound
>>>>> (0)     [preprocess] = ok
>>>>> (0)     [chap] = noop
>>>>> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>>>>> (0)     [mschap] = ok
>>>>> (0)     [digest] = noop
>>>>> (0) suffix: Checking for suffix after "@"
>>>>> (0) suffix: No '@' in User-Name = "eric", looking up realm NULL
>>>>> (0) suffix: No such realm "NULL"
>>>>> (0)     [suffix] = noop
>>>>> (0) eap: No EAP-Message, not doing EAP
>>>>> (0)     [eap] = noop
>>>>> (0) files: users: Matched entry DEFAULT at line 181
>>>>> (0)     [files] = ok
>>>>> (0) opendirectory: The host 192.168.1.1 does not have an access group.
>>>>> (0)     [opendirectory] = ok
>>>>> (0) sql: EXPAND %{User-Name}
>>>>> (0) sql:    --> eric
>>>>> (0) sql: SQL-User-Name set to 'eric'
>>>>> rlm_sql (sql): Reserved connection (1)
>>>>> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>>>>> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>>>> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>>>> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
>>>>> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>>>> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>>>> (0) sql: User not found in any groups
>>>>> rlm_sql (sql): Released connection (1)
>>>>> Need 4 more connections to reach 10 spares
>>>>> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> (0)     [sql] = notfound
>>>>> (0)     [expiration] = noop
>>>>> (0)     [logintime] = noop
>>>>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
>>>>> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
>>>>> (0)     [pap] = noop
>>>>> (0)   } # authorize = ok
>>>>> (0) Found Auth-Type = mschap
>>>>> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>>>> (0)   authenticate {
>>>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>>>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>>>>> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
>>>>> (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) 
>>>>> (0) mschap:   Stepbuf server challenge : 
>>>>> ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
>>>>> (0) mschap:   Stepbuf peer challenge   : 
>>>>> ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
>>>>> (0) mschap:   Stepbuf p24              : 
>>>>> 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
>>>>> (0)     [mschap] = ok
>>>>> (0)   } # authenticate = ok
>>>>> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
>>>>> (0)   post-auth {
>>>>> (0)     update {
>>>>> (0)       No attributes updated
>>>>> (0)     } # update = noop
>>>>> (0) sql: EXPAND .query
>>>>> (0) sql:    --> .query
>>>>> (0) sql: Using query template 'query'
>>>>> rlm_sql (sql): Reserved connection (2)
>>>>> (0) sql: EXPAND %{User-Name}
>>>>> (0) sql:    --> eric
>>>>> (0) sql: SQL-User-Name set to 'eric'
>>>>> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
>>>>> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>>>> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>>>> (0) sql: SQL query returned: success
>>>>> (0) sql: 1 record(s) updated
>>>>> rlm_sql (sql): Released connection (2)
>>>>> (0)     [sql] = ok
>>>>> (0)     [exec] = noop
>>>>> (0)     policy remove_reply_message_if_eap {
>>>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>>>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>>>>> (0)       else {
>>>>> (0)         [noop] = noop
>>>>> (0)       } # else = noop
>>>>> (0)     } # policy remove_reply_message_if_eap = noop
>>>>> (0)   } # post-auth = ok
>>>>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
>>>>> (0)   Framed-Protocol = PPP
>>>>> (0)   Framed-Compression = Van-Jacobson-TCP-IP
>>>>> (0) Finished request
>>>>> Waking up in 4.9 seconds.
>>>>> (0) Cleaning up request packet ID 0 with timestamp +27
>>>>> Ready to process requests
>>>>> 
>>>>> 
>>>>>> On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric at wittle.net> wrote:
>>>>>> 
>>>>>> I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf, pages 12-16), authentication fails. 
>>>>>> 
>>>>>> I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
>>>>>> 
>>>>>> Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
>>>>>> 
>>>>>> Thanks in advance.
>>>>>> 
>>>>>> -Eric 
>>>>>> 
>>>>>> <debugfile>
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
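Added example (not part of the original thread and not FreeRADIUS code): a small Python summarizer for `radiusd -X` output like the debug log quoted above, which groups lines by request number and reports the final reply together with the first module that failed. The sample input is constructed in the style of this thread's log; request 2's `[mschap] = fail` and Access-Reject lines are assumptions built around the error string from the original report.

```python
import re

# Constructed sample. Request 0 follows the accepted request quoted in this thread;
# request 2 is a constructed failure (assumed lines) around the reported error string.
# Mail quote prefixes are left on some lines to show that they are stripped.
SAMPLE = """\
>>>>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>>>>> (0)   User-Name = "eric"
>>>>> (0)   authorize {
>>>>> (0)     [preprocess] = ok
>>>>> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>>>>> (0)     [mschap] = ok
>>>>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
>>>>> (0)     [pap] = noop
>>>>> (0)   } # authorize = ok
>>>>> (0) Found Auth-Type = mschap
>>>>> (0)   authenticate {
>>>>> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
>>>>> (0)     [mschap] = ok
>>>>> (0)   } # authenticate = ok
>>>>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(2) Received Access-Request Id 2 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(2)   User-Name = "eric"
(2)   authorize {
(2)     [mschap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = mschap
(2)   authenticate {
(2) mschap: ERROR: (null): status = eServerError
(2)     [mschap] = fail
(2)   } # authenticate = fail
(2) Failed to authenticate the user
(2) Sent Access-Reject Id 2 from 192.168.1.2:1812 to 192.168.1.1:57936 length 20
"""

QUOTE = re.compile(r"^(?:>\s?)+")                      # mail quoting such as ">>>>> "
REQ = re.compile(r"^\((\d+)\)\s+(.*)$")                # "(N) ..." request-scoped lines
PACKET = re.compile(r"^(Received|Sent) (\S+) Id \d+ from \S+ to \S+ length \d+")
SECTIONS = r"(authorize|authenticate|post-auth|Post-Auth-Type \w+)"
OPEN = re.compile(r"^" + SECTIONS + r" \{$")
CLOSE = re.compile(r"^\} # " + SECTIONS + r" = (\w+)$")
MODULE_RC = re.compile(r"^\[([^\]]+)\] = (\w+)$")
USER = re.compile(r'^User-Name = "(.*)"$')
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)$")
PROBLEM = re.compile(r"^([\w.-]+): (ERROR|WARNING): (.*)$")
FAILING = {"reject", "fail", "invalid", "userlock"}    # return codes that end in a reject


def parse_debug(text):
    """Group `radiusd -X` lines by request number and keep the decision trail."""
    requests = {}
    for raw in text.splitlines():
        m = REQ.match(QUOTE.sub("", raw).strip())
        if not m:
            continue  # server-wide lines (module loading, SQL pool) have no request number
        num, body = int(m.group(1)), m.group(2).strip()
        req = requests.setdefault(num, {
            "user": None, "auth_type": None, "section": None,
            "modules": [], "sections": {}, "problems": [], "reply": None,
        })
        if (p := PACKET.match(body)):
            if p.group(1) == "Sent":
                req["reply"] = p.group(2)
        elif (o := OPEN.match(body)):
            req["section"] = o.group(1)
        elif (c := CLOSE.match(body)):
            req["sections"][c.group(1)] = c.group(2)
            req["section"] = None
        elif (r := MODULE_RC.match(body)):
            req["modules"].append((req["section"], r.group(1), r.group(2)))
        elif (a := AUTH_TYPE.match(body)):
            req["auth_type"] = a.group(1)
        elif (u := USER.match(body)):
            if req["user"] is None:        # first User-Name is the one in the request
                req["user"] = u.group(1)
        elif (w := PROBLEM.match(body)):
            req["problems"].append((w.group(1), w.group(2), w.group(3)))
    return requests


def explain(req):
    """Return (reply packet type, 'section/module=rc' of the first failure or None)."""
    for section, module, rc in req["modules"]:
        if rc in FAILING:
            return req["reply"], f"{section}/{module}={rc}"
    return req["reply"], None


if __name__ == "__main__":
    for num, req in sorted(parse_debug(SAMPLE).items()):
        reply, failed = explain(req)
        print(f"({num}) user={req['user']} auth_type={req['auth_type']} "
              f"reply={reply} first_failure={failed}")
        for module, level, msg in req["problems"]:
            print(f"      {level} from {module}: {msg}")
```

Feeding it the full debug capture from the server shows, per request, whether the server itself sent Access-Accept or Access-Reject, which separates a server-side failure from one on the NAS side.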


