FreeRADIUS v4 test Segfault
Fabrice Durand
fdurand at inverse.ca
Wed Apr 20 19:30:20 UTC 2022
Hello All,
I started to play with FreeRADIUS v4 and I use the Dockerfile (Debian 11) in order to have the latest FreeRADIUS v4 version (last commit id) running.
The only thing I changed from the default configuration is the clients.conf file, just to add my source IP:
```
client test {
	ipaddr = 172.17.0.1
	secret = testing123
}
```
I did a simple test with eapol_test with a fake account and it ended with a segfault.
```
eapol_test -c v4_peap_user.conf -s testing123 -a 172.17.0.1 -M de:ad:be:ef:42:42 -N 30:s:00:11:22:33:44:55:UConnect -N4:x:c0a80001
```
v4_peap_user.conf:
```
network={
	ssid="UConnect"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="testuser@testuser.ca"
	anonymous_identity="testuser@testuser.ca"
	password="strongestpasswordintheworld"
	phase2="autheap=MSCHAPV2"
	#
	# Uncomment the following to perform server certificate validation.
	# ca_cert="/etc/raddb/certs/ca.der"
}
```
```
(6.0) eap.peap - Virtual server (null) received request
(6.0) eap.peap - EAP-Identity = "testuser@testuser.ca"
(6.0) eap.peap - EAP-Type = PEAP
(6.0) eap.peap - server (null) {
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 2 frames:
/opt/freeradius/lib/libfreeradius-util.so(fr_fault+0xe8)[0x7f6ea5a1106b]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x14140)[0x7f6ea5797140]
No panic action set
_EXIT(139) CALLED src/lib/util/debug.c[1052]
```
Not sure what happened exactly, but can it be a configuration issue, or is it too early to start testing FreeRADIUS 4?
Thanks
Regards
Fabrice
```
root@d8616b73313c:/opt/freeradius# ./sbin/radiusd -X
Info : FreeRADIUS Version 4.0.0
Info : Copyright 1999-2022 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Getting debug state failed: ptrace capability not set. If debugger detection is required run as root or: setcap cap_sys_ptrace+ep <path_to_binary>
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/opt/freeradius/etc/raddb/dictionary"
including configuration file /opt/freeradius/etc/raddb/radiusd.conf
Including files in directory "/opt/freeradius/etc/raddb/template.d/"
including configuration file /opt/freeradius/etc/raddb/template.d/default
including configuration file /opt/freeradius/etc/raddb/clients.conf
Including files in directory "/opt/freeradius/etc/raddb/mods-enabled/"
including configuration file /opt/freeradius/etc/raddb/mods-enabled/always
including configuration file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
including configuration file /opt/freeradius/etc/raddb/mods-enabled/cache_eap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/chap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/client
including configuration file /opt/freeradius/etc/raddb/mods-enabled/delay
including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail
including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail.log
including configuration file /opt/freeradius/etc/raddb/mods-enabled/digest
including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap_inner
including configuration file /opt/freeradius/etc/raddb/mods-enabled/echo
including configuration file /opt/freeradius/etc/raddb/mods-enabled/escape
including configuration file /opt/freeradius/etc/raddb/mods-enabled/exec
including configuration file /opt/freeradius/etc/raddb/mods-enabled/expr
including configuration file /opt/freeradius/etc/raddb/mods-enabled/files
including configuration file /opt/freeradius/etc/raddb/mods-enabled/linelog
including configuration file /opt/freeradius/etc/raddb/mods-enabled/logintime
including configuration file /opt/freeradius/etc/raddb/mods-enabled/mschap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth
including configuration file /opt/freeradius/etc/raddb/mods-enabled/pap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/passwd
including configuration file /opt/freeradius/etc/raddb/mods-enabled/radutmp
including configuration file /opt/freeradius/etc/raddb/mods-enabled/soh
including configuration file /opt/freeradius/etc/raddb/mods-enabled/sradutmp
including configuration file /opt/freeradius/etc/raddb/mods-enabled/stats
including configuration file /opt/freeradius/etc/raddb/mods-enabled/unix
including configuration file /opt/freeradius/etc/raddb/mods-enabled/unpack
including configuration file /opt/freeradius/etc/raddb/mods-enabled/utf8
Including files in directory "/opt/freeradius/etc/raddb/policy.d/"
including configuration file /opt/freeradius/etc/raddb/policy.d/abfab-tr
including configuration file /opt/freeradius/etc/raddb/policy.d/accounting
including configuration file /opt/freeradius/etc/raddb/policy.d/canonicalisation
including configuration file /opt/freeradius/etc/raddb/policy.d/control
including configuration file /opt/freeradius/etc/raddb/policy.d/cui
including configuration file /opt/freeradius/etc/raddb/policy.d/debug
including configuration file /opt/freeradius/etc/raddb/policy.d/dhcp
including configuration file /opt/freeradius/etc/raddb/policy.d/eap
including configuration file /opt/freeradius/etc/raddb/policy.d/filter
including configuration file /opt/freeradius/etc/raddb/policy.d/operator-name
including configuration file /opt/freeradius/etc/raddb/policy.d/tacacs
including configuration file /opt/freeradius/etc/raddb/policy.d/time
including configuration file /opt/freeradius/etc/raddb/policy.d/vendor
Including files in directory "/opt/freeradius/etc/raddb/sites-enabled/"
including configuration file /opt/freeradius/etc/raddb/sites-enabled/default
Loaded module "process_radius"
Loaded module "proto_radius"
including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
prefix = /opt/freeradius
security {
allow_core_dumps = no
allow_vulnerable_openssl = yes
openssl_fips_mode = no
}
name = radiusd
local_state_dir = "/opt/freeradius/var"
run_dir = /opt/freeradius/var/run/radiusd
}
Parsing main configuration.
main {
server default {
namespace = radius
radius {
Access-Request {
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
session {
timeout = 15
max = 4096
}
}
}
listen {
type = Access-Request
type = Status-Server
transport = udp
Loaded module "proto_radius_udp"
udp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.068619887
idle_timeout = 60.068619887
nak_lifetime = 30.068619887
max_connections = 256
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen {
type = Access-Request
type = Status-Server
transport = tcp
Loaded module "proto_radius_tcp"
tcp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 16.70678144
idle_timeout = 36.719805145
nak_lifetime = 37.379572924
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen {
type = Accounting-Request
transport = udp
udp {
ipaddr = *
port = 1813
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 21.384014109
idle_timeout = 41.397037814
nak_lifetime = 42.056805593
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
server inner-tunnel {
namespace = radius
radius {
Access-Request {
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
session {
timeout = 15
max = 4096
}
}
}
listen {
type = Access-Request
transport = udp
udp {
ipaddr = 127.0.0.1
port = 18120
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 16.966142743
idle_timeout = 36.979166448
nak_lifetime = 37.638934227
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
security {
}
sbin_dir = "/opt/freeradius/sbin"
logdir = /opt/freeradius/var/log/radius
radacctdir = /opt/freeradius/var/log/radius/radacct
reverse_lookups = no
hostname_lookups = yes
max_request_time = 30
pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid
debug_level = 0
max_requests = 16384
log {
colourise = yes
}
resources {
}
thread pool {
num_networks = 1
num_workers = 0
Setting thread.workers = 2
openssl_async_pool_init = 64
openssl_async_pool_max = 1024
}
}
Switching to configured log settings
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
proto = *
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test {
ipaddr = 172.17.0.1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debug state unknown (cap_sys_ptrace capability not set)
systemd watchdog is disabled
pre-suid-down capabilities: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
trigger { ... } subsection not found, triggers will be disabled
#### Bootstrapping listeners ####
client localhost {
ipaddr = 192.0.2.1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
shortname = sample
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Creating Auth-Type = pap
Creating Auth-Type = chap
Creating Auth-Type = mschap
Creating Auth-Type = digest
Creating Auth-Type = ldap
Creating Auth-Type = eap
#### Bootstrapping modules ####
modules {
Loaded module "rlm_always"
always reject {
rcode = reject
simulcount = 0
mpp = no
}
Bootstrapping module "reject"
always fail {
rcode = fail
simulcount = 0
mpp = no
}
Bootstrapping module "fail"
always ok {
rcode = ok
simulcount = 0
mpp = no
}
Bootstrapping module "ok"
always handled {
rcode = handled
simulcount = 0
mpp = no
}
Bootstrapping module "handled"
always invalid {
rcode = invalid
simulcount = 0
mpp = no
}
Bootstrapping module "invalid"
always disallow {
rcode = disallow
simulcount = 0
mpp = no
}
Bootstrapping module "disallow"
always notfound {
rcode = notfound
simulcount = 0
mpp = no
}
Bootstrapping module "notfound"
always noop {
rcode = noop
simulcount = 0
mpp = no
}
Bootstrapping module "noop"
always updated {
rcode = updated
simulcount = 0
mpp = no
}
Bootstrapping module "updated"
Loaded module "rlm_attr_filter"
attr_filter attr_filter.pre-proxy {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
key = "%{User-Name}"
relaxed = no
}
Loaded module "rlm_cache"
cache cache_eap {
driver = rbtree
Loaded module "rlm_cache_rbtree"
key = "%{%{control.State}:-%{%{reply.State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Bootstrapping module "cache_eap"
Loaded module "rlm_chap"
Loaded module "rlm_client"
Loaded module "rlm_delay"
delay {
delay = 1.0
relative = no
force_reschedule = no
}
Bootstrapping module "delay"
delay delay_reject {
delay = "%{%{reply.FreeRADIUS-Response-Delay}:-1}"
relative = yes
force_reschedule = no
}
Bootstrapping module "delay_reject"
Loaded module "rlm_detail"
detail {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
Loaded module "rlm_digest"
Loaded module "rlm_eap"
eap {
require_identity_realm = nai
type = md5
Loaded module "rlm_eap_md5"
type = gtc
Loaded module "rlm_eap_gtc"
gtc {
challenge = "Password: "
auth_type = PAP
}
type = tls
Loaded module "rlm_eap_tls"
tls {
tls = tls-common
require_client_cert = yes
include_length = yes
}
type = ttls
Loaded module "rlm_eap_ttls"
ttls {
tls = tls-common
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
type = mschapv2
Loaded module "rlm_eap_mschapv2"
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = peap
Loaded module "rlm_eap_peap"
peap {
tls = tls-common
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
ignore_unknown_eap_types = no
}
Bootstrapping module "eap"
eap inner-eap {
require_identity_realm = nai
default_eap_type = mschapv2
type = md5
type = gtc
gtc {
challenge = "Password: "
auth_type = PAP
}
type = mschapv2
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = tls
tls {
tls = tls-peer
require_client_cert = yes
include_length = yes
}
ignore_unknown_eap_types = no
}
Bootstrapping module "inner-eap"
Loaded module "rlm_exec"
exec echo {
wait = yes
program = "/bin/echo Tmp-String-0 := %{User-Name}"
input_pairs = request
output_pairs = reply
shell_escape = yes
env_inherit = no
}
Bootstrapping module "echo"
Loaded module "rlm_escape"
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
Bootstrapping module "escape"
exec {
wait = yes
input_pairs = request
shell_escape = yes
env_inherit = no
timeout = 10
}
Bootstrapping module "exec"
Loaded module "rlm_expr"
Bootstrapping module "expr"
Loaded module "rlm_files"
files {
filename = /opt/freeradius/etc/raddb/mods-config/files/authorize
acctusersfile = /opt/freeradius/etc/raddb/mods-config/files/accounting
key = "%{%{Stripped-User-Name}:-%{User-Name}}"
}
Loaded module "rlm_linelog"
linelog {
destination = file
delimiter = "\n"
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply.Packet-Type}:-default}"
file {
filename = /opt/freeradius/var/log/radius/linelog
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
server = localhost IPv4 address [127.0.0.1]
port = 514
timeout = 7.284352243
}
udp {
server = localhost IPv4 address [127.0.0.1]
port = 514
timeout = 4.749470769
}
}
linelog log_accounting {
destination = file
delimiter = "\n"
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
file {
filename = /opt/freeradius/var/log/radius/linelog-accounting
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
Loaded module "rlm_logintime"
logintime {
minimum_timeout = 60
}
Loaded module "rlm_mschap"
mschap {
normalise = yes
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind {
retry_with_normalised_username = no
}
}
Bootstrapping module "mschap"
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%(mschap:User-Name) --password=%{User-Password}"
shell_escape = yes
env_inherit = no
}
Bootstrapping module "ntlm_auth"
Loaded module "rlm_pap"
pap {
normalise = yes
}
Loaded module "rlm_passwd"
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loaded module "rlm_radutmp"
radutmp {
filename = /opt/freeradius/var/log/radius/radutmp
username = "%{User-Name}"
check_with_nas = yes
permissions = 384
caller_id = no
}
Loaded module "rlm_soh"
soh {
dhcp = yes
}
Bootstrapping module "soh"
radutmp sradutmp {
filename = /opt/freeradius/var/log/radius/sradutmp
username = "%{User-Name}"
check_with_nas = yes
permissions = 420
caller_id = no
}
Loaded module "rlm_stats"
stats {
}
Loaded module "rlm_unix"
unix {
}
Bootstrapping module "unix"
Creating attribute Unix-Group
Loaded module "rlm_unpack"
Bootstrapping module "unpack"
Loaded module "rlm_utf8"
} # modules
#### Instantiating listeners ####
Compiling policies in server default { ... }
Compiling policies in - recv Access-Request {...}
/opt/freeradius/etc/raddb/sites-enabled/default[795]: Ignoring "-sql" as the "sql" module is not enabled.
/opt/freeradius/etc/raddb/sites-enabled/default[811]: Ignoring "-ldap" as the "ldap" module is not enabled.
Compiling policies in - send Access-Accept {...}
/opt/freeradius/etc/raddb/sites-enabled/default[1122]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Challenge {...}
Compiling policies in - send Access-Reject {...}
/opt/freeradius/etc/raddb/sites-enabled/default[1239]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Response {...}
/opt/freeradius/etc/raddb/sites-enabled/default[1458]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - recv Status-Server {...}
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate digest {...}
Compiling policies in - authenticate ldap {...}
/opt/freeradius/etc/raddb/sites-enabled/default[981]: Ignoring "-ldap" as the "ldap" module is not enabled.
Compiling policies in - authenticate eap {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Stop {...}
Compiling policies in - accounting Alive {...}
Compiling policies in - accounting Accounting-On {...}
Compiling policies in - accounting Accounting-Off {...}
Compiling policies in - accounting Failed {...}
/opt/freeradius/etc/raddb/sites-enabled/default[80]: radius { ... } section is unused
Compiling policies in server inner-tunnel { ... }
Compiling policies in - recv Access-Request {...}
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled.
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[134]: Ignoring "-ldap" as the "ldap" module is not enabled.
Compiling policies in - send Access-Accept {...}
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[269]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Reject {...}
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[304]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate eap {...}
src/lib/server/virtual_servers.c[380]: radius { ... } section is unused
#### Instantiating modules ####
Instantiating module "attr_filter.access_challenge"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
Instantiating module "attr_filter.access_reject"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject
Instantiating module "attr_filter.accounting_response"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
Instantiating module "attr_filter.post-proxy"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
Instantiating module "attr_filter.pre-proxy"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating module "auth_log"
auth_log - 'User-Password' suppressed, will not appear in detail output
Instantiating module "cache_eap"
Instantiating module "chap"
Instantiating module "detail"
Instantiating module "digest"
Instantiating module "disallow"
Instantiating module "eap"
Instantiating module "echo"
Instantiating module "etc_passwd"
Instantiating module "exec"
Instantiating module "fail"
Instantiating module "files"
Reading file /opt/freeradius/etc/raddb/mods-config/files/authorize
Reading file /opt/freeradius/etc/raddb/mods-config/files/accounting
Instantiating module "handled"
Instantiating module "inner-eap"
inner-eap - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work
Instantiating module "invalid"
Instantiating module "linelog"
Instantiating module "log_accounting"
Instantiating module "logintime"
Instantiating module "mschap"
mschap - Using internal authentication
Instantiating module "noop"
Instantiating module "notfound"
Instantiating module "ntlm_auth"
Instantiating module "ok"
Instantiating module "pap"
Instantiating module "post_proxy_log"
Instantiating module "pre_proxy_log"
Instantiating module "reject"
Instantiating module "reply_log"
Instantiating module "stats"
Instantiating module "updated"
Instantiating module "cache_eap.rbtree"
Instantiating module "eap.mschapv2"
Instantiating module "eap.peap"
tls-config tls-common {
chain rsa {
format = pem
certificate_file = /opt/freeradius/etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /opt/freeradius/etc/raddb/certs/rsa/server.key
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /opt/freeradius/etc/raddb/certs
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
dh_file = /opt/freeradius/etc/raddb/certs/dh
fragment_size = 1024
cipher_list = "DEFAULT"
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = prime256v1
tls_min_version = 1.200000
session {
mode = auto
name = "%{EAP-Type}%{Virtual-Server}"
lifetime = 86400
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
Instantiating module "eap.tls"
tls - Using cached TLS configuration from previous invocation
Instantiating module "eap.ttls"
tls - Using cached TLS configuration from previous invocation
Instantiating module "inner-eap.mschapv2"
Instantiating module "inner-eap.tls"
tls-config tls-peer {
chain {
format = pem
certificate_file = /opt/freeradius/etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /opt/freeradius/etc/raddb/certs/rsa/server.key
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /opt/freeradius/etc/raddb/certs
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
dh_file = /opt/freeradius/etc/raddb/certs/dh
fragment_size = 16384
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = "prime256v1"
tls_min_version = 1.200000
session {
mode = auto
name = "%{EAP-Type}%{Virtual-Server}"
lifetime = 86400
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on radius_udp server * port 1812 bound to virtual server default
Listening on radius_tcp server * port 1812 bound to virtual server default
Listening on radius_udp server * port 1813 bound to virtual server default
Listening on radius_udp server 127.0.0.1 port 18120 bound to virtual server inner-tunnel
post-suid-down capabilities: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Ready to process requests
proto_radius_udp - Received Access-Request ID 0 length 182 radius_udp server * port 1812
Worker - Resetting cleanup timer to +30
(0) default {
(0) Received Access-Request ID 0 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(0) User-Name = "testuser@testuser.ca"
(0) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(0) NAS-IP-Address = 192.168.0.1
(0) EAP-Message = 0x02e100190174657374757365724074657374757365722e6361
(0) Message-Authenticator = 0x0974fe1b57a5e18d67d63ebca3cca28b
(0) Packet-Type = Access-Request
(0) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) recv Access-Request {
(0) policy filter_username {
(0) if (&State) {
(0) ...
(0) }
(0) elsif (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) ...
(0) }
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) ...
(0) }
(0) if (&User-Name =~ /\.\./ ) {
(0) ...
(0) }
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(0) ...
(0) }
(0) if (&User-Name =~ /\.$/) {
(0) ...
(0) }
(0) if (&User-Name =~ /@\./) {
(0) ...
(0) }
(0) update session-state {
(0) &Session-State-User-Name := &User-Name -> "testuser@testuser.ca"
(0) } # update session-state (noop)
(0) } # elsif (&User-Name) (noop)
(0) } # policy filter_username (noop)
(0) chap (noop)
(0) mschap (noop)
(0) digest (noop)
(0) eap - Peer sent EAP Response (code 2) ID 225 length 25
(0) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(0) eap - Setting &control.Auth-Type = eap
(0) eap (ok)
(0) } # recv Access-Request (ok)
(0) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) authenticate eap {
(0) eap - New EAP session started
(0) eap - Peer sent packet with EAP method Identity (1)
(0) eap - Calling submodule eap_md5
(0) subrequest {
(0.0) eap.md5 - Issuing MD5 Challenge
(0.0) eap.md5 (handled)
(0) subrequest - Resuming execution
(0) } # subrequest (noop)
(0) eap - Sending EAP Request (code 1) ID 226 length 22
(0) eap (handled)
(0) } # authenticate eap (handled)
(0) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) send Access-Challenge {
(0) attr_filter.access_challenge - EXPAND %{User-Name}
(0) attr_filter.access_challenge - --> testuser@testuser.ca
(0) attr_filter.access_challenge - --> testuser@testuser.ca
(0) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(0) attr_filter.access_challenge.post-auth (updated)
(0) handled (handled)
(0) } # send Access-Challenge (handled)
(0) radius - Saving &session-state
(0) radius - &session-state.Session-State-User-Name = "testuser@testuser.ca"
(0) radius (ok)
(0) } # default (ok)
(0) Done request
(0) Sending Access-Challenge ID 0 from 172.17.0.2:1812 to 172.17.0.1:49022 length 80 via socket radius_udp server * port 1812
(0) EAP-Message = 0x01e200160410cf1c6b1980299aa0d90419f575e2436d
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x01018d0013280e7289558d518d7bb3b9
(0) Packet-Type = Access-Challenge
(0) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 1 length 181 radius_udp server * port 1812
(1) default {
(1) Received Access-Request ID 1 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(1) User-Name = "testuser@testuser.ca"
(1) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(1) NAS-IP-Address = 192.168.0.1
(1) EAP-Message = 0x02e200060319
(1) State = 0x01018d0013280e7289558d518d7bb3b9
(1) Message-Authenticator = 0x497720a6d791a595ceaa6044754cf031
(1) Packet-Type = Access-Request
(1) Restored &session-state
(1) &session-state.Session-State-User-Name = "testuser@testuser.ca"
(1) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) recv Access-Request {
(1) policy filter_username {
(1) if (&State) {
(1) if (&User-Name) {
(1) if (!&session-state.Session-State-User-Name) {
(1) ...
(1) }
(1) if (&User-Name != &session-state.Session-State-User-Name) {
(1) ...
(1) }
(1) } # if (&User-Name) (noop)
(1) } # if (&State) (noop)
(1) } # policy filter_username (noop)
(1) chap (noop)
(1) mschap (noop)
(1) digest (noop)
(1) eap - Peer sent EAP Response (code 2) ID 226 length 6
(1) eap - Continuing on-going EAP conversation
(1) eap - Setting &control.Auth-Type = eap
(1) eap (updated)
(1) files - EXPAND %{Stripped-User-Name}
(1) files - -->
(1) files - EXPAND %{User-Name}
(1) files - --> testuser@testuser.ca
(1) files - EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(1) files - --> testuser@testuser.ca
(1) files (noop)
(1) policy expiration {
(1) if (&control.Expiration) {
(1) ...
(1) }
(1) } # policy expiration (updated)
(1) logintime (noop)
(1) pap (noop)
(1) } # recv Access-Request (updated)
(1) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) authenticate eap {
(1) eap - Continuing EAP session
(1) eap - Peer sent packet with EAP method NAK (3)
(1) eap - Calling submodule eap_peap
(1) subrequest {
(1.0) eap.peap - Initiating new TLS session
(1.0) eap.peap - EXPAND %{EAP-Type}
(1.0) eap.peap - --> PEAP
(1.0) eap.peap - EXPAND %{Virtual-Server}
(1.0) eap.peap - -->
(1.0) eap.peap (handled)
(1) subrequest - Resuming execution
(1) } # subrequest (noop)
(1) eap - Sending EAP Request (code 1) ID 227 length 6
(1) eap (handled)
(1) } # authenticate eap (handled)
(1) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) send Access-Challenge {
(1) attr_filter.access_challenge - EXPAND %{User-Name}
(1) attr_filter.access_challenge - --> testuser@testuser.ca
(1) attr_filter.access_challenge - --> testuser@testuser.ca
(1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(1) attr_filter.access_challenge.post-auth (updated)
(1) handled (handled)
(1) } # send Access-Challenge (handled)
(1) radius - Saving &session-state
(1) radius - &session-state.Session-State-User-Name = "testuser at testuser.ca"
(1) radius (ok)
(1) } # default (ok)
(1) Done request
(1) Sending Access-Challenge ID 1 from 172.17.0.2:1812 to 172.17.0.1:49022 length 64 via socket radius_udp server * port 1812
(1) EAP-Message = 0x01e300061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x02038d008bd3a65c89558d518d7bb3b9
(1) Packet-Type = Access-Challenge
(1) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 2 length 375 radius_udp server * port 1812
(2) default {
(2) Received Access-Request ID 2 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(2) User-Name = "testuser at testuser.ca"
(2) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(2) NAS-IP-Address = 192.168.0.1
(2) EAP-Message = 0x02e300c81980000000be16030100b9010000b5030340c75eff9a2146e20efd7538a0308ec6ed2d6df3a09d48d5f53abb65ccdaf553000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(2) State = 0x02038d008bd3a65c89558d518d7bb3b9
(2) Message-Authenticator = 0xf0aedc9cd95dfc616efb7c16b85ac4ca
(2) Packet-Type = Access-Request
(2) Restored &session-state
(2) &session-state.Session-State-User-Name = "testuser at testuser.ca"
(2) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) recv Access-Request {
(2) policy filter_username {
(2) if (&State) {
(2) if (&User-Name) {
(2) if (!&session-state.Session-State-User-Name) {
(2) ...
(2) }
(2) if (&User-Name != &session-state.Session-State-User-Name) {
(2) ...
(2) }
(2) } # if (&User-Name) (noop)
(2) } # if (&State) (noop)
(2) } # policy filter_username (noop)
(2) chap (noop)
(2) mschap (noop)
(2) digest (noop)
(2) eap - Peer sent EAP Response (code 2) ID 227 length 200
(2) eap - Continuing tunnel setup
(2) eap - Setting &control.Auth-Type = eap
(2) eap (ok)
(2) } # recv Access-Request (ok)
(2) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) authenticate eap {
(2) eap - Continuing EAP session
(2) eap - Peer sent packet with EAP method PEAP (25)
(2) eap - Calling submodule eap_peap
(2) subrequest {
(2.0) eap.peap - Continuing EAP-TLS
(2.0) eap.peap - Peer indicated complete TLS record size will be 190 bytes
(2.0) eap.peap - Got complete TLS record, with length field (190 bytes)
(2.0) eap.peap - [eap-tls verify] = complete
(2.0) Handshake state - before SSL initialization (0)
(2.0) Handshake state - Server before SSL initialization (0)
(2.0) Handshake state - Server before SSL initialization (0)
(2.0) <<< recv TLS 1.3, handshake[length 185], client_hello
(2.0) Allowing future session-resumption
(2.0) Handshake state - Server SSLv3/TLS read client hello (20)
(2.0) >>> send TLS 1.2, handshake[length 61], server_hello
(2.0) Handshake state - Server SSLv3/TLS write server hello (22)
(2.0) >>> send TLS 1.2, handshake[length 1397], certificate
(2.0) Handshake state - Server SSLv3/TLS write certificate (23)
(2.0) >>> send TLS 1.2, handshake[length 333], server_key_exchange
(2.0) Handshake state - Server SSLv3/TLS write key exchange (24)
(2.0) >>> send TLS 1.2, handshake[length 4], server_hello_done
(2.0) Handshake state - Server SSLv3/TLS write server done (26)
(2.0) Need more data from client
(2.0) SSL_read (tls_session_async_handshake_cont) - SSL_ERROR_WANT_READ (2)
(2.0) Complete TLS record (1815 bytes) larger than MTU (990 bytes), will fragment
(2.0) Sending first TLS record fragment (990 bytes), 825 bytes remaining
(2.0) eap.peap - [eap-tls process] = handled
(2.0) eap.peap (handled)
(2) subrequest - Resuming execution
(2) } # subrequest (noop)
(2) eap - Sending EAP Request (code 1) ID 228 length 1000
(2) eap (handled)
(2) } # authenticate eap (handled)
(2) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) send Access-Challenge {
(2) attr_filter.access_challenge - EXPAND %{User-Name}
(2) attr_filter.access_challenge - --> testuser at testuser.ca
(2) attr_filter.access_challenge - --> testuser at testuser.ca
(2) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(2) attr_filter.access_challenge.post-auth (updated)
(2) handled (handled)
(2) } # send Access-Challenge (handled)
(2) radius - Saving &session-state
(2) radius - &session-state.Session-State-User-Name = "testuser at testuser.ca"
(2) radius (ok)
(2) } # default (ok)
(2) Done request
(2) Sending Access-Challenge ID 2 from 172.17.0.2:1812 to 172.17.0.1:49022 length 1064 via socket radius_udp server * port 1812
(2) EAP-Message = 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
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x03018d0013280e7289558d518d7bb3b9
(2) Packet-Type = Access-Challenge
(2) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 3 length 181 radius_udp server * port 1812
(3) default {
(3) Received Access-Request ID 3 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(3) User-Name = "testuser at testuser.ca"
(3) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(3) NAS-IP-Address = 192.168.0.1
(3) EAP-Message = 0x02e400061900
(3) State = 0x03018d0013280e7289558d518d7bb3b9
(3) Message-Authenticator = 0x6828bc2a6be551813cfe294e29a7817d
(3) Packet-Type = Access-Request
(3) Restored &session-state
(3) &session-state.Session-State-User-Name = "testuser at testuser.ca"
(3) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) recv Access-Request {
(3) policy filter_username {
(3) if (&State) {
(3) if (&User-Name) {
(3) if (!&session-state.Session-State-User-Name) {
(3) ...
(3) }
(3) if (&User-Name != &session-state.Session-State-User-Name) {
(3) ...
(3) }
(3) } # if (&User-Name) (noop)
(3) } # if (&State) (noop)
(3) } # policy filter_username (noop)
(3) chap (noop)
(3) mschap (noop)
(3) digest (noop)
(3) eap - Peer sent EAP Response (code 2) ID 228 length 6
(3) eap - Continuing tunnel setup
(3) eap - Setting &control.Auth-Type = eap
(3) eap (ok)
(3) } # recv Access-Request (ok)
(3) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) authenticate eap {
(3) eap - Continuing EAP session
(3) eap - Peer sent packet with EAP method PEAP (25)
(3) eap - Calling submodule eap_peap
(3) subrequest {
(3.0) eap.peap - Continuing EAP-TLS
(3.0) eap.peap - Peer ACKed our handshake fragment
(3.0) eap.peap - [eap-tls verify] = request
(3.0) eap.peap - Sending final TLS record fragment (825 bytes)
(3.0) eap.peap - [eap-tls process] = handled
(3.0) eap.peap (handled)
(3) subrequest - Resuming execution
(3) } # subrequest (noop)
(3) eap - Sending EAP Request (code 1) ID 229 length 831
(3) eap (handled)
(3) } # authenticate eap (handled)
(3) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) send Access-Challenge {
(3) attr_filter.access_challenge - EXPAND %{User-Name}
(3) attr_filter.access_challenge - --> testuser at testuser.ca
(3) attr_filter.access_challenge - --> testuser at testuser.ca
(3) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(3) attr_filter.access_challenge.post-auth (updated)
(3) handled (handled)
(3) } # send Access-Challenge (handled)
(3) radius - Saving &session-state
(3) radius - &session-state.Session-State-User-Name = "testuser at testuser.ca"
(3) radius (ok)
(3) } # default (ok)
(3) Done request
(3) Sending Access-Challenge ID 3 from 172.17.0.2:1812 to 172.17.0.1:49022 length 895 via socket radius_udp server * port 1812
(3) EAP-Message = 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
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x04078d008bd3a65c89558d518d7bb3b9
(3) Packet-Type = Access-Challenge
(3) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 4 length 311 radius_udp server * port 1812
(4) default {
(4) Received Access-Request ID 4 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(4) User-Name = "testuser at testuser.ca"
(4) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(4) NAS-IP-Address = 192.168.0.1
(4) EAP-Message = 0x02e5008819800000007e1603030046100000424104af5f0fd9357c5f1ef85c44412ded07130f03214653071decbdd2423cb8d921a4f1fc02b262f63b1ac40dee0720d86e6327a0240932586a76dd4827c434e3bf0e1403030001011603030028f54dfcc389a7197acb64f4cac2ddd2e4602d8a8909d86a71b151adc37da7fa6fbf1625581506cb05
(4) State = 0x04078d008bd3a65c89558d518d7bb3b9
(4) Message-Authenticator = 0x5321739cd526678d61b3d552e3ea2aa0
(4) Packet-Type = Access-Request
(4) Restored &session-state
(4) &session-state.Session-State-User-Name = "testuser at testuser.ca"
(4) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) recv Access-Request {
(4) policy filter_username {
(4) if (&State) {
(4) if (&User-Name) {
(4) if (!&session-state.Session-State-User-Name) {
(4) ...
(4) }
(4) if (&User-Name != &session-state.Session-State-User-Name) {
(4) ...
(4) }
(4) } # if (&User-Name) (noop)
(4) } # if (&State) (noop)
(4) } # policy filter_username (noop)
(4) chap (noop)
(4) mschap (noop)
(4) digest (noop)
(4) eap - Peer sent EAP Response (code 2) ID 229 length 136
(4) eap - Continuing tunnel setup
(4) eap - Setting &control.Auth-Type = eap
(4) eap (ok)
(4) } # recv Access-Request (ok)
(4) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) authenticate eap {
(4) eap - Continuing EAP session
(4) eap - Peer sent packet with EAP method PEAP (25)
(4) eap - Calling submodule eap_peap
(4) subrequest {
(4.0) eap.peap - Continuing EAP-TLS
(4.0) eap.peap - Peer indicated complete TLS record size will be 126 bytes
(4.0) eap.peap - Got complete TLS record, with length field (126 bytes)
(4.0) eap.peap - [eap-tls verify] = complete
(4.0) Handshake state - Server SSLv3/TLS write server done (26)
(4.0) <<< recv TLS 1.2, handshake[length 70], client_key_exchange
(4.0) Handshake state - Server SSLv3/TLS read client key exchange (28)
(4.0) Handshake state - Server SSLv3/TLS read change cipher spec (31)
(4.0) <<< recv TLS 1.2, handshake[length 16], finished
(4.0) Handshake state - Server SSLv3/TLS read finished (32)
(4.0) >>> send TLS 1.2, change_cipher_spec[length 1]
(4.0) Handshake state - Server SSLv3/TLS write change cipher spec (35)
(4.0) >>> send TLS 1.2, handshake[length 16], finished
(4.0) Handshake state - Server SSLv3/TLS write finished (36)
(4.0) Handshake state - SSL negotiation finished successfully (1)
(4.0) SSL_read (tls_session_async_handshake_cont) - SSL_ERROR_WANT_READ (2)
(4.0) Cipher suite: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
(4.0) Adding TLS session information to request
(4.0) &session-state.TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4.0) &session-state.TLS-Session-Version := "TLS 1.2"
(4.0) Sending complete TLS record (51 bytes)
(4.0) eap.peap - [eap-tls process] = handled
(4.0) eap.peap (handled)
(4) subrequest - Resuming execution
(4) } # subrequest (noop)
(4) eap - Sending EAP Request (code 1) ID 230 length 57
(4) eap (handled)
(4) } # authenticate eap (handled)
(4) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) send Access-Challenge {
(4) attr_filter.access_challenge - EXPAND %{User-Name}
(4) attr_filter.access_challenge - --> testuser at testuser.ca
(4) attr_filter.access_challenge - --> testuser at testuser.ca
(4) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(4) attr_filter.access_challenge.post-auth (updated)
(4) handled (handled)
(4) } # send Access-Challenge (handled)
(4) radius - Saving &session-state
(4) radius - &session-state.Session-State-User-Name = "testuser at testuser.ca"
(4) radius (ok)
(4) } # default (ok)
(4) Done request
(4) Sending Access-Challenge ID 4 from 172.17.0.2:1812 to 172.17.0.1:49022 length 115 via socket radius_udp server * port 1812
(4) EAP-Message = 0x01e600391900140303000101160303002855e89feef9aefa2d98c2a520be9d5ba60e5becc07fd359d0f164a8ac94bb6c198ab372d7cf082a1f
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x05018d0013280e7289558d518d7bb3b9
(4) Packet-Type = Access-Challenge
(4) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 5 length 181 radius_udp server * port 1812
(5) default {
(5) Received Access-Request ID 5 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(5) User-Name = "testuser at testuser.ca"
(5) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(5) NAS-IP-Address = 192.168.0.1
(5) EAP-Message = 0x02e600061900
(5) State = 0x05018d0013280e7289558d518d7bb3b9
(5) Message-Authenticator = 0xaa9bd0de2ab4c9a24039a10d8964adf3
(5) Packet-Type = Access-Request
(5) Restored &session-state
(5) &session-state.Session-State-User-Name = "testuser at testuser.ca"
(5) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) recv Access-Request {
(5) policy filter_username {
(5) if (&State) {
(5) if (&User-Name) {
(5) if (!&session-state.Session-State-User-Name) {
(5) ...
(5) }
(5) if (&User-Name != &session-state.Session-State-User-Name) {
(5) ...
(5) }
(5) } # if (&User-Name) (noop)
(5) } # if (&State) (noop)
(5) } # policy filter_username (noop)
(5) chap (noop)
(5) mschap (noop)
(5) digest (noop)
(5) eap - Peer sent EAP Response (code 2) ID 230 length 6
(5) eap - Continuing tunnel setup
(5) eap - Setting &control.Auth-Type = eap
(5) eap (ok)
(5) } # recv Access-Request (ok)
(5) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) authenticate eap {
(5) eap - Continuing EAP session
(5) eap - Peer sent packet with EAP method PEAP (25)
(5) eap - Calling submodule eap_peap
(5) subrequest {
(5.0) eap.peap - Continuing EAP-TLS
(5.0) eap.peap - Peer ACKed our handshake fragment. handshake is finished
(5.0) eap.peap - [eap-tls verify] = established
(5.0) eap.peap - [eap-tls process] = established
(5.0) eap.peap - Session established. Decoding tunneled data
(5.0) eap.peap - PEAP state TUNNEL ESTABLISHED
(5.0) eap.peap - TLS application data to encrypt (5 bytes)
(5.0) eap.peap - Sending complete TLS record (34 bytes)
(5.0) eap.peap (handled)
(5) subrequest - Resuming execution
(5) } # subrequest (noop)
(5) eap - Sending EAP Request (code 1) ID 231 length 40
(5) eap (handled)
(5) } # authenticate eap (handled)
(5) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) send Access-Challenge {
(5) attr_filter.access_challenge - EXPAND %{User-Name}
(5) attr_filter.access_challenge - --> testuser at testuser.ca
(5) attr_filter.access_challenge - --> testuser at testuser.ca
(5) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(5) attr_filter.access_challenge.post-auth (updated)
(5) handled (handled)
(5) } # send Access-Challenge (handled)
(5) radius - Saving &session-state
(5) radius - &session-state.Session-State-User-Name = "testuser at testuser.ca"
(5) radius (ok)
(5) } # default (ok)
(5) Done request
(5) Sending Access-Challenge ID 5 from 172.17.0.2:1812 to 172.17.0.1:49022 length 98 via socket radius_udp server * port 1812
(5) EAP-Message = 0x01e700281900170303001d55e89feef9aefa2eddf781269ef2298c0b711bd2d99a629cc468e62cca
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x06038d008bd3a65c89558d518d7bb3b9
(5) Packet-Type = Access-Challenge
(5) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 6 length 231 radius_udp server * port 1812
(6) default {
(6) Received Access-Request ID 6 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(6) User-Name = "testuser at testuser.ca"
(6) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(6) NAS-IP-Address = 192.168.0.1
(6) EAP-Message = 0x02e700381900170303002df54dfcc389a7197b019fe17a87ecd0b81c18c14ca1e4037c6fe4b296706a65ddb4acef536fc00eb2744373cacb
(6) State = 0x06038d008bd3a65c89558d518d7bb3b9
(6) Message-Authenticator = 0xf56634caef4bef32092ba0e149273533
(6) Packet-Type = Access-Request
(6) Restored &session-state
(6) &session-state.Session-State-User-Name = "testuser at testuser.ca"
(6) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(6) recv Access-Request {
(6) policy filter_username {
(6) if (&State) {
(6) if (&User-Name) {
(6) if (!&session-state.Session-State-User-Name) {
(6) ...
(6) }
(6) if (&User-Name != &session-state.Session-State-User-Name) {
(6) ...
(6) }
(6) } # if (&User-Name) (noop)
(6) } # if (&State) (noop)
(6) } # policy filter_username (noop)
(6) chap (noop)
(6) mschap (noop)
(6) digest (noop)
(6) eap - Peer sent EAP Response (code 2) ID 231 length 56
(6) eap - Continuing tunnel setup
(6) eap - Setting &control.Auth-Type = eap
(6) eap (ok)
(6) } # recv Access-Request (ok)
(6) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(6) authenticate eap {
(6) eap - Continuing EAP session
(6) eap - Peer sent packet with EAP method PEAP (25)
(6) eap - Calling submodule eap_peap
(6) subrequest {
(6.0) eap.peap - Continuing EAP-TLS
(6.0) eap.peap - Got complete TLS record (50 bytes)
(6.0) eap.peap - [eap-tls verify] = complete
(6.0) eap.peap - Decrypted TLS application data (21 bytes)
(6.0) eap.peap - [eap-tls process] = complete
(6.0) eap.peap - Session established. Decoding tunneled data
(6.0) eap.peap - PEAP state WAITING FOR INNER IDENTITY
(6.0) eap.peap - Received EAP-Identity-Response
(6.0) eap.peap - Got inner identity "testuser at testuser.ca"
(6.0) eap.peap - Got tunneled request
(6.0) eap.peap - EAP-Message = 0x02e700190174657374757365724074657374757365722e6361
(6.0) eap.peap - Setting &request.User-Name from tunneled (inner) identity "testuser at testuser.ca"
(6.0) eap.peap - Running request through virtual server "(null)"
(6.0) eap.peap - Virtual server (null) received request
(6.0) eap.peap - EAP-Identity = "testuser at testuser.ca"
(6.0) eap.peap - EAP-Type = PEAP
(6.0) eap.peap - server (null) {
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 2 frames:
/opt/freeradius/lib/libfreeradius-util.so(fr_fault+0xe8)[0x7f6ea5a1106b]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x14140)[0x7f6ea5797140]
No panic action set
_EXIT(139) CALLED src/lib/util/debug.c[1052]
```
Fabrice Durand
Software Engineer Principal
Office: +1.514.447.4918
Akamai Technologies
7000 Parc Avenue
Montreal, QC H3N1X1 Canada
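The EAP-Message values in the debug output above can be decoded to check them against the lengths the server logs (for example the 126-byte TLS record in request 4). This is an added example, not part of the original post and not FreeRADIUS code; `parse_peap` and `split_tls_records` are hypothetical helper names, and the reserved/version bits of the flags octet are not interpreted.

```python
import struct

# EAP-Message values copied from the debug log above.
START = "0x01e300061920"                # request (1), server -> peer
ACK = "0x02e400061900"                  # request (3), peer -> server
CLIENT_KEX = (                          # request (4), peer -> server
    "0x02e5008819800000007e"
    "1603030046"
    "100000424104af5f0fd9357c5f1ef85c44412ded07130f03214653071decbdd2423cb8d9"
    "21a4f1fc02b262f63b1ac40dee0720d86e6327a0240932586a76dd4827c434e3bf0e"
    "140303000101"
    "1603030028"
    "f54dfcc389a7197acb64f4cac2ddd2e4602d8a8909d86a71b151adc37da7fa6fbf1625581506cb05")
SERVER_FIN = (                          # request (4), server -> peer
    "0x01e600391900"
    "140303000101"
    "1603030028"
    "55e89feef9aefa2d98c2a520be9d5ba60e5becc07fd359d0f164a8ac94bb6c198ab372d7cf082a1f")

EAP_CODES = {1: "Request", 2: "Response"}
EAP_TYPE_PEAP = 25
FLAG_BITS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # length included, more, start
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}

def parse_peap(hexstr):
    """Decode one EAP-Message carrying PEAP; raise ValueError if malformed."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 6:
        raise ValueError("too short for EAP header, type and flags")
    code, ident, length, etype, flags = struct.unpack("!BBHBB", raw[:6])
    if code not in EAP_CODES or etype != EAP_TYPE_PEAP:
        raise ValueError("not an EAP Request/Response of type PEAP (25)")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    body, tls_total = raw[6:], None
    if flags & 0x80:                    # L: 4-byte total TLS message length follows
        if len(body) < 4:
            raise ValueError("L flag set but TLS message length is missing")
        (tls_total,) = struct.unpack("!I", body[:4])
        body = body[4:]
        if tls_total < len(body):
            raise ValueError("fragment is longer than the declared TLS total")
    return {"code": EAP_CODES[code], "id": ident, "length": length,
            "flags": "".join(n for bit, n in FLAG_BITS if flags & bit),
            "tls_total": tls_total, "tls_data": body}

def split_tls_records(data):
    """Walk TLS record headers in a complete (unfragmented) TLS message.

    A lone frame without the M flag may still be the final fragment of a
    larger message, so the caller decides when the data is complete.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, version, rlen = struct.unpack("!BHH", data[off:off + 5])
        if ctype not in TLS_CONTENT:
            raise ValueError(f"unknown TLS content type {ctype}")
        if off + 5 + rlen > len(data):
            raise ValueError("TLS record length overruns the buffer")
        records.append((TLS_CONTENT[ctype], version, rlen))
        off += 5 + rlen
    return records

if __name__ == "__main__":
    for name in ("START", "ACK", "CLIENT_KEX", "SERVER_FIN"):
        frame = parse_peap(globals()[name])
        print(name, {k: v for k, v in frame.items() if k != "tls_data"},
              split_tls_records(frame["tls_data"]))
```

The decoded IDs and lengths line up with the `eap - Peer sent EAP Response` and `Sending EAP Request` lines in the log.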