Password Change Prompt on NAS
Feagles, Arthur B III CTR (USA)
arthur.feagles1.ctr at navy.mil
Sat Jan 23 02:46:41 CET 2021
Thanks to Alan's guide "Configuring Authentication with Active Directory",
users are successfully authenticating their network device logons
(Cisco/Juniper) via AD.
• What: I would like password expiration prompts to be made available on the
network devices.
• Why: To ease the burden of changing expired passwords.
• What you expect the server to do: pass the error code 648
ERROR_PASSWD_EXPIRED to the NAS, and by some magic I don't understand prompt
the user to change their password.
• What the server does instead (i.e. debug output): debug below; the NAS does
not prompt for a password change, but instead repeats the password: prompt.
Thanks
-Art-
1 FreeRADIUS Version 3.0.13
2 Copyright (C) 1999-2017 The FreeRADIUS server project and
contributors
3 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
4 PARTICULAR PURPOSE
5 You may redistribute copies of FreeRADIUS under the terms of the
6 GNU General Public License
7 For more information about these matters, see the file named
COPYRIGHT
8 Starting - reading configuration files ...
9 including dictionary file /usr/share/freeradius/dictionary
10 including dictionary file /usr/share/freeradius/dictionary.dhcp
11 including dictionary file /usr/share/freeradius/dictionary.vqp
12 including dictionary file /etc/raddb/dictionary
13 including configuration file /etc/raddb/radiusd.conf
14 including configuration file /etc/raddb/proxy.conf
15 including configuration file /etc/raddb/clients.conf
16 including files in directory /etc/raddb/mods-enabled/
17 including configuration file /etc/raddb/mods-enabled/always
18 including configuration file /etc/raddb/mods-enabled/attr_filter
19 including configuration file /etc/raddb/mods-enabled/cache_eap
20 including configuration file /etc/raddb/mods-enabled/chap
21 including configuration file /etc/raddb/mods-enabled/date
22 including configuration file /etc/raddb/mods-enabled/detail
23 including configuration file /etc/raddb/mods-enabled/detail.log
24 including configuration file /etc/raddb/mods-enabled/dhcp
25 including configuration file /etc/raddb/mods-enabled/digest
26 including configuration file /etc/raddb/mods-enabled/dynamic_clients
27 including configuration file /etc/raddb/mods-enabled/eap
28 including configuration file /etc/raddb/mods-enabled/echo
29 including configuration file /etc/raddb/mods-enabled/exec
30 including configuration file /etc/raddb/mods-enabled/expiration
31 including configuration file /etc/raddb/mods-enabled/expr
32 including configuration file /etc/raddb/mods-enabled/files
33 including configuration file /etc/raddb/mods-enabled/linelog
34 including configuration file /etc/raddb/mods-enabled/logintime
35 including configuration file /etc/raddb/mods-enabled/mschap
36 including configuration file /etc/raddb/mods-enabled/ntlm_auth
37 including configuration file /etc/raddb/mods-enabled/pap
38 including configuration file /etc/raddb/mods-enabled/passwd
39 including configuration file /etc/raddb/mods-enabled/preprocess
40 including configuration file /etc/raddb/mods-enabled/radutmp
41 including configuration file /etc/raddb/mods-enabled/realm
42 including configuration file /etc/raddb/mods-enabled/replicate
43 including configuration file /etc/raddb/mods-enabled/soh
44 including configuration file /etc/raddb/mods-enabled/sradutmp
45 including configuration file /etc/raddb/mods-enabled/unix
46 including configuration file /etc/raddb/mods-enabled/unpack
47 including configuration file /etc/raddb/mods-enabled/utf8
48 including files in directory /etc/raddb/policy.d/
49 including configuration file /etc/raddb/policy.d/accounting
50 including configuration file /etc/raddb/policy.d/canonicalization
51 including configuration file /etc/raddb/policy.d/control
52 including configuration file /etc/raddb/policy.d/cui
53 including configuration file /etc/raddb/policy.d/debug
54 including configuration file /etc/raddb/policy.d/dhcp
55 including configuration file /etc/raddb/policy.d/eap
56 including configuration file /etc/raddb/policy.d/filter
57 including configuration file /etc/raddb/policy.d/operator-name
58 including files in directory /etc/raddb/sites-enabled/
59 including configuration file /etc/raddb/sites-enabled/inner-tunnel
60 including configuration file /etc/raddb/sites-enabled/default
61 main {
62 security {
63 user = "radiusd"
64 group = "radiusd"
65 allow_core_dumps = no
66 }
67 name = "radiusd"
68 prefix = "/usr"
69 localstatedir = "/var"
70 logdir = "/var/log/radius"
71 run_dir = "/var/run/radiusd"
72 }
73 main {
74 name = "radiusd"
75 prefix = "/usr"
76 localstatedir = "/var"
77 sbindir = "/usr/sbin"
78 logdir = "/var/log/radius"
79 run_dir = "/var/run/radiusd"
80 libdir = "/usr/lib64/freeradius"
81 radacctdir = "/var/log/radius/radacct"
82 hostname_lookups = no
83 max_request_time = 30
84 cleanup_delay = 5
85 max_requests = 16384
86 pidfile = "/var/run/radiusd/radiusd.pid"
87 checkrad = "/usr/sbin/checkrad"
88 debug_level = 0
89 proxy_requests = yes
90 log {
91 stripped_names = no
92 auth = yes
93 auth_badpass = no
94 auth_goodpass = no
95 colourise = yes
96 msg_denied = "You are already logged in - access denied"
97 }
98 resources {
99 }
100 security {
101 max_attributes = 200
102 reject_delay = 1.000000
103 status_server = yes
104 }
105 }
106 radiusd: #### Loading Realms and Home Servers ####
107 proxy server {
108 retry_delay = 5
109 retry_count = 3
110 default_fallback = no
111 dead_time = 120
112 wake_all_if_all_dead = no
113 }
114 home_server localhost {
115 ipaddr = 127.0.0.1
116 port = 1812
117 type = "auth"
118 secret = <<< secret >>>
119 response_window = 20.000000
120 response_timeouts = 1
121 max_outstanding = 65536
122 zombie_period = 40
123 status_check = "status-server"
124 ping_interval = 30
125 check_interval = 30
126 check_timeout = 4
127 num_answers_to_alive = 3
128 revive_interval = 120
129 limit {
130 max_connections = 16
131 max_requests = 0
132 lifetime = 0
133 idle_timeout = 0
134 }
135 coa {
136 irt = 2
137 mrt = 16
138 mrc = 5
139 mrd = 30
140 }
141 }
142 home_server_pool my_auth_failover {
143 type = fail-over
144 home_server = localhost
145 }
146 realm example.com {
147 auth_pool = my_auth_failover
148 }
149 realm LOCAL {
150 }
151 radiusd: #### Loading Clients ####
152 client localhost {
153 ipaddr = 127.0.0.1
154 require_message_authenticator = no
155 secret = <<< secret >>>
156 nas_type = "other"
157 proto = "*"
158 limit {
159 max_connections = 16
160 lifetime = 0
161 idle_timeout = 30
162 }
163 }
164 client localhost_ipv6 {
165 ipv6addr = ::1
166 require_message_authenticator = no
167 secret = <<< secret >>>
168 limit {
169 max_connections = 16
170 lifetime = 0
171 idle_timeout = 30
Clients removed
1603 }
1604 Debugger not attached
1605 # Creating Auth-Type = mschap
1606 # Creating Auth-Type = eap
1607 # Creating Auth-Type = PAP
1608 # Creating Auth-Type = CHAP
1609 # Creating Auth-Type = MS-CHAP
1610 # Creating Auth-Type = ntlm_auth
1611 # Creating Auth-Type = digest
1612 radiusd: #### Instantiating modules ####
1613 modules {
1614 # Loaded module rlm_always
1615 # Loading module "reject" from file /etc/raddb/mods-enabled/always
1616 always reject {
1617 rcode = "reject"
1618 simulcount = 0
1619 mpp = no
1620 }
1621 # Loading module "fail" from file /etc/raddb/mods-enabled/always
1622 always fail {
1623 rcode = "fail"
1624 simulcount = 0
1625 mpp = no
1626 }
1627 # Loading module "ok" from file /etc/raddb/mods-enabled/always
1628 always ok {
1629 rcode = "ok"
1630 simulcount = 0
1631 mpp = no
1632 }
1633 # Loading module "handled" from file
/etc/raddb/mods-enabled/always
1634 always handled {
1635 rcode = "handled"
1636 simulcount = 0
1637 mpp = no
1638 }
1639 # Loading module "invalid" from file
/etc/raddb/mods-enabled/always
1640 always invalid {
1641 rcode = "invalid"
1642 simulcount = 0
1643 mpp = no
1644 }
1645 # Loading module "userlock" from file
/etc/raddb/mods-enabled/always
1646 always userlock {
1647 rcode = "userlock"
1648 simulcount = 0
1649 mpp = no
1650 }
1651 # Loading module "notfound" from file
/etc/raddb/mods-enabled/always
1652 always notfound {
1653 rcode = "notfound"
1654 simulcount = 0
1655 mpp = no
1656 }
1657 # Loading module "noop" from file /etc/raddb/mods-enabled/always
1658 always noop {
1659 rcode = "noop"
1660 simulcount = 0
1661 mpp = no
1662 }
1663 # Loading module "updated" from file
/etc/raddb/mods-enabled/always
1664 always updated {
1665 rcode = "updated"
1666 simulcount = 0
1667 mpp = no
1668 }
1669 # Loaded module rlm_attr_filter
1670 # Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
1671 attr_filter attr_filter.post-proxy {
1672 filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
1673 key = "%{Realm}"
1674 relaxed = no
1675 }
1676 # Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
1677 attr_filter attr_filter.pre-proxy {
1678 filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
1679 key = "%{Realm}"
1680 relaxed = no
1681 }
1682 # Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
1683 attr_filter attr_filter.access_reject {
1684 filename =
"/etc/raddb/mods-config/attr_filter/access_reject"
1685 key = "%{User-Name}"
1686 relaxed = no
1687 }
1688 # Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
1689 attr_filter attr_filter.access_challenge {
1690 filename =
"/etc/raddb/mods-config/attr_filter/access_challenge"
1691 key = "%{User-Name}"
1692 relaxed = no
1693 }
1694 # Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
1695 attr_filter attr_filter.accounting_response {
1696 filename =
"/etc/raddb/mods-config/attr_filter/accounting_response"
1697 key = "%{User-Name}"
1698 relaxed = no
1699 }
1700 # Loaded module rlm_cache
1701 # Loading module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
1702 cache cache_eap {
1703 driver = "rlm_cache_rbtree"
1704 key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
1705 ttl = 15
1706 max_entries = 0
1707 epoch = 0
1708 add_stats = no
1709 }
1710 # Loaded module rlm_chap
1711 # Loading module "chap" from file /etc/raddb/mods-enabled/chap
1712 # Loaded module rlm_date
1713 # Loading module "date" from file /etc/raddb/mods-enabled/date
1714 date {
1715 format = "%b %e %Y %H:%M:%S %Z"
1716 }
1717 # Loaded module rlm_detail
1718 # Loading module "detail" from file /etc/raddb/mods-enabled/detail
1719 detail {
1720 filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"
1721 header = "%t"
1722 permissions = 384
1723 locking = no
1724 escape_filenames = no
1725 log_packet_header = no
1726 }
1727 # Loading module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
1728 detail auth_log {
1729 filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"
1730 header = "%t"
1731 permissions = 384
1732 locking = no
1733 escape_filenames = no
1734 log_packet_header = no
1735 }
1736 # Loading module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
1737 detail reply_log {
1738 filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"
1739 header = "%t"
1740 permissions = 384
1741 locking = no
1742 escape_filenames = no
1743 log_packet_header = no
1744 }
1745 # Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
1746 detail pre_proxy_log {
1747 filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"
1748 header = "%t"
1749 permissions = 384
1750 locking = no
1751 escape_filenames = no
1752 log_packet_header = no
1753 }
1754 # Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
1755 detail post_proxy_log {
1756 filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"
1757 header = "%t"
1758 permissions = 384
1759 locking = no
1760 escape_filenames = no
1761 log_packet_header = no
1762 }
1763 # Loaded module rlm_dhcp
1764 # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
1765 # Loaded module rlm_digest
1766 # Loading module "digest" from file /etc/raddb/mods-enabled/digest
1767 # Loaded module rlm_dynamic_clients
1768 # Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
1769 # Loaded module rlm_eap
1770 # Loading module "eap" from file /etc/raddb/mods-enabled/eap
1771 eap {
1772 default_eap_type = "md5"
1773 timer_expire = 60
1774 ignore_unknown_eap_types = no
1775 cisco_accounting_username_bug = no
1776 max_sessions = 16384
1777 }
1778 # Loaded module rlm_exec
1779 # Loading module "echo" from file /etc/raddb/mods-enabled/echo
1780 exec echo {
1781 wait = yes
1782 program = "/bin/echo %{User-Name}"
1783 input_pairs = "request"
1784 output_pairs = "reply"
1785 shell_escape = yes
1786 }
1787 # Loading module "exec" from file /etc/raddb/mods-enabled/exec
1788 exec {
1789 wait = no
1790 input_pairs = "request"
1791 shell_escape = yes
1792 timeout = 10
1793 }
1794 # Loaded module rlm_expiration
1795 # Loading module "expiration" from file
/etc/raddb/mods-enabled/expiration
1796 # Loaded module rlm_expr
1797 # Loading module "expr" from file /etc/raddb/mods-enabled/expr
1798 expr {
1799 safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
1800 }
1801 # Loaded module rlm_files
1802 # Loading module "files" from file /etc/raddb/mods-enabled/files
1803 files {
1804 filename = "/etc/raddb/mods-config/files/authorize"
1805 acctusersfile = "/etc/raddb/mods-config/files/accounting"
1806 preproxy_usersfile =
"/etc/raddb/mods-config/files/pre-proxy"
1807 }
1808 # Loaded module rlm_linelog
1809 # Loading module "linelog" from file
/etc/raddb/mods-enabled/linelog
1810 linelog {
1811 filename = "/var/log/radius/linelog"
1812 escape_filenames = no
1813 syslog_severity = "info"
1814 permissions = 384
1815 format = "This is a log message for %{User-Name}"
1816 reference = "messages.%{%{reply:Packet-Type}:-default}"
1817 }
1818 # Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
1819 linelog log_accounting {
1820 filename = "/var/log/radius/linelog-accounting"
1821 escape_filenames = no
1822 syslog_severity = "info"
1823 permissions = 384
1824 format = ""
1825 reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
1826 }
1827 # Loaded module rlm_logintime
1828 # Loading module "logintime" from file
/etc/raddb/mods-enabled/logintime
1829 logintime {
1830 minimum_timeout = 60
1831 }
1832 # Loaded module rlm_mschap
1833 # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
1834 mschap {
1835 use_mppe = yes
1836 require_encryption = no
1837 require_strong = no
1838 with_ntdomain_hack = yes
1839 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-DOMAIN.REMOVED}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
1840 passchange {
1841 ntlm_auth = "/usr/bin/ntlm_auth
--helper-protocol=ntlm-change-password-1"
1842 ntlm_auth_username = "username: %{mschap:User-Name}"
1843 ntlm_auth_domain = "nt-domain:
%{%{mschap:NT-Domain}:-DOMAIN.REMOVED}"
1844 }
1845 allow_retry = yes
1846 winbind_retry_with_normalised_username = no
1847 }
1848 # Loading module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
1849 exec ntlm_auth {
1850 wait = yes
1851 program = "/usr/bin/ntlm_auth --request-nt-key
--domain=DOMAIN.REMOVED --username=%{mschap:User-Name}
--password=%{User-Password}"
1852 shell_escape = yes
1853 }
1854 # Loaded module rlm_pap
1855 # Loading module "pap" from file /etc/raddb/mods-enabled/pap
1856 pap {
1857 normalise = yes
1858 }
1859 # Loaded module rlm_passwd
1860 # Loading module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
1861 passwd etc_passwd {
1862 filename = "/etc/passwd"
1863 format = "*User-Name:Crypt-Password:"
1864 delimiter = ":"
1865 ignore_nislike = no
1866 ignore_empty = yes
1867 allow_multiple_keys = no
1868 hash_size = 100
1869 }
1870 # Loaded module rlm_preprocess
1871 # Loading module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
1872 preprocess {
1873 huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
1874 hints = "/etc/raddb/mods-config/preprocess/hints"
1875 with_ascend_hack = no
1876 ascend_channels_per_line = 23
1877 with_ntdomain_hack = no
1878 with_specialix_jetstream_hack = no
1879 with_cisco_vsa_hack = no
1880 with_alvarion_vsa_hack = no
1881 }
1882 # Loaded module rlm_radutmp
1883 # Loading module "radutmp" from file
/etc/raddb/mods-enabled/radutmp
1884 radutmp {
1885 filename = "/var/log/radius/radutmp"
1886 username = "%{User-Name}"
1887 case_sensitive = yes
1888 check_with_nas = yes
1889 permissions = 384
1890 caller_id = yes
1891 }
1892 # Loaded module rlm_realm
1893 # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
1894 realm IPASS {
1895 format = "prefix"
1896 delimiter = "/"
1897 ignore_default = no
1898 ignore_null = no
1899 }
1900 # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
1901 realm suffix {
1902 format = "suffix"
1903 delimiter = "@"
1904 ignore_default = no
1905 ignore_null = no
1906 }
1907 # Loading module "realmpercent" from file
/etc/raddb/mods-enabled/realm
1908 realm realmpercent {
1909 format = "suffix"
1910 delimiter = "%"
1911 ignore_default = no
1912 ignore_null = no
1913 }
1914 # Loading module "ntdomain" from file
/etc/raddb/mods-enabled/realm
1915 realm ntdomain {
1916 format = "prefix"
1917 delimiter = "\\"
1918 ignore_default = no
1919 ignore_null = no
1920 }
1921 # Loaded module rlm_replicate
1922 # Loading module "replicate" from file
/etc/raddb/mods-enabled/replicate
1923 # Loaded module rlm_soh
1924 # Loading module "soh" from file /etc/raddb/mods-enabled/soh
1925 soh {
1926 dhcp = yes
1927 }
1928 # Loading module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
1929 radutmp sradutmp {
1930 filename = "/var/log/radius/sradutmp"
1931 username = "%{User-Name}"
1932 case_sensitive = yes
1933 check_with_nas = yes
1934 permissions = 420
1935 caller_id = no
1936 }
1937 # Loaded module rlm_unix
1938 # Loading module "unix" from file /etc/raddb/mods-enabled/unix
1939 unix {
1940 radwtmp = "/var/log/radius/radwtmp"
1941 }
1942 Creating attribute Unix-Group
1943 # Loaded module rlm_unpack
1944 # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
1945 # Loaded module rlm_utf8
1946 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
1947 instantiate {
1948 }
1949 # Instantiating module "reject" from file
/etc/raddb/mods-enabled/always
1950 # Instantiating module "fail" from file
/etc/raddb/mods-enabled/always
1951 # Instantiating module "ok" from file
/etc/raddb/mods-enabled/always
1952 # Instantiating module "handled" from file
/etc/raddb/mods-enabled/always
1953 # Instantiating module "invalid" from file
/etc/raddb/mods-enabled/always
1954 # Instantiating module "userlock" from file
/etc/raddb/mods-enabled/always
1955 # Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
1956 # Instantiating module "noop" from file
/etc/raddb/mods-enabled/always
1957 # Instantiating module "updated" from file
/etc/raddb/mods-enabled/always
1958 # Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
1959 reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
1960 # Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
1961 reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
1962 # Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
1963 reading pairlist file
/etc/raddb/mods-config/attr_filter/access_reject
1964 [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
1965 [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
1966 # Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
1967 reading pairlist file
/etc/raddb/mods-config/attr_filter/access_challenge
1968 # Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
1969 reading pairlist file
/etc/raddb/mods-config/attr_filter/accounting_response
1970 # Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
1971 rlm_cache (cache_eap): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
1972 # Instantiating module "detail" from file
/etc/raddb/mods-enabled/detail
1973 # Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
1974 rlm_detail (auth_log): 'User-Password' suppressed, will not appear
in detail output
1975 # Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
1976 # Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
1977 # Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
1978 # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
1979 # Linked to sub-module rlm_eap_md5
1980 # Linked to sub-module rlm_eap_leap
1981 # Linked to sub-module rlm_eap_gtc
1982 gtc {
1983 challenge = "Password: "
1984 auth_type = "PAP"
1985 }
1986 # Linked to sub-module rlm_eap_tls
1987 tls {
1988 tls = "tls-common"
1989 }
1990 tls-config tls-common {
1991 verify_depth = 0
1992 ca_path = "/etc/raddb/certs"
1993 pem_file_type = yes
1994 private_key_file = "/etc/raddb/certs/server.pem"
1995 certificate_file = "/etc/raddb/certs/server.pem"
1996 ca_file = "/etc/raddb/certs/ca.pem"
1997 private_key_password = <<< secret >>>
1998 dh_file = "/etc/raddb/certs/dh"
1999 fragment_size = 1024
2000 include_length = yes
2001 auto_chain = yes
2002 check_crl = no
2003 check_all_crl = no
2004 cipher_list = "DEFAULT"
2005 cipher_server_preference = no
2006 ecdh_curve = "prime256v1"
2007 cache {
2008 enable = no
2009 lifetime = 24
2010 max_entries = 255
2011 }
2012 verify {
2013 skip_if_ocsp_ok = no
2014 }
2015 ocsp {
2016 enable = no
2017 override_cert_url = yes
2018 url = "http://127.0.0.1/ocsp/"
2019 use_nonce = yes
2020 timeout = 0
2021 softfail = no
2022 }
2023 }
2024 # Linked to sub-module rlm_eap_ttls
2025 ttls {
2026 tls = "tls-common"
2027 default_eap_type = "md5"
2028 copy_request_to_tunnel = no
2029 use_tunneled_reply = no
2030 virtual_server = "inner-tunnel"
2031 include_length = yes
2032 require_client_cert = no
2033 }
2034 tls: Using cached TLS configuration from previous invocation
2035 # Linked to sub-module rlm_eap_peap
2036 peap {
2037 tls = "tls-common"
2038 default_eap_type = "mschapv2"
2039 copy_request_to_tunnel = no
2040 use_tunneled_reply = no
2041 proxy_tunneled_request_as_eap = yes
2042 virtual_server = "inner-tunnel"
2043 soh = no
2044 require_client_cert = no
2045 }
2046 tls: Using cached TLS configuration from previous invocation
2047 # Linked to sub-module rlm_eap_mschapv2
2048 mschapv2 {
2049 with_ntdomain_hack = no
2050 send_error = no
2051 }
2052 # Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
2053 # Instantiating module "files" from file
/etc/raddb/mods-enabled/files
2054 reading pairlist file /etc/raddb/mods-config/files/authorize
2055 reading pairlist file /etc/raddb/mods-config/files/accounting
2056 reading pairlist file /etc/raddb/mods-config/files/pre-proxy
2057 # Instantiating module "linelog" from file
/etc/raddb/mods-enabled/linelog
2058 # Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
2059 # Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
2060 # Instantiating module "mschap" from file
/etc/raddb/mods-enabled/mschap
2061 rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
2062 # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
2063 # Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
2064 rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
2065 # Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
2066 reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
2067 reading pairlist file /etc/raddb/mods-config/preprocess/hints
2068 # Instantiating module "IPASS" from file
/etc/raddb/mods-enabled/realm
2069 # Instantiating module "suffix" from file
/etc/raddb/mods-enabled/realm
2070 # Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
2071 # Instantiating module "ntdomain" from file
/etc/raddb/mods-enabled/realm
2072 } # modules
2073 radiusd: #### Loading Virtual Servers ####
2074 server { # from file /etc/raddb/radiusd.conf
2075 } # server
2076 server inner-tunnel { # from file
/etc/raddb/sites-enabled/inner-tunnel
2077 # Loading authenticate {...}
2078 # Loading authorize {...}
2079 Ignoring "sql" (see raddb/mods-available/README.rst)
2080 Ignoring "ldap" (see raddb/mods-available/README.rst)
2081 # Loading session {...}
2082 # Loading post-proxy {...}
2083 # Loading post-auth {...}
2084 # Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:330
2085 } # server inner-tunnel
2086 server default { # from file /etc/raddb/sites-enabled/default
2087 # Loading authenticate {...}
2088 # Loading authorize {...}
2089 # Loading preacct {...}
2090 # Loading accounting {...}
2091 # Loading post-proxy {...}
2092 # Loading post-auth {...}
2093 } # server default
2094 radiusd: #### Opening IP addresses and Ports ####
2095 listen {
2096 type = "auth"
2097 ipaddr = 127.0.0.1
2098 port = 18120
2099 }
2100 listen {
2101 type = "auth"
2102 ipaddr = *
2103 port = 0
2104 limit {
2105 max_connections = 16
2106 lifetime = 0
2107 idle_timeout = 30
2108 }
2109 }
2110 listen {
2111 type = "acct"
2112 ipaddr = *
2113 port = 0
2114 limit {
2115 max_connections = 16
2116 lifetime = 0
2117 idle_timeout = 30
2118 }
2119 }
2120 listen {
2121 type = "auth"
2122 ipv6addr = ::
2123 port = 0
2124 limit {
2125 max_connections = 16
2126 lifetime = 0
2127 idle_timeout = 30
2128 }
2129 }
2130 listen {
2131 type = "acct"
2132 ipv6addr = ::
2133 port = 0
2134 limit {
2135 max_connections = 16
2136 lifetime = 0
2137 idle_timeout = 30
2138 }
2139 }
2140 Listening on auth address 127.0.0.1 port 18120 bound to server
inner-tunnel
2141 Listening on auth address * port 1812 bound to server default
2142 Listening on acct address * port 1813 bound to server default
2143 Listening on auth address :: port 1812 bound to server default
2144 Listening on acct address :: port 1813 bound to server default
2145 Listening on proxy address * port 49658
2146 Listening on proxy address :: port 33500
2147 Ready to process requests
2148 (0) Received Access-Request Id 90 from IP-REMOVED:61997 to
IP-REMOVED:1812 length 90
2149 (0) User-Name = "USERNAME-REMOVED"
2150 (0) User-Password = "PASSWORD-REMOVED"
2151 (0) NAS-Identifier = "JUNIPER-DEVICE-NAME-REMOVED"
2152 (0) Calling-Station-Id = "IP-REMOVED"
2153 (0) NAS-IP-Address = IP-REMOVED
2154 (0) # Executing section authorize from file
/etc/raddb/sites-enabled/default
2155 (0) authorize {
2156 (0) policy filter_username {
2157 (0) if (&User-Name) {
2158 (0) if (&User-Name) -> TRUE
2159 (0) if (&User-Name) {
2160 (0) if (&User-Name =~ / /) {
2161 (0) if (&User-Name =~ / /) -> FALSE
2162 (0) if (&User-Name =~ /@[^@]*@/ ) {
2163 (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
2164 (0) if (&User-Name =~ /\.\./ ) {
2165 (0) if (&User-Name =~ /\.\./ ) -> FALSE
2166 (0) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) {
2167 (0) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
2168 (0) if (&User-Name =~ /\.$/) {
2169 (0) if (&User-Name =~ /\.$/) -> FALSE
2170 (0) if (&User-Name =~ /@\./) {
2171 (0) if (&User-Name =~ /@\./) -> FALSE
2172 (0) } # if (&User-Name) = notfound
2173 (0) } # policy filter_username = notfound
2174 (0) [preprocess] = ok
2175 (0) [chap] = noop
2176 (0) [mschap] = noop
2177 (0) [digest] = noop
2178 (0) suffix: Checking for suffix after "@"
2179 (0) suffix: No '@' in User-Name = "USERNAME-REMOVED", looking up
realm NULL
2180 (0) suffix: No such realm "NULL"
2181 (0) [suffix] = noop
2182 (0) eap: No EAP-Message, not doing EAP
2183 (0) [eap] = noop
2184 (0) files: users: Matched entry USERNAME-REMOVED at line 96
2185 (0) [files] = ok
2186 (0) [expiration] = noop
2187 (0) [logintime] = noop
2188 (0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
2189 (0) pap: WARNING: Authentication will fail unless a "known good"
password is available
2190 (0) [pap] = noop
2191 (0) } # authorize = ok
2192 (0) Found Auth-Type = ntlm_auth
2193 (0) # Executing group from file /etc/raddb/sites-enabled/default
2194 (0) authenticate {
2195 (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key
--domain=DOMAIN.REMOVED --username=%{mschap:User-Name}
--password=%{User-Password}:
2196 (0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
2197 (0) ntlm_auth: --> --username=USERNAME-REMOVED
2198 (0) ntlm_auth: EXPAND --password=%{User-Password}
2199 (0) ntlm_auth: --> --password=PASSWORD-REMOVED
2200 (0) ntlm_auth: ERROR: Program returned code (1) and output
'NT_STATUS_PASSWORD_MUST_CHANGE: The user password must be changed before
logging on the first time. (0xc0000224)'
2201 (0) [ntlm_auth] = reject
2202 (0) } # authenticate = reject
2203 (0) Failed to authenticate the user
2204 (0) Login incorrect (ntlm_auth: Program returned code (1) and output
'NT_STATUS_PASSWORD_MUST_CHANGE: The user password must be changed before
logging on the first time. (0xc0000224)'): [USERNAME-REMOVED] (from client
IP-REMOVED port 0 cli IP-REMOVED)
2205 (0) Using Post-Auth-Type Reject
2206 (0) # Executing group from file /etc/raddb/sites-enabled/default
2207 (0) Post-Auth-Type REJECT {
2208 (0) attr_filter.access_reject: EXPAND %{User-Name}
2209 (0) attr_filter.access_reject: --> USERNAME-REMOVED
2210 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
2211 (0) [attr_filter.access_reject] = updated
2212 (0) [eap] = noop
2213 (0) policy remove_reply_message_if_eap {
2214 (0) if (&reply:EAP-Message && &reply:Reply-Message) {
2215 (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
2216 (0) else {
2217 (0) [noop] = noop
2218 (0) } # else = noop
2219 (0) } # policy remove_reply_message_if_eap = noop
2220 (0) } # Post-Auth-Type REJECT = updated
2221 (0) Delaying response for 1.000000 seconds
2222 Waking up in 0.9 seconds.
2223 (0) (0) Discarding duplicate request from client IP-REMOVED port
61997 - ID: 90 due to delayed response
2224 Waking up in 0.2 seconds.
2225 (0) Sending delayed response
2226 (0) Sent Access-Reject Id 90 from IP-REMOVED:1812 to
IP-REMOVED:61997 length 20
2227 Waking up in 3.9 seconds.
2228 (0) Cleaning up request packet ID 90 with timestamp +10
2229 Ready to process requests
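An added triage example, not part of the original post or of FreeRADIUS itself: it parses the kind of `radiusd -X` transcript shown above, picks out per-request facts (authentication method, Auth-Type, the NT_STATUS name and code that ntlm_auth printed, the final packet type) and labels each reject, so an operator reading "Login incorrect" can tell a must-change password from a wrong one. The sample transcript is constructed and condensed from the request section above, with the same placeholders plus two invented follow-on requests; the `nas_can_prompt_change` flag encodes the point that only the MS-CHAPv2 exchange (the one the mschap module's `passchange` block serves) carries a change-password round trip, whereas a PAP request such as request (0), which arrives with `User-Password` and is handled by the exec `ntlm_auth` module, can only be rejected.

```python
"""Triage FreeRADIUS debug output for ntlm_auth rejects (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the transcript in the post; requests (1)
# and (2) are invented to show the other outcomes.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 90 from IP-REMOVED:61997 to IP-REMOVED:1812 length 90
(0)   User-Name = "USERNAME-REMOVED"
(0)   User-Password = "PASSWORD-REMOVED"
(0)   NAS-Identifier = "JUNIPER-DEVICE-NAME-REMOVED"
(0) Found Auth-Type = ntlm_auth
(0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_PASSWORD_MUST_CHANGE: The user password must be changed before logging on the first time. (0xc0000224)'
(0)     [ntlm_auth] = reject
(0) Sent Access-Reject Id 90 from IP-REMOVED:1812 to IP-REMOVED:61997 length 20
(1) Received Access-Request Id 91 from IP-REMOVED:61998 to IP-REMOVED:1812 length 90
(1)   User-Name = "OTHER-USER"
(1)   User-Password = "PASSWORD-REMOVED"
(1) Found Auth-Type = ntlm_auth
(1) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong password (0xc000006a)'
(1)     [ntlm_auth] = reject
(1) Sent Access-Reject Id 91 from IP-REMOVED:1812 to IP-REMOVED:61998 length 20
(2) Received Access-Request Id 92 from IP-REMOVED:61999 to IP-REMOVED:1812 length 90
(2)   User-Name = "THIRD-USER"
(2)   User-Password = "PASSWORD-REMOVED"
(2) Found Auth-Type = ntlm_auth
(2)     [ntlm_auth] = ok
(2) Sent Access-Accept Id 92 from IP-REMOVED:1812 to IP-REMOVED:61999 length 20
"""

REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")              # "(0) ..." request prefix
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) = (.*)$")       # "User-Name = ..." (not "[mod] = rcode")
NTLM_RE = re.compile(r"Program returned code \((\d+)\) and output "
                     r"'(NT_STATUS_\w+)[^']*\((0x[0-9a-fA-F]+)\)'")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
SENT_RE = re.compile(r"^Sent Access-(Accept|Reject|Challenge)")

# Samba NT_STATUS names as ntlm_auth prints them, mapped to a triage label.
NTSTATUS_LABELS = {
    "NT_STATUS_PASSWORD_MUST_CHANGE": "password_must_change",
    "NT_STATUS_PASSWORD_EXPIRED": "password_expired",
    "NT_STATUS_WRONG_PASSWORD": "wrong_password",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "account_locked",
    "NT_STATUS_NO_SUCH_USER": "no_such_user",
}


@dataclass
class RadiusRequest:
    req_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    auth_type: Optional[str] = None
    ntlm_exit: Optional[int] = None
    nt_status: Optional[str] = None
    nt_code: Optional[str] = None
    outcome: Optional[str] = None

    @property
    def method(self) -> str:
        """PAP carries User-Password; MS-CHAPv2 carries challenge/response."""
        if "MS-CHAP-Challenge" in self.attrs or "MS-CHAP2-Response" in self.attrs:
            return "mschapv2"
        return "pap" if "User-Password" in self.attrs else "unknown"

    @property
    def label(self) -> str:
        if self.outcome == "Accept":
            return "accept"
        if self.nt_status in NTSTATUS_LABELS:
            return NTSTATUS_LABELS[self.nt_status]
        return "other_reject" if self.outcome == "Reject" else "incomplete"

    @property
    def nas_can_prompt_change(self) -> bool:
        # Only MS-CHAPv2 has a change-password round trip; a PAP reject for a
        # must-change/expired password is terminal from the NAS's viewpoint.
        return self.label in ("password_must_change", "password_expired") \
            and self.method == "mschapv2"


def parse_debug(text: str) -> List[RadiusRequest]:
    """Group "(N) ..." lines by request id and extract the facts we triage on."""
    reqs: Dict[int, RadiusRequest] = {}
    for raw in text.splitlines():
        m = REQ_RE.match(raw.strip())
        if not m:
            continue  # "Waking up ..." and similar lines have no request prefix
        rid, body = int(m.group(1)), m.group(2).strip()
        req = reqs.setdefault(rid, RadiusRequest(rid))
        if (a := ATTR_RE.match(body)):
            req.attrs[a.group(1)] = a.group(2).strip('"')
        elif (t := AUTH_TYPE_RE.match(body)):
            req.auth_type = t.group(1)
        elif (n := NTLM_RE.search(body)):
            req.ntlm_exit, req.nt_status, req.nt_code = int(n.group(1)), n.group(2), n.group(3)
        elif (s := SENT_RE.match(body)):
            req.outcome = s.group(1)
    return [reqs[k] for k in sorted(reqs)]


def triage(text: str) -> List[dict]:
    return [{"id": r.req_id, "user": r.attrs.get("User-Name"), "method": r.method,
             "auth_type": r.auth_type, "label": r.label, "nt_code": r.nt_code,
             "nas_can_prompt_change": r.nas_can_prompt_change}
            for r in parse_debug(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_DEBUG):
        print(row)
```

Run it against a saved `radiusd -X` transcript (`triage(open(path).read())`) to get one row per request; the `password_must_change` / `password_expired` labels are the ones worth routing to the helpdesk rather than counting as failed-password attempts, and a row with one of those labels and `method == "pap"` is exactly the case in the post, where no NAS-side prompt can follow.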