Accept PROXY protocol
Lineconnect
nabble at felix.world
Thu Jul 22 13:22:53 CEST 2021
Hi,
we're running the FreeRADIUS server in a Kubernetes cluster and accepting only RadSec connections and forwarding the requests with Traefik as TCProute to FreeRADIUS.
However it would be nice to preserve the actual IP address of the sender in the requests. Traefik has the opportunity to forward the requests with the PROXY protocol.
Is there any change to accept and interpret the requests correct with the PROXY protocol in FreeRADIUS? Hopefully i haven't overlooked something in the documentation.
After enabling i see only things like this('radiusd -fxxx'):
```
Thu Jul 22 10:12:01 2021 : Info: Ready to process requests
Thu Jul 22 10:12:09 2021 : Debug: ... new connection request on TCP socket
Thu Jul 22 10:12:09 2021 : Debug: Listening on auth+acct from client (10.244.11.70, 36504) -> (*, 2083, virtual-server=felix-radsec)
Thu Jul 22 10:12:09 2021 : Debug: Waking up in 0.4 seconds.
Thu Jul 22 10:12:09 2021 : Debug: (0) (TLS) Initiating new session
Thu Jul 22 10:12:09 2021 : Debug: (0) (TLS) Setting verify mode to require certificate from client
Thu Jul 22 10:12:09 2021 : Debug: (0) Reading from socket 11
READ FROM SSL 342
00: 50 52 4f 58 59 20 54 43 50 34 20 37 37 2e 34 37
10: 2e 36 38 2e 31 31 30 20 31 30 2e 32 34 34 2e 31
20: 31 2e 37 30 20 34 34 33 34 35 20 32 30 38 33 0d
30: 0a 16 03 01 01 20 01 00 01 1c 03 03 01 87 ca 71
40: 59 fb 6b f8 d3 bb cd d4 db d3 e1 08 1f 1b e2 fc
50: 80 41 31 49 14 eb 8e 42 50 2a c9 d3 20 e9 e9 78
60: c4 3b 39 cc fa 60 65 95 96 3d b5 b9 6d 44 69 1a
70: 72 4f 0c ef c9 e6 c7 69 92 21 fe cc 45 00 3e 13
80: 02 13 03 13 01 c0 2c c0 30 00 9f cc a9 cc a8 cc
90: aa c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0
a0: 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00
b0: 9d 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00
c0: 95 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00
d0: 1d 00 17 00 1e 00 19 00 18 00 23 00 00 00 16 00
e0: 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06
f0: 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08
Thu Jul 22 10:12:09 2021 : Debug: (0) Non-TLS data sent to TLS socket: closing
Thu Jul 22 10:12:09 2021 : Debug: Closing TLS socket from client port 36504
Thu Jul 22 10:12:09 2021 : Debug: Client has closed connection
Thu Jul 22 10:12:09 2021 : Info: ... shutting down socket auth+acct from client (10.244.11.70, 36504) -> (*, 2083, virtual-server=felix-radsec)
Thu Jul 22 10:12:09 2021 : Debug: Waking up in 2.9 seconds.
```
Full Debug log('radiusd -fxx'):
Yes the server is loading UDP servers as well because if the Azure loadbalancer would be able to forward the requests correctly(maybe in the next decade...), we would be able to allow those connections too.
```
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/mods-available/always
including configuration file /usr/local/etc/raddb/mods-available/attr_filter
including configuration file /usr/local/etc/raddb/mods-available/date
including configuration file /usr/local/etc/raddb/mods-available/detail
including configuration file /usr/local/etc/raddb/mods-available/detail.log
including configuration file /usr/local/etc/raddb/mods-available/eap
including configuration file /usr/local/etc/raddb/mods-available/echo
including configuration file /usr/local/etc/raddb/mods-available/exec
including configuration file /usr/local/etc/raddb/mods-available/expiration
including configuration file /usr/local/etc/raddb/mods-available/expr
including configuration file /usr/local/etc/raddb/mods-available/logintime
including configuration file /usr/local/etc/raddb/mods-available/preprocess
including configuration file /usr/local/etc/raddb/mods-available/unix
including configuration file /usr/local/etc/raddb/mods-available/utf8
including configuration file /usr/local/etc/raddb/mods-available/linelog
including configuration file /usr/local/etc/raddb/mods-available/rest
including configuration file /usr/local/etc/raddb/mods-available/python3
including configuration file /usr/local/etc/raddb/mods-available/inner-eap
including configuration file /usr/local/etc/raddb/mods-available/mschap
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/sites-available/check-eap-tls
including configuration file /usr/local/etc/raddb/sites-available/virt-serv
including configuration file /usr/local/etc/raddb/sites-available/radsec-serv
including configuration file /usr/local/etc/raddb/sites-available/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/var/log/freeradius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/freeradius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/freeradius/accounting"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 5300000
postauth_client_lost = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = no
allow_vulnerable_openssl = "CVE-2016-6304"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
Found debugger attached
# Creating Auth-Type = eap
# Creating Auth-Type = inner-eap
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-available/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-available/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-available/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-available/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-available/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-available/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-available/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-available/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-available/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-available/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-available/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-available/detail
detail {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail auth_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail reply_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-available/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5300000
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-available/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-available/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-available/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-available/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-available/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-available/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-available/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-available/utf8
# Loaded module rlm_linelog
# Loading module "log_reply" from file /usr/local/etc/raddb/mods-available/linelog
linelog log_reply {
filename = "/var/log/freeradius/radius-test-detail-log.json"
escape_filenames = no
syslog_severity = "info"
permissions = 420
format = "%t Log for %{jsonquote:%{User-Name}}"
reference = "messages.%{%{reply:Packet-Type}:-format}"
}
# Loading module "log_general_message" from file /usr/local/etc/raddb/mods-available/linelog
linelog log_general_message {
filename = "/var/log/freeradius/radius-test-detail-log.json"
escape_filenames = no
syslog_severity = "info"
permissions = 420
format = "%t Log for %{jsonquote:%{User-Name}}"
reference = "messages.%{%{Packet-Type}:-format}"
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/etc/raddb/mods-available/rest
rest {
connect_timeout = 4.000000
http_negotiation = "default"
}
# Loaded module rlm_python3
# Loading module "python3" from file /usr/local/etc/raddb/mods-available/python3
python3 {
mod_instantiate = "python-magic"
func_instantiate = "instantiate"
mod_authorize = "python-magic"
func_authorize = "authorize"
mod_authenticate = "python-magic"
func_authenticate = "authenticate"
mod_post_auth = "python-magic"
func_post_auth = "post_auth"
python_path = "/etc/raddb/mods-config/python3"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = yes
}
# Loading module "inner-eap" from file /usr/local/etc/raddb/mods-available/inner-eap
eap inner-eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5300000
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-available/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-available/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-available/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-available/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
virtual_server = "check-eap-tls"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/servercert.key"
certificate_file = "/etc/raddb/servercert.pem"
ca_file = "/etc/raddb/ca.crt"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = yes
ecdh_curve = "secp384r1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 2
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-available/expiration
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-available/logintime
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-available/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "log_reply" from file /usr/local/etc/raddb/mods-available/linelog
# Instantiating module "log_general_message" from file /usr/local/etc/raddb/mods-available/linelog
# Instantiating module "rest" from file /usr/local/etc/raddb/mods-available/rest
rlm_rest: libcurl version: libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
rlm_rest (rest): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_rest (rest): Opening additional connection (0), 1 of 10 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (1), 1 of 9 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (2), 1 of 8 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (3), 1 of 7 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (4), 1 of 6 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
# Instantiating module "python3" from file /usr/local/etc/raddb/mods-available/python3
Python version: 3.8.5 (default, May 27 2021, 13:30:53) [GCC 9.3.0]
# Instantiating module "inner-eap" from file /usr/local/etc/raddb/mods-available/inner-eap
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-available/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server check-eap-tls { # from file /usr/local/etc/raddb/sites-available/check-eap-tls
# Loading authorize {...}
} # server check-eap-tls
server test { # from file /usr/local/etc/raddb/sites-available/virt-serv
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server test
server test-radsec { # from file /usr/local/etc/raddb/sites-available/radsec-serv
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server test-radsec
server inner-tunnel { # from file /usr/local/etc/raddb/sites-available/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type MS-CHAP for attr Auth-Type
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
thread pool {
start_servers = 3
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 300
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
client test {
ipaddr = *
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "test"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth+acct"
ipaddr = *
port = 2083
proto = "tcp"
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/servercert-radsec.key"
certificate_file = "/etc/raddb/servercert-radsec.pem"
ca_file = "/etc/raddb/ca-radsec.crt"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = yes
require_client_cert = yes
ecdh_curve = "secp384r1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 2
softfail = yes
}
}
check_client_connections = no
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
client test-radsec {
ipaddr = *
require_message_authenticator = yes
secret = <<< secret >>>
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server test
Listening on acct address * port 1813 bound to server test
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server test-radsec
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
... new connection request on TCP socket
Listening on auth+acct from client (10.244.11.70, 37068) -> (*, 2083, virtual-server=test-radsec)
Waking up in 0.3 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) Non-TLS data sent to TLS socket: closing
Closing TLS socket from client port 37068
Client has closed connection
... shutting down socket auth+acct from client (10.244.11.70, 37068) -> (*, 2083, virtual-server=test-radsec)
Waking up in 2.9 seconds.
```
Regards,
Lineconnect
More information about the Freeradius-Users
mailing list