cisco phones
Vacheslav
m_zouhairy at skno.by
Thu Feb 1 07:14:53 CET 2018
Well diamonds to swine are worthless but crap is worthy to them.
I tried to stop FreeRADIUS and it failed to stop; status revealed that it had crashed!
However, radiusd -X worked.
SELECT * FROM radcheck;
+----+-------------------------+--------------------+----+----------------------------+
| id | username                | attribute          | op | value                      |
+----+-------------------------+--------------------+----+----------------------------+
| 50 | CP-3905-SEP2C0BA7291783 | Cleartext-Password | := | communistssuck             |
| 60 | CP-3905-SEP2C0BA7291783 | Cisco-AVPair       | := | device-traffic-class=voice |
+----+-------------------------+--------------------+----+----------------------------+
SELECT * FROM radreply;
+----+-------------------------+-------------------------+----+----------+
| id | username                | attribute               | op | value    |
+----+-------------------------+-------------------------+----+----------+
|  7 | CP-3905-SEP2C0BA7291783 | Tunnel-Type             | := | VLAN     |
|  8 | CP-3905-SEP2C0BA7291783 | Tunnel-Medium-Type      | := | IEEE-802 |
|  9 | CP-3905-SEP2C0BA7291783 | Tunnel-Private-Group-Id | := | 23       |
+----+-------------------------+-------------------------+----+----------+
FreeRADIUS Version 3.0.15
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/sql
including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/expiration
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/abfab-tr
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sql.conf
main {
security {
user = "radius"
group = "radius"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib"
logdir = "/var/log/radius"
run_dir = "/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/run/radiusd"
libdir = "/usr/lib64"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client Switch {
ipv4addr = 10.0.0.143/24
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
instantiate {
}
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.29-MariaDB
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 55989
Listening on proxy address :: port 60892
Ready to process requests
(0) Received Access-Request Id 88 from 10.0.0.143:1645 to 10.0.11.117:1812 length 186
(0) User-Name = "CP-3905-SEP2C0BA7291783"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1500
(0) Called-Station-Id = "AC-7E-8A-EB-86-2D"
(0) Calling-Station-Id = "2C-0B-E9-04-28-92"
(0) EAP-Message = 0x0201001c0143502d333930352d534550324330424539303432383932
(0) Message-Authenticator = 0x13fbef916e14dd6489ff6407f194d7b4
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50145
(0) NAS-Port-Id = "GigabitEthernet1/0/45"
(0) NAS-IP-Address = 10.0.0.143
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "CP-3905-SEP2C0BA7291783", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 28
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0xa79cd138a79ed587
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 88 from 10.0.11.117:1812 to 10.0.0.143:1645 length 0
(0) EAP-Message = 0x010200160410e487f4dfe24e098ca725b6e6ef54b9d6
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xa79cd138a79ed5872e402a36c30c6a20
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 89 from 10.0.0.143:1645 to 10.0.11.117:1812 length 186
(1) User-Name = "CP-3905-SEP2C0BA7291783"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1500
(1) Called-Station-Id = "AC-7E-8A-EB-86-2D"
(1) Calling-Station-Id = "2C-0B-E9-04-28-92"
(1) EAP-Message = 0x0201001c0143502d333930352d534550324330424539303432383932
(1) Message-Authenticator = 0x4d05f2913326ddfcac12288c5212127d
(1) NAS-Port-Type = Ethernet
(1) NAS-Port = 50145
(1) NAS-Port-Id = "GigabitEthernet1/0/45"
(1) NAS-IP-Address = 10.0.0.143
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "CP-3905-SEP2C0BA7291783", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 28
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_md5 to process data
(1) eap_md5: Issuing MD5 Challenge
(1) eap: Sending EAP Request (code 1) ID 2 length 22
(1) eap: EAP session adding &reply:State = 0x84360afd84340efc
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 89 from 10.0.11.117:1812 to 10.0.0.143:1645 length 0
(1) EAP-Message = 0x010200160410042e6e06c3809c1cff134b2787fb6291
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x84360afd84340efcda38388a1765ed18
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 90 from 10.0.0.143:1645 to 10.0.11.117:1812 length 198
(2) User-Name = "CP-3905-SEP2C0BA7291783"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) Called-Station-Id = "AC-7E-8A-EB-86-2D"
(2) Calling-Station-Id = "2C-0B-E9-04-28-92"
(2) EAP-Message = 0x020200160410925c98c49db5167473e9f3c43f9909db
(2) Message-Authenticator = 0x9755a81d5fcd90df4e51a08e2cd143a9
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50145
(2) NAS-Port-Id = "GigabitEthernet1/0/45"
(2) State = 0x84360afd84340efcda38388a1765ed18
(2) NAS-IP-Address = 10.0.0.143
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "CP-3905-SEP2C0BA7291783", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 22
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) sql: EXPAND %{User-Name}
(2) sql: --> CP-3905-SEP2C0BA7291783
(2) sql: SQL-User-Name set to 'CP-3905-SEP2C0BA7291783'
rlm_sql (sql): Reserved connection (0)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: User found in radcheck table
(2) sql: Conditional check items matched, merging assignment check items
(2) sql: Cleartext-Password := "communistssuck"
(2) sql: Cisco-AVPair := "device-traffic-class=voice"
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: ERROR: Failed to create the pair: Invalid character ' ' in attribute
(2) sql: ERROR: Error parsing user data from database result
(2) sql: ERROR: SQL query error getting reply attributes
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
(2) [sql] = fail
(2) } # authorize = fail
(2) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2C0BA7291783/<via Auth-Type = eap>] (from client Switch port 50145 cli 2C-0B-E9-04-28-92)
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) sql: EXPAND .query
(2) sql: --> .query
(2) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(2) sql: EXPAND %{User-Name}
(2) sql: --> CP-3905-SEP2C0BA7291783
(2) sql: SQL-User-Name set to 'CP-3905-SEP2C0BA7291783'
(2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(2) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'CP-3905-SEP2C0BA7291783', '', 'Access-Reject', '2018-02-01 08:33:08')
(2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'CP-3905-SEP2C0BA7291783', '', 'Access-Reject', '2018-02-01 08:33:08')
(2) sql: SQL query returned: success
(2) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(2) [sql] = ok
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> CP-3905-SEP2C0BA7291783
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) eap: Expiring EAP session with state 0xa79cd138a79ed587
(2) eap: Finished EAP session with state 0x84360afd84340efc
(2) eap: Previous EAP request found for state 0x84360afd84340efc, released from the list
(2) eap: Request was previously rejected, inserting EAP-Failure
(2) eap: Sending EAP Failure (code 4) ID 2 length 4
(2) [eap] = updated
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2C0BA7291783/<via Auth-Type = eap>] (from client Switch port 50145 cli 2C-0B-E9-04-28-92)
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 90 from 10.0.11.117:1812 to 10.0.0.143:1645 length 44
(2) EAP-Message = 0x04020004
(2) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 88 with timestamp +44
(1) Cleaning up request packet ID 89 with timestamp +44
(2) Cleaning up request packet ID 90 with timestamp +44
Ready to process requests
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, January 31, 2018 1:13 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: cisco phones
>hi,
>freeradius debug
>radiusd -X
>from the very start to the final packet sent back to the NAS.
> i dont care about cisco debug.
That's a lie!
alan
On 31 January 2018 at 08:10, Vacheslav <m_zouhairy at skno.by> wrote:
> Did you mean a radius debug?... I thought of a cisco debug. I am sure
> about freeradius like you most likely haven't heard of Dr. Bob Beck's
> purifier.
> I changed the following to reply attributes:
> Tunnel-Type:=VLAN
> Tunnel-Medium-Type:= IEEE-802
> Tunnel-Private-Group-Id:=23
>
> Got:
>
> Auth: (192) Invalid user (sql: Failed to create the pair: Invalid
> character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via
> Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83)
> Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to
> create the pair: Invalid character ' ' in attribute):
> [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client
> Switch port 50145 cli 2D1B-E9-04-29-83)
>
> Cisco output:
>
> 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating
> client 0x36000F6B (2c0b.e904.2892)
> 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already
> authenticating client 0x36000F6B (2c0b.e904.2892)
> 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting
> QUIET_WHILE_EXPIRE on Client 0x36000F6B
> 381358: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state
> auth_held, got event 5(quietWhile_expire)
> 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held ->
> auth_restart
> 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_exit called
> 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_restart_enter called
> 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new
> context event to EAP for 0x36000F6B (2c0b.e904.2892)
> 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_restart_action called
> 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART
> on Client 0x36000F6B
> 381365: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state
> auth_restart, got event 6(no_eapRestart)
> 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart ->
> auth_connecting
> 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_connecting_enter called
> 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_restart_connecting_action
> called
> 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on
> Client 0x36000F6B
> 381370: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state
> auth_connecting, got event 10(eapReq_no_reAuthMax)
> 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting
> -> auth_authenticating
> 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authenticating_enter
> called
> 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_connecting_authenticating_action called
> 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START
> for 0x36000F6B
> 381375: Jan 30 17:44:11.045: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_idle, got event 4(eapReq_authStart)
> 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_idle
> -> auth_bend_request
> 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_enter called
> 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> 2c0b.e904.2892
> 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381380: Jan 30 17:44:11.049:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx
> 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3 type: 0x0 length:
> 0x0005
> 381384: Jan 30 17:44:11.049: EAP code: 0x1 id: 0x3 length: 0x0005 type:
> 0x1
> 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x36000F6B (2c0b.e904.2892)
> 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_idle_request_action
> called
> 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL
> pkt on Authenticator Q
> 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the
> global authenticator queue
> 381390: Jan 30 17:44:11.052: EAPOL pak dump rx
> 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length:
> 0x001C
> 381392: Jan 30 17:44:11.052: dot1x-ev:
> dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28
>
> 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL
> frame
> 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr
> =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type =
> 888e.0100.001c
> 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP
> packet
> 381396: Jan 30 17:44:11.052: EAPOL pak dump rx
> 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length:
> 0x001C
> 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP
> packet from 2c0b.e904.2892
> 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for
> 0x36000F6B
> 381400: Jan 30 17:44:11.052: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 6(eapolEap)
> 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_response
> 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_enter called
> 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer:
> Response sent to the server from 0x36000F6B (2c0b.e904.2892)
> 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_response_action called
> 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for
> 0x36000F6B
> 381406: Jan 30 17:44:11.063: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_response, got event 7(eapReq)
> 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_response -> auth_bend_request
> 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_exit called
> 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_enter called
> 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> 2c0b.e904.2892
> 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381412: Jan 30 17:44:11.063:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx
> 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3 type: 0x0 length:
> 0x0016
> 381416: Jan 30 17:44:11.063: EAP code: 0x1 id: 0x4 length: 0x0016 type:
> 0x4
> 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x36000F6B (2c0b.e904.2892)
> 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_request_action called
> 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL
> pkt on Authenticator Q
> 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the
> global authenticator queue
> 381422: Jan 30 17:44:11.066: EAPOL pak dump rx
> 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1 type: 0x0 length:
> 0x0016
> 381424: Jan 30 17:44:11.066: dot1x-ev:
> dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22
>
> 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL
> frame
> 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr
> =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type =
> 888e.0100.0016
> 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP
> packet
> 381428: Jan 30 17:44:11.070: EAPOL pak dump rx
> 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1 type: 0x0 length:
> 0x0016
> 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP
> packet from 2c0b.e904.2892
> 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for
> 0x36000F6B
> 381432: Jan 30 17:44:11.070: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 6(eapolEap)
> 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_response
> 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_enter called Switch#
> 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer:
> Response sent to the server from 0x36000F6B (2c0b.e904.2892)
> 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_response_action called
> 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for
> 0x31000F6C
> 381438: Jan 30 17:44:11.489: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 7(eapReq)
> 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_request
> 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45):
> 0x31000F6C:auth_bend_request_request_action called
> 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45):
> 0x31000F6C:auth_bend_request_enter called
> 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> c46e.1f05.8999
> 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381444: Jan 30 17:44:11.489:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx
> 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3 type: 0x0 length:
> 0x0005
> 381448: Jan 30 17:44:11.489: EAP code: 0x1 id: 0x1 length: 0x0005 type:
> 0x1
> 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x31000F6C (c46e.1f05.8999)
> 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail
> 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for
> 0x36000F6B
> 381452: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_response, got event 10(eapFail)
> 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_response -> auth_bend_fail
> 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_exit called
> 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_fail_enter called
> 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_fail_action called
> 381457: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: idle during
> state auth_bend_fail
> 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_fail
> -> auth_bend_idle
> 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_idle_enter called
> 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on
> Client 0x36000F6B
> 381461: Jan 30 17:44:12.087: dot1x_auth Gi1/0/45: during state
> auth_authenticating, got event 15(authFail)
> 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45:
> auth_authenticating
> -> auth_authc_result
> 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authenticating_exit
> called
> 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authc_result_enter called
> 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for
> client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID
> 0A6000FC0001DEAA32DDD387
> 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to
> Auth Mgr for 2c0b.e904.2892
> 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result
> 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45
> AuditSessionID 0A6000FC0001DEAA32DDD387
> 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or
> unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45
> AuditSessionID
> 0A6000FC0001DEAA32DDD387
> 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client
> 2c0b.e904.2892 successfully retrieved
> 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail
> for the client 0x36000F6B (2c0b.e904.2892)
> 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on
> Client 0x36000F6B
> 381472: Jan 30 17:44:12.091: dot1x_auth Gi1/0/45: during state
> auth_authc_result, got event 22(authzFail)
> 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45:
> auth_authc_result -> auth_held
> 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_enter called
> 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> 2c0b.e904.2892
> Switch#
> 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381477: Jan 30 17:44:12.091:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx
> 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3 type: 0x0 length:
> 0x0004
> 381481: Jan 30 17:44:12.091: EAP code: 0x4 id: 0x4 length: 0x0004
> 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x36000F6B (2c0b.e904.2892)
>
> Actual values have been substituted from ill hackers especially those
> communists
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> skno.by at lists.freeradius.org] On Behalf Of Alan Buxey
> Sent: Tuesday, January 30, 2018 3:58 PM
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: RE: cisco phones
>
> >Are you sure that you don't want these to be reply attributes? Show
> >debug
> to see what's coming through.
>
> alan
>
> On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy at skno.by> wrote:
>
> > Thanks for the tip.
> > According to https://supportforums.cisco.com/t5/other-security-
> > subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-
> > ph
> > one/
> > td-p/1652836
> > These need to be added
> > cisco-avpair="device-traffic-class=voice"
> > Tunnel-Type=1:VLAN
> > Tunnel-Medium-Type=1:802
> > Tunnel-Private-Group-ID=1:VOICE-LAN
> >
> > So I added them as check attributes, with := but I got:
> > Auth: (163) Invalid user (sql: Error parsing value: Unknown or
> > invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone
> > name/<via Auth-Type =
> > eap>] (from client Switch port 50145 cli mac)
> > Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error
> > parsing
> > value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type):
> > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145
> > cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does
> > not matter if I set it as a reply attribute, same error) I get:
> > Auth: (159) Invalid user (sql: Error parsing value: Unknown or
> > invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone
> > name<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> > Tue Jan 30
> > 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing
> > value: Unknown or invalid value "1:802" for attribute
> Tunnel-Medium-Type):
> > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145
> > cli
> > mac)
> > The progress is that the ip phone now shows dropping packets on the
> > voice vlan which means it accepted:
> > Tunnel-Private-Group-ID:=1:VOICE-LAN
> > After reading an email here: I'm inclined to replace ":=" with = but
> > I have a limited lunch break to test these settings each day so
> > perhaps someone who has dealt with this can save me some wasted time?
> >
> >
> > -----Original Message-----
> > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> > skno.by at lists.freeradius.org] On Behalf Of Alan DeKok
> > Sent: Friday, January 26, 2018 4:07 PM
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: cisco phones
> >
> > On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy at skno.by> wrote:
> > >
> > > I still can't authenticate the ip phones using md5 on the voice
> > > vlan,
> > they keep getting authenticated on the data vlan. I ducked ducked
> > the internet and found that:
> > > "device-traffic-class=voice:= Cisco-AVPair"
> > > Must be added. So I added it username of the ip phone in
> > > daloradius but
> > the behavior has not changed. Perhaps, that must be added manually
> > to the users file for it work. I only found documentation on how to
> > do that in cisco ACS.
> >
> > > That documentation tells you what attributes to return, and what
> > > values
> > to use for those attributes. Do the same thing in FreeRADIUS.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> >
>
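Added example, not from the thread and not part of FreeRADIUS: a short SQL session against the stock FreeRADIUS 3.x MySQL/MariaDB schema (radcheck/radreply with id, username, attribute, op, value) that reproduces the "Invalid character ' ' in attribute" failure seen in the debug output above, finds rows with stray whitespace, fixes them, and stores the voice-VLAN attributes as reply items. The username is the one from the debug output; the broken row inserted in step 1 is constructed for the demonstration.

```sql
-- Constructed example (not from the thread): reproduce, detect, fix.
-- Assumes the stock FreeRADIUS 3.x MySQL schema; username taken from the log.

-- 1. A reply row whose attribute column carries a trailing space. rlm_sql
--    parses the attribute name when building the reply and rejects it with
--    "Failed to create the pair: Invalid character ' ' in attribute".
INSERT INTO radreply (username, attribute, op, value)
VALUES ('CP-3905-SEP2C0BA7291783', 'Tunnel-Private-Group-Id ', ':=', '23');

-- 2. Detection. Note: with MySQL/MariaDB PAD SPACE collations the test
--    attribute = 'Tunnel-Private-Group-Id' still matches a value with a
--    trailing space, so compare lengths instead of strings. The brackets
--    in the output make the whitespace visible.
SELECT id, username,
       CONCAT('[', attribute, ']') AS attribute,
       CONCAT('[', op, ']')        AS op,
       CONCAT('[', value, ']')     AS value
FROM   radreply
WHERE  LENGTH(attribute) <> LENGTH(TRIM(attribute))
   OR  LENGTH(op)        <> LENGTH(TRIM(op))
   OR  LENGTH(value)     <> LENGTH(TRIM(value))
   OR  attribute LIKE '% %';
-- Run the same query against radcheck; its rows are parsed the same way.

-- 3. Fix in place. TRIM strips leading/trailing spaces only; if step 2
--    shows tabs, apply REPLACE(attribute, CHAR(9), '') first.
UPDATE radreply
SET    attribute = TRIM(attribute), op = TRIM(op), value = TRIM(value)
WHERE  LENGTH(attribute) <> LENGTH(TRIM(attribute))
   OR  LENGTH(op)        <> LENGTH(TRIM(op))
   OR  LENGTH(value)     <> LENGTH(TRIM(value));

-- 4. The attributes the thread arrives at, stored as reply items so they
--    are actually sent to the switch. radcheck rows are check items that
--    are compared against the request and never returned, which is why
--    Cisco-AVPair belongs in radreply, not radcheck.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('CP-3905-SEP2C0BA7291783', 'Tunnel-Type',        ':=', 'VLAN'),
  ('CP-3905-SEP2C0BA7291783', 'Tunnel-Medium-Type', ':=', 'IEEE-802'),
  ('CP-3905-SEP2C0BA7291783', 'Cisco-AVPair',       ':=', 'device-traffic-class=voice');
```

After the fix, the same radiusd -X run should show the radreply query followed by the three Tunnel-* items and Cisco-AVPair being added to the reply, and "[sql] = ok" instead of "[sql] = fail" in the authorize section.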