Accept PROXY protocol
Lineconnect
nabble at felix.world
Mon Aug 2 10:55:18 CEST 2021
> For anyone who wants PROXY protocol support, please try v3.0.x.
It's working in general but has sometimes problems.
In the log below the connection was established from two different sources.
One from a VPS with static IP, no NAT etc.(165.22.89.224) and the other from a laptop in my home network(77.47.68.110). The second connection attemp is causing the server to crash.
Is something like this(in this context) better suited as github issue? Of course you have much stuff to do, you're responding *for free* and it's a bit hypocratic to say it needs some hours to write a reproducable explination of the bug (escpacially with the PROXY protocol forwarder etc.), but it's much faster. If it's better as github issue, i'm going to open one.
Debug Log below. I've shortend the logs for all lines where its says 'Waking up in x.x seconds.' because its 50k less lines.
```
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/mods-available/always
including configuration file /usr/local/etc/raddb/mods-available/attr_filter
including configuration file /usr/local/etc/raddb/mods-available/date
including configuration file /usr/local/etc/raddb/mods-available/detail
including configuration file /usr/local/etc/raddb/mods-available/detail.log
including configuration file /usr/local/etc/raddb/mods-available/eap
including configuration file /usr/local/etc/raddb/mods-available/echo
including configuration file /usr/local/etc/raddb/mods-available/exec
including configuration file /usr/local/etc/raddb/mods-available/expiration
including configuration file /usr/local/etc/raddb/mods-available/expr
including configuration file /usr/local/etc/raddb/mods-available/logintime
including configuration file /usr/local/etc/raddb/mods-available/preprocess
including configuration file /usr/local/etc/raddb/mods-available/unix
including configuration file /usr/local/etc/raddb/mods-available/utf8
including configuration file /usr/local/etc/raddb/mods-available/linelog
including configuration file /usr/local/etc/raddb/mods-available/rest
including configuration file /usr/local/etc/raddb/mods-available/python3
including configuration file /usr/local/etc/raddb/mods-available/inner-eap
including configuration file /usr/local/etc/raddb/mods-available/mschap
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/sites-available/check-eap-tls
including configuration file /usr/local/etc/raddb/sites-available/virt-serv
including configuration file /usr/local/etc/raddb/sites-available/radsec-serv
including configuration file /usr/local/etc/raddb/sites-available/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/var/log/freeradius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/freeradius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/freeradius/accounting"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 5300000
postauth_client_lost = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = no
allow_vulnerable_openssl = "CVE-2016-6304"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
Found debugger attached
# Creating Auth-Type = eap
# Creating Auth-Type = inner-eap
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-available/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-available/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-available/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-available/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-available/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-available/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-available/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-available/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-available/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-available/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-available/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-available/detail
detail {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail auth_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail reply_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-available/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5300000
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-available/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-available/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-available/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-available/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-available/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-available/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-available/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-available/utf8
# Loaded module rlm_linelog
# Loading module "log_reply" from file /usr/local/etc/raddb/mods-available/linelog
linelog log_reply {
filename = "/var/log/freeradius/radius-test-detail-log.json"
escape_filenames = no
syslog_severity = "info"
permissions = 420
format = "%t Log for %{jsonquote:%{User-Name}}"
reference = "messages.%{%{reply:Packet-Type}:-format}"
}
# Loading module "log_general_message" from file /usr/local/etc/raddb/mods-available/linelog
linelog log_general_message {
filename = "/var/log/freeradius/radius-test-detail-log.json"
escape_filenames = no
syslog_severity = "info"
permissions = 420
format = "%t Log for %{jsonquote:%{User-Name}}"
reference = "messages.%{%{Packet-Type}:-format}"
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/etc/raddb/mods-available/rest
rest {
connect_timeout = 4.000000
http_negotiation = "default"
}
# Loaded module rlm_python3
# Loading module "python3" from file /usr/local/etc/raddb/mods-available/python3
python3 {
mod_instantiate = "python-magic"
func_instantiate = "instantiate"
mod_authorize = "python-magic"
func_authorize = "authorize"
mod_authenticate = "python-magic"
func_authenticate = "authenticate"
mod_post_auth = "python-magic"
func_post_auth = "post_auth"
python_path = "/etc/raddb/mods-config/python3"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = yes
}
# Loading module "inner-eap" from file /usr/local/etc/raddb/mods-available/inner-eap
eap inner-eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5300000
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-available/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-available/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-available/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-available/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
virtual_server = "check-eap-tls"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/servercert.key"
certificate_file = "/etc/raddb/servercert.pem"
ca_file = "/etc/raddb/ca.crt"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = yes
reject_unknown_intermediate_ca = no
ecdh_curve = "secp384r1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 2
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-available/expiration
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-available/logintime
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-available/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "log_reply" from file /usr/local/etc/raddb/mods-available/linelog
# Instantiating module "log_general_message" from file /usr/local/etc/raddb/mods-available/linelog
# Instantiating module "rest" from file /usr/local/etc/raddb/mods-available/rest
rlm_rest: libcurl version: libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
rlm_rest (rest): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_rest (rest): Opening additional connection (0), 1 of 10 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (1), 1 of 9 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (2), 1 of 8 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (3), 1 of 7 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (4), 1 of 6 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
# Instantiating module "python3" from file /usr/local/etc/raddb/mods-available/python3
Python version: 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]
# Instantiating module "inner-eap" from file /usr/local/etc/raddb/mods-available/inner-eap
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-available/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server check-eap-tls { # from file /usr/local/etc/raddb/sites-available/check-eap-tls
# Loading authorize {...}
} # server check-eap-tls
server test { # from file /usr/local/etc/raddb/sites-available/virt-serv
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server test
server test-radsec { # from file /usr/local/etc/raddb/sites-available/radsec-serv
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server test-radsec
server inner-tunnel { # from file /usr/local/etc/raddb/sites-available/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type MS-CHAP for attr Auth-Type
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
thread pool {
start_servers = 3
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 300
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 3 waiting to be assigned a request
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
client test {
ipaddr = *
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "test"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth+acct"
ipaddr = *
port = 2083
proto = "tcp"
proxy_protocol = yes
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/servercert-radsec.key"
certificate_file = "/etc/raddb/servercert-radsec.pem"
ca_file = "/etc/raddb/ca-radsec.crt"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = yes
require_client_cert = yes
reject_unknown_intermediate_ca = no
ecdh_curve = "secp384r1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 2
softfail = yes
}
}
check_client_connections = no
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
client test-radsec {
ipaddr = *
require_message_authenticator = yes
secret = <<< secret >>>
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server test
Listening on acct address * port 1813 bound to server test
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server test-radsec
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
... new connection request on TCP socket
Listening on auth+acct from client (10.244.7.206, 37756) -> (*, 2083, virtual-server=test-radsec)
Waking up in 0.9 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Received PROXY protocol connection from client 165.22.89.224:33735 -> 10.244.7.206:2083, via proxy 10.244.7.206:37756 -> 0.0.0.0:2083
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
Waking up in 0.9 seconds.
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "0fc40d25cf3141d795f4d3a26dd7d9ae"
(0) TLS-Client-Cert-Expiration := "220310102259Z"
(0) TLS-Client-Cert-Valid-Since := "210310101259Z"
(0) TLS-Client-Cert-Subject := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Issuer := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Common-Name := "Proxycertificate"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "proxy.test.net"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB\n"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB"
Certificate chain - 0 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /CN=Proxycertificate
(0) Starting OCSP Request
(0) WARNING: ocsp: No OCSP URL in certificate. Not doing OCSP
(0) WARNING: ocsp: Unable to check certificate, assuming it's valid
(0) WARNING: ocsp: This may be insecure
(0) (TLS) Handshake state - Server SSLv3/TLS read client certificate
(0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(0) (TLS) recv TLS 1.2 Handshake, CertificateVerify
(0) (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(0) (TLS) recv TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS read finished
(0) (TLS) send TLS 1.2 ChangeCipherSpec
(0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) send TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS write finished
(0) (TLS) Handshake state - SSL negotiation finished successfully
(0) (TLS) Connection Established
(0) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(0) TLS-Session-Version = "TLS 1.2"
Waking up in 0.8 seconds.
Waking up in 29.4 seconds.
Reached idle timeout on socket auth+acct from client (165.22.89.224, 33735) -> (10.244.7.206, 2083, virtual-server=test-radsec)
... shutting down socket auth+acct from client (165.22.89.224, 33735) -> (10.244.7.206, 2083, virtual-server=test-radsec)
Waking up in 2.9 seconds.
... new connection request on TCP socket
Listening on auth+acct from client (10.244.7.206, 38074) -> (*, 2083, virtual-server=test-radsec)
Waking up in 0.4 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Received PROXY protocol connection from client 165.22.89.224:35251 -> 10.244.7.206:2083, via proxy 10.244.7.206:38074 -> 0.0.0.0:2083
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
Waking up in 0.4 seconds.
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "0fc40d25cf3141d795f4d3a26dd7d9ae"
(0) TLS-Client-Cert-Expiration := "220310102259Z"
(0) TLS-Client-Cert-Valid-Since := "210310101259Z"
(0) TLS-Client-Cert-Subject := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Issuer := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Common-Name := "Proxycertificate"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "proxy.test.net"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB\n"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB"
Certificate chain - 0 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /CN=Proxycertificate
(0) Starting OCSP Request
(0) WARNING: ocsp: No OCSP URL in certificate. Not doing OCSP
(0) WARNING: ocsp: Unable to check certificate, assuming it's valid
(0) WARNING: ocsp: This may be insecure
(0) (TLS) Handshake state - Server SSLv3/TLS read client certificate
(0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(0) (TLS) recv TLS 1.2 Handshake, CertificateVerify
(0) (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(0) (TLS) recv TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS read finished
(0) (TLS) send TLS 1.2 ChangeCipherSpec
(0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) send TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS write finished
(0) (TLS) Handshake state - SSL negotiation finished successfully
(0) (TLS) Connection Established
(0) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(0) TLS-Session-Version = "TLS 1.2"
Waking up in 0.4 seconds.
Waking up in 2.5 seconds.
... cleaning up socket auth+acct from client (165.22.89.224, 33735) -> (10.244.7.206, 2083, virtual-server=test-radsec)
Waking up in 26.9 seconds.
Reached idle timeout on socket auth+acct from client (165.22.89.224, 35251) -> (10.244.7.206, 2083, virtual-server=test-radsec)
... shutting down socket auth+acct from client (165.22.89.224, 35251) -> (10.244.7.206, 2083, virtual-server=test-radsec)
Waking up in 2.9 seconds.
... new connection request on TCP socket
Listening on auth+acct from client (10.244.7.206, 38408) -> (*, 2083, virtual-server=test-radsec)
Waking up in 0.4 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Received PROXY protocol connection from client 165.22.89.224:37477 -> 10.244.7.206:2083, via proxy 10.244.7.206:38408 -> 0.0.0.0:2083
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
Waking up in 0.4 seconds.
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "0fc40d25cf3141d795f4d3a26dd7d9ae"
(0) TLS-Client-Cert-Expiration := "220310102259Z"
(0) TLS-Client-Cert-Valid-Since := "210310101259Z"
(0) TLS-Client-Cert-Subject := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Issuer := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Common-Name := "Proxycertificate"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "proxy.test.net"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB\n"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB"
Certificate chain - 0 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /CN=Proxycertificate
(0) Starting OCSP Request
(0) WARNING: ocsp: No OCSP URL in certificate. Not doing OCSP
(0) WARNING: ocsp: Unable to check certificate, assuming it's valid
(0) WARNING: ocsp: This may be insecure
(0) (TLS) Handshake state - Server SSLv3/TLS read client certificate
(0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(0) (TLS) recv TLS 1.2 Handshake, CertificateVerify
(0) (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(0) (TLS) recv TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS read finished
(0) (TLS) send TLS 1.2 ChangeCipherSpec
(0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) send TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS write finished
(0) (TLS) Handshake state - SSL negotiation finished successfully
(0) (TLS) Connection Established
(0) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(0) TLS-Session-Version = "TLS 1.2"
Waking up in 0.4 seconds.
Waking up in 2.5 seconds.
... cleaning up socket auth+acct from client (165.22.89.224, 35251) -> (10.244.7.206, 2083, virtual-server=test-radsec)
Waking up in 26.9 seconds.
... new connection request on TCP socket
Listening on auth+acct from client (10.244.7.206, 38644) -> (*, 2083, virtual-server=test-radsec)
Waking up in 0.4 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Received PROXY protocol connection from client 77.47.68.110:38665 -> 10.244.7.206:2083, via proxy 10.244.7.206:38644 -> 0.0.0.0:2083
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
Waking up in 0.4 seconds.
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "0fc40d25cf3141d795f4d3a26dd7d9ae"
(0) TLS-Client-Cert-Expiration := "220310102259Z"
(0) TLS-Client-Cert-Valid-Since := "210310101259Z"
(0) TLS-Client-Cert-Subject := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Issuer := "/CN=Proxycertificate"
(0) TLS-Client-Cert-Common-Name := "Proxycertificate"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "proxy.test.net"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB\n"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F3:93:AF:2A:A9:1A:D9:DC:B9:92:A0:F4:44:B1:D7:E6:DF:17:1A:AB"
Certificate chain - 0 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /CN=Proxycertificate
(0) Starting OCSP Request
(0) WARNING: ocsp: No OCSP URL in certificate. Not doing OCSP
(0) WARNING: ocsp: Unable to check certificate, assuming it's valid
(0) WARNING: ocsp: This may be insecure
(0) (TLS) Server : Need to read more data: SSLv3/TLS read client certificate
(0) (TLS) In Handshake Phase
(0) (TLS) Application data.
... shutting down socket auth+acct from client (77.47.68.110, 38665) -> (10.244.7.206, 2083, virtual-server=test-radsec)
Waking up in 2.9 seconds.
REMOVED ALL LINES BETWEEN
Waking up in 0.1 seconds.
... cleaning up socket auth+acct from client (77.47.68.110, 38665) -> (10.244.7.206, 2083, virtual-server=test-radsec)
Bad talloc magic value - unknown value
talloc abort: Bad talloc magic value - unknown value
Backtrace of last 8 frames:
/usr/local/lib/libfreeradius-radius.so(+0xe661)[0x7f0ac07b6661]
/lib/x86_64-linux-gnu/libtalloc.so.2(+0x3ac8)[0x7f0ac042bac8]
/usr/local/sbin/radiusd(+0x56329)[0x5646f8e4a329]
/usr/local/lib/libfreeradius-radius.so(fr_event_loop+0x658)[0x7f0ac07e120a]
/usr/local/sbin/radiusd(radius_event_process+0x2a)[0x5646f8e4c596]
/usr/local/sbin/radiusd(main+0xcb5)[0x5646f8e33edf]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x7f0ac01f70b3]
/usr/local/sbin/radiusd(_start+0x2e)[0x5646f8e0bc3e]
```
--
Lineconnecct
More information about the Freeradius-Users
mailing list