rlm_ldap: Successful login with empty password

Simon N simon.nattefort at protonmail.com
Mon May 6 10:30:26 UTC 2024


Hello everyone,

I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct, or is it?
It also works with the RADIUS protocol instead of TACACS, and with the version 4 alpha.

First I perform the login with the correct password and then with an empty password.
This is the output of freeradius -X:

Info : Copyright 1999-2024 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/etc/raddb/dictionary"
including configuration file /etc/raddb/radiusd.conf
Including files in directory "/etc/raddb/template.d/"
including configuration file /etc/raddb/template.d/default
including configuration file /etc/raddb/clients.conf
Including files in directory "/etc/raddb/global.d/"
including configuration file /etc/raddb/global.d/ldap
including configuration file /etc/raddb/global.d/python
Including files in directory "/etc/raddb/mods-enabled/"
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/client
including configuration file /etc/raddb/mods-enabled/delay
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/eap_inner
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/escape
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/stats
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
Including files in directory "/etc/raddb/policy.d/"
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalisation
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/time
including configuration file /etc/raddb/policy.d/vendor
Including files in directory "/etc/raddb/sites-enabled/"
including configuration file /etc/raddb/sites-enabled/default
Loaded module process_radius
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/tacacs
Loaded module process_tacacs
Parsing initial logging configuration.
main {
prefix = /usr/local/freeradius
log {
destination = file
syslog_facility = daemon
local_state_dir = "/usr/local/freeradius/var"
logdir = "/usr/local/freeradius/var/log"
file = /usr/local/freeradius/var/log/radius/radius.log
suppress_secrets = no
}
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
log {
}
security {
allow_core_dumps = no
allow_vulnerable_openssl = no
openssl_fips_mode = no
}
name = radiusd
local_state_dir = "/usr/local/freeradius/var"
run_dir = /usr/local/freeradius/var/run/radiusd
}
Parsing main configuration
main {
server default {
namespace = radius
radius {
Access-Request {
session {
timeout = 15
max = 4096
}
}
}
Loaded module proto_radius
listen {
type = Access-Request
type = Status-Server
transport = udp
Loaded module proto_radius_udp
udp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 60.0
nak_lifetime = 30.0
max_connections = 256
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen tcp_auth {
type = Access-Request
type = Status-Server
transport = tcp
Loaded module proto_radius_tcp
tcp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen udp_acct {
type = Accounting-Request
transport = udp
udp {
ipaddr = *
port = 1813
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
server inner-tunnel {
namespace = radius
radius {
Access-Request {
session {
timeout = 15
max = 4096
}
}
}
listen {
type = Access-Request
transport = udp
udp {
ipaddr = 127.0.0.1
port = 18120
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
server tacacs {
namespace = tacacs
tacacs {
Authentication {
session {
timeout = 15
max = 4096
max_rounds = 4
}
}
}
Loaded module proto_tacacs
listen {
type = Authentication-Start
type = Authentication-Continue
type = Authorization-Request
type = Accounting-Request
transport = tcp
Loaded module proto_tacacs_tcp
tcp {
ipaddr = *
port = 49
networks {
}
max_packet_size = 4096
max_attributes = 256
}
limit {
idle_timeout = 60.0
max_connections = 256
}
priority {
Authentication-Start = high
Authentication-Continue = high
Authorization-Request = normal
Accounting-Request = low
}
}
}
log {
colourise = yes
}
security {
}
sbin_dir = "/usr/local/freeradius/sbin"
logdir = /usr/local/freeradius/var/log/radius
radacctdir = /usr/local/freeradius/var/log/radius/radacct
reverse_lookups = no
hostname_lookups = yes
max_request_time = 30
pidfile = /usr/local/freeradius/var/run/radiusd/radiusd.pid
debug_level = 0
max_requests = 16384
resources {
}
thread pool {
num_networks = 1
Dynamically determined thread.workers = 15
num_workers = 15
openssl_async_pool_init = 64
openssl_async_pool_max = 1024
}
migrate {
rewrite_update = false
forbid_update = false
}
interpret {
}
}
Switching to configured log settings
log debug {
destination = null
timestamp = yes
colourise = no
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
secret = <<< secret >>>
require_message_authenticator = no
proto = *
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30s
}
}
Debugger not attached
trigger { ... } subsection not found, triggers will be disabled
#### Instantiating libraries ####
#### Bootstrapping process modules ####
Bootstrapping process_radius "default"
Creating Auth-Type = pap
Creating Auth-Type = chap
Creating Auth-Type = mschap
Creating Auth-Type = digest
Creating Auth-Type = ldap
Creating Auth-Type = eap
Bootstrapping process_radius "inner-tunnel"
Bootstrapping process_tacacs "tacacs"
Creating Auth-Type = ASCII
#### Bootstrapping protocol modules ####
Bootstrapping proto_radius "default.radius"
client localhost {
ipaddr = 192.0.2.1
secret = <<< secret >>>
shortname = sample
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30s
}
}
Bootstrapping proto_radius "default.tcp_auth"
Bootstrapping proto_radius "default.udp_acct"
Bootstrapping proto_radius "inner-tunnel.radius"
Bootstrapping proto_tacacs "tacacs.tacacs"
Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1"
client tacacs {
ipaddr = 127.0.0.1
secret = <<< secret >>>
proto = tcp
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30s
}
}
#### Instantiating libraries ####
#### Bootstrapping modules ####
modules {
Loaded module rlm_always
always reject {
rcode = reject
simulcount = 0
mpp = no
}
always fail {
rcode = fail
simulcount = 0
mpp = no
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
always handled {
rcode = handled
simulcount = 0
mpp = no
}
always invalid {
rcode = invalid
simulcount = 0
mpp = no
}
always disallow {
rcode = disallow
simulcount = 0
mpp = no
}
always notfound {
rcode = notfound
simulcount = 0
mpp = no
}
always noop {
rcode = noop
simulcount = 0
mpp = no
}
always updated {
rcode = updated
simulcount = 0
mpp = no
}
Loaded module rlm_attr_filter
attr_filter attr_filter.pre-proxy {
filename = /etc/raddb/mods-config/attr_filter/pre-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = /etc/raddb/mods-config/attr_filter/post-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = /etc/raddb/mods-config/attr_filter/access_reject
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = /etc/raddb/mods-config/attr_filter/access_challenge
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = /etc/raddb/mods-config/attr_filter/accounting_response
key = "%{User-Name}"
relaxed = no
}
Loaded module rlm_cache
cache cache_eap {
driver = rbtree
Loaded module rlm_cache_rbtree
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Loaded module rlm_chap
chap {
min_challenge_len = 16
}
Loaded module rlm_client
Loaded module rlm_delay
delay {
delay = 1.0s
relative = no
force_reschedule = no
}
delay delay_reject {
delay = "%{&reply.FreeRADIUS-Response-Delay || 1}"
relative = yes
force_reschedule = no
}
Loaded module rlm_detail
detail {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
Loaded module rlm_digest
Loaded module rlm_eap
eap {
require_identity_realm = nai
type = md5
Loaded module rlm_eap_md5
type = gtc
Loaded module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = PAP
}
type = tls
Loaded module rlm_eap_tls
tls {
tls = tls-common
require_client_cert = yes
include_length = yes
}
type = ttls
Loaded module rlm_eap_ttls
ttls {
tls = tls-common
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
type = mschapv2
Loaded module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = peap
Loaded module rlm_eap_peap
peap {
tls = tls-common
virtual_server = "inner-tunnel"
require_client_cert = no
}
ignore_unknown_eap_types = no
}
eap inner-eap {
require_identity_realm = nai
default_eap_type = mschapv2
type = md5
type = gtc
gtc {
challenge = "Password: "
auth_type = PAP
}
type = mschapv2
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = tls
tls {
tls = tls-peer
require_client_cert = yes
include_length = yes
}
ignore_unknown_eap_types = no
}
Loaded module rlm_exec
exec echo {
wait = yes
input_pairs = &request
output_pairs = &reply
shell_escape = yes
env_inherit = no
}
Loaded module rlm_escape
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
exec {
wait = yes
input_pairs = &request
shell_escape = yes
env_inherit = no
timeout = 10
}
Loaded module rlm_files
files {
filename = /etc/raddb/mods-config/files/authorize
}
files files_accounting {
filename = /etc/raddb/mods-config/files/accounting
}
Instantiating ldap
ldap {
ldap_debug = 0x0000
}
global - ldap - libldap vendor: OpenLDAP, version: 20517
global - ldap - extension: X_OPENLDAP
global - ldap - extension: THREAD_SAFE
global - ldap - extension: SESSION_THREAD_SAFE
global - ldap - extension: OPERATION_THREAD_SAFE
global - ldap - extension: X_OPENLDAP_REENTRANT
global - ldap - extension: X_OPENLDAP_THREAD_SAFE
Loaded module rlm_ldap
ldap {
server = 'ldaps://WIN-DV0HIUUHTPI.freeradius.local:636'
identity = 'cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local'
password = <<< secret >>>
sasl {
}
options {
chase_referrals = yes
use_referral_credentials = no
referral_depth = 5
rebind = yes
net_timeout = 10
idle = 60
probes = 3
interval = 3
srv_timelimit = 3
res_timeout = 10
idle_timeout = 300
reconnection_delay = 10
}
tls {
ca_file = /etc/raddb/certs/cacert.pem
start_tls = no
}
session_tracking = no
user {
scope = sub
access_positive = yes
access_value_negate = "false"
access_value_suspend = "suspended"
}
group {
filter = '(objectClass=posixGroup)'
scope = sub
name_attribute = "cn"
membership_attribute = 'memberOf'
cacheable_name = yes
cacheable_dn = no
group_attribute = "ldap-Group"
allow_dangling_group_ref = no
skip_on_suspend = yes
}
profile {
scope = base
}
pool {
start = 0
min = 1
max = 5
connecting = 2
uses = 0
lifetime = 0
open_delay = 0.2
close_delay = 10.0
manage_interval = 0.2
connection {
connect_timeout = 3.0
reconnect_delay = 1
}
request {
per_connection_max = 2000
per_connection_target = 1000
free_delay = 10.0
}
}
bind_pool {
start = 0
min = 1
max = 1000
connecting = 2
uses = 0
lifetime = 0
open_delay = 0.2
close_delay = 10.0
manage_interval = 0.2
connection {
connect_timeout = 3.0
reconnect_delay = 1
}
request {
per_connection_max = 2000
per_connection_target = 1000
free_delay = 10.0
}
}
}
Loaded module rlm_linelog
linelog {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
server = localhost
port = 514
timeout = 2.0
}
udp {
server = localhost
port = 514
timeout = 2.0
}
}
linelog log_accounting {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_access_accept {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_access_reject {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_authentication_pass {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_authentication_fail {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
Loaded module rlm_mschap
mschap {
normalise = yes
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind {
}
}
exec ntlm_auth {
wait = yes
shell_escape = yes
env_inherit = no
}
Loaded module rlm_pap
pap {
normalise = yes
}
Loaded module rlm_passwd
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loaded module rlm_radutmp
radutmp {
check_with_nas = yes
permissions = 0600
caller_id = no
}
radutmp sradutmp {
check_with_nas = yes
permissions = 0644
caller_id = no
}
Loaded module rlm_stats
stats {
}
Loaded module rlm_unix
unix {
}
Loaded module rlm_unpack
Loaded module rlm_utf8
#### Bootstrapping rlm modules ####
Bootstrapping rlm_cache "cache_eap"
Bootstrapping rlm_chap "chap"
Bootstrapping rlm_delay "delay"
Bootstrapping rlm_delay "delay_reject"
Bootstrapping rlm_always "disallow"
Bootstrapping rlm_eap "eap"
Bootstrapping rlm_exec "echo"
Bootstrapping rlm_escape "escape"
Bootstrapping rlm_exec "exec"
Bootstrapping rlm_always "fail"
Bootstrapping rlm_always "handled"
Bootstrapping rlm_eap "inner-eap"
Bootstrapping rlm_always "invalid"
Bootstrapping rlm_ldap "ldap"
Bootstrapping rlm_linelog "linelog"
Bootstrapping rlm_linelog "log_accounting"
Bootstrapping rlm_linelog "log_auth_access_accept"
Bootstrapping rlm_linelog "log_auth_access_reject"
Bootstrapping rlm_linelog "log_auth_authentication_fail"
Bootstrapping rlm_linelog "log_auth_authentication_pass"
Bootstrapping rlm_mschap "mschap"
Bootstrapping rlm_always "noop"
Bootstrapping rlm_always "notfound"
Bootstrapping rlm_exec "ntlm_auth"
Bootstrapping rlm_always "ok"
Bootstrapping rlm_always "reject"
Bootstrapping rlm_unix "unix"
Bootstrapping rlm_always "updated"
} # modules
#### Instantiating listeners ####
Compiling policies in server default { ... }
Instantiating proto_radius "default.radius"
Instantiating proto_radius "default.tcp_auth"
Instantiating proto_radius "default.udp_acct"
Instantiating process_radius "default"
Compiling policies in - recv Access-Request {...}
Reading file /etc/raddb/mods-config/files/authorize
/etc/raddb/sites-enabled/default[785]: Ignoring "-sql" as the "sql" module is not enabled.
/etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return'
/etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering
Compiling policies in - send Access-Accept {...}
/etc/raddb/sites-enabled/default[1104]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Challenge {...}
Compiling policies in - send Access-Reject {...}
/etc/raddb/sites-enabled/default[1219]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - recv Accounting-Request {...}
Reading file /etc/raddb/mods-config/files/accounting
Compiling policies in - send Accounting-Response {...}
Compiling policies in - recv Status-Server {...}
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate digest {...}
Compiling policies in - authenticate ldap {...}
Compiling policies in - authenticate eap {...}
Compiling policies in - accounting Start {...}
/etc/raddb/sites-enabled/default[1340]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Stop {...}
/etc/raddb/sites-enabled/default[1359]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Interim-Update {...}
/etc/raddb/sites-enabled/default[1389]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Accounting-On {...}
/etc/raddb/sites-enabled/default[1404]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Accounting-Off {...}
/etc/raddb/sites-enabled/default[1419]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Failed {...}
/etc/raddb/sites-enabled/default[80]: radius { ... } section is unused
/etc/raddb/sites-enabled/default[150]: dictionary { ... } section is unused
Compiling policies in server inner-tunnel { ... }
Instantiating proto_radius "inner-tunnel.radius"
Instantiating process_radius "inner-tunnel"
Compiling policies in - recv Access-Request {...}
Reading file /etc/raddb/mods-config/files/authorize
/etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled.
/etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return'
/etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering
Compiling policies in - send Access-Accept {...}
/etc/raddb/sites-enabled/inner-tunnel[266]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Reject {...}
/etc/raddb/sites-enabled/inner-tunnel[308]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate eap {...}
src/lib/server/virtual_servers.c[311]: radius { ... } section is unused
Compiling policies in server tacacs { ... }
Instantiating proto_tacacs "tacacs.tacacs"
Instantiating process_tacacs "tacacs"
Compiling policies in - recv Authentication-Start {...}
/etc/raddb/sites-enabled/tacacs[232]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Authentication-Pass {...}
Compiling policies in - send Authentication-Fail {...}
Compiling policies in - send Authentication-GetUser {...}
Compiling policies in - send Authentication-GetPass {...}
Compiling policies in - recv Authentication-Continue {...}
Compiling policies in - authenticate PAP {...}
Compiling policies in - authenticate CHAP {...}
Compiling policies in - authenticate ldap {...}
Compiling policies in - authenticate ASCII {...}
Compiling policies in - recv Authorization-Request {...}
Compiling policies in - send Authorization-Pass-Add {...}
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Success {...}
Compiling policies in - send Accounting-Error {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Watchdog-Update {...}
Compiling policies in - accounting Watchdog {...}
Compiling policies in - accounting Stop {...}
/etc/raddb/sites-enabled/tacacs[32]: tacacs { ... } section is unused
#### Instantiating rlm modules ####
Instantiating rlm_attr_filter "attr_filter.access_challenge"
Reading file /etc/raddb/mods-config/attr_filter/access_challenge
Instantiating rlm_attr_filter "attr_filter.access_reject"
Reading file /etc/raddb/mods-config/attr_filter/access_reject
Instantiating rlm_attr_filter "attr_filter.accounting_response"
Reading file /etc/raddb/mods-config/attr_filter/accounting_response
Instantiating rlm_attr_filter "attr_filter.post-proxy"
Reading file /etc/raddb/mods-config/attr_filter/post-proxy
Instantiating rlm_attr_filter "attr_filter.pre-proxy"
Reading file /etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating rlm_detail "auth_log"
Instantiating rlm_cache "cache_eap"
Instantiating rlm_chap "chap"
Instantiating rlm_detail "detail"
Instantiating rlm_digest "digest"
Instantiating rlm_always "disallow"
Instantiating rlm_eap "eap"
Instantiating rlm_passwd "etc_passwd"
Instantiating rlm_always "fail"
Instantiating rlm_always "handled"
Instantiating rlm_eap "inner-eap"
inner-eap - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work
Instantiating rlm_always "invalid"
Instantiating rlm_ldap "ldap"
accounting {
reference = "%tolower(type.%{Acct-Status-Type})"
}
post-auth {
reference = "."
}
Instantiating rlm_linelog "linelog"
Instantiating rlm_linelog "log_accounting"
Instantiating rlm_linelog "log_auth_access_accept"
Instantiating rlm_linelog "log_auth_access_reject"
Instantiating rlm_linelog "log_auth_authentication_fail"
Instantiating rlm_linelog "log_auth_authentication_pass"
Instantiating rlm_mschap "mschap"
mschap - Using internal authentication
Instantiating rlm_always "noop"
Instantiating rlm_always "notfound"
Instantiating rlm_always "ok"
Instantiating rlm_pap "pap"
Instantiating rlm_detail "post_proxy_log"
Instantiating rlm_detail "pre_proxy_log"
Instantiating rlm_always "reject"
Instantiating rlm_detail "reply_log"
Instantiating rlm_stats "stats"
Instantiating rlm_always "updated"
Instantiating _cache_rbtree "cache_eap.rbtree"
Instantiating _eap_mschapv2 "eap.mschapv2"
Instantiating _eap_peap "eap.peap"
tls-config tls-common {
chain rsa {
format = pem
certificate_file = /etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /etc/raddb/certs/rsa/server.key
ca_file = /etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /etc/raddb/certs
ca_file = /etc/raddb/certs/rsa/ca.pem
dh_file = /etc/raddb/certs/dh
fragment_size = 1024
cipher_list = "DEFAULT"
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = prime256v1
tls_min_version = 1.2
session {
mode = auto
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
name = "%{EAP-Type}%interpreter(server)"
lifetime = 1d
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
Instantiating _eap_tls "eap.tls"
tls - Using cached TLS configuration from previous invocation
Instantiating _eap_ttls "eap.ttls"
tls - Using cached TLS configuration from previous invocation
Instantiating _eap_mschapv2 "inner-eap.mschapv2"
Instantiating _eap_tls "inner-eap.tls"
tls-config tls-peer {
chain {
format = pem
certificate_file = /etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /etc/raddb/certs/rsa/server.key
ca_file = /etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /etc/raddb/certs
ca_file = /etc/raddb/certs/rsa/ca.pem
dh_file = /etc/raddb/certs/dh
fragment_size = 16384
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = "prime256v1"
tls_min_version = 1.2
session {
mode = auto
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
name = "%{EAP-Type}%interpreter(server)"
lifetime = 1d
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local"
No existing connection found - creating new one
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on radius_udp server * port 1812 bound to virtual server default
Listening on radius_tcp server * port 1812 bound to virtual server default
Listening on radius_udp server * port 1813 bound to virtual server default
Listening on radius_udp server 127.0.0.1 port 18120 bound to virtual server inner-tunnel
Listening on tacacs_tcp server * port 49 bound to virtual server tacacs
Ready to process requests
rlm_ldap - [1] - Signalled to start from HALTED state
rlm_ldap - [1] - Connection changed state HALTED -> INIT
rlm_ldap - [1] Trunk connection changed state HALTED -> INIT
Starting bind operation
rlm_ldap - [1] - Connection changed state INIT -> CONNECTING
rlm_ldap - [1] Trunk connection changed state INIT -> CONNECTING
Bind as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" successful
rlm_ldap - [1] - Signalled connected from CONNECTING state
rlm_ldap - [1] - Connection changed state CONNECTING -> CONNECTED
rlm_ldap - [1] - Connection established
rlm_ldap - [1] Trunk connection changed state CONNECTING -> ACTIVE
rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
Got search entry response for message 2
rlm_ldap (ldap) - Directory type: Active Directory
rlm_ldap (ldap) - Directory supports LDAP_SERVER_NOTIFICATION_OID
proto_tacacs_tcp - starting connection tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
Listening on tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 bound to virtual server tacacs
proto_tacacs_tcp - Received Authentication seq_no 1 length 64 tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
(0) Received Authentication-Start ID 1 from 127.0.0.1:53534 to 127.0.0.1:49 length 64 via socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
(0) Packet {
(0) Version-Major = Plus
(0) Version-Minor = 1
(0) Packet-Type = Authentication
(0) Sequence-Number = 1
(0) Flags = None
(0) Session-Id = 1085304268
(0) Length = 52
(0) }
(0) Packet-Body-Type = Start
(0) Action = LOGIN
(0) Privilege-Level = Minimum
(0) Authentication-Type = PAP
(0) Authentication-Service = LOGIN
(0) User-Name = "test"
(0) Client-Port = "python_tty0"
(0) Remote-Address = "python_device"
(0) User-Password = "RUrMV9nmkQUSthyy"
Worker - Resetting cleanup timer to +30
(0) tacacs {
(0) Running 'recv Authentication-Start' from file /etc/raddb/sites-enabled/tacacs
(0) recv Authentication-Start {
(0) &control.Auth-Type := 658583602
(0) } # recv Authentication-Start (noop)
(0) Running 'authenticate ldap' from file /etc/raddb/sites-enabled/tacacs
(0) authenticate ldap {
(0) | %{&Stripped-User-Name || &User-Name}
(0) | ||
(0) | &Stripped-User-Name
(0) | %logical_or()
(0) | &Stripped-User-Name
(0) (null)
(0) | &User-Name
(0) | %logical_or(...)
(0) | &User-Name
(0) | --> test
(0) | %logical_or(...)
(0) | --> test
(0) ldap - Login attempt with password
(0) Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local"
(0) rlm_ldap - [1] Trunk connection assigned request 2
(0) ldap - Performing search in "dc=freeradius,dc=local" with filter "(sAMAccountName=test)", scope "sub"
(0) ldap - Got search entry response for message 3
(0) ldap - function - Resuming execution
(0) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local"
(0) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local"
(0) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
rlm_ldap bind auth - [2] - Signalled to start from HALTED state
rlm_ldap bind auth - [2] - Connection changed state HALTED -> INIT
rlm_ldap bind auth - [2] Trunk connection changed state HALTED -> INIT
Starting bind operation
rlm_ldap bind auth - [2] - Connection changed state INIT -> CONNECTING
rlm_ldap bind auth - [2] Trunk connection changed state INIT -> CONNECTING
Bind as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" successful
rlm_ldap bind auth - [2] - Signalled connected from CONNECTING state
rlm_ldap bind auth - [2] - Connection changed state CONNECTING -> CONNECTED
rlm_ldap bind auth - [2] - Connection established
rlm_ldap bind auth - [2] Trunk connection changed state CONNECTING -> ACTIVE
(0) ldap - rlm_ldap bind auth - [2] Trunk connection assigned request 3
rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL
(0) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local
(0) ldap - function - Resuming execution
(0) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
rlm_ldap bind auth - [2] Trunk connection changed state FULL -> ACTIVE
(0) ldap - ldap (ok)
(0) } # authenticate ldap (ok)
(0) Running 'send Authentication-Pass' from file /etc/raddb/sites-enabled/tacacs
(0) send Authentication-Pass {
(0) | %{User-Name}
(0) | --> test
(0) &reply.Server-Message := Hello test
(0) } # send Authentication-Pass (noop)
(0) tacacs (ok)
(0) } # tacacs (ok)
(0) Done request
(0) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53534 length 28 via socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
(0) Packet-Type = Authentication-Pass
(0) Server-Message = "Hello test"
(0) Finished request
proto_tacacs_tcp - cleaning up
TIMER - setting idle timeout for connection from client tacacs
Network - Socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 closed by peer
Closing connection tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
proto_tacacs_tcp - starting connection tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
Listening on tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 bound to virtual server tacacs
proto_tacacs_tcp - Received Authentication seq_no 1 length 48 tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
(1) Received Authentication-Start ID 1 from 127.0.0.1:53476 to 127.0.0.1:49 length 48 via socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
(1) Packet {
(1) Version-Major = Plus
(1) Version-Minor = 1
(1) Packet-Type = Authentication
(1) Sequence-Number = 1
(1) Flags = None
(1) Session-Id = 718923347
(1) Length = 36
(1) }
(1) Packet-Body-Type = Start
(1) Action = LOGIN
(1) Privilege-Level = Minimum
(1) Authentication-Type = PAP
(1) Authentication-Service = LOGIN
(1) User-Name = "test"
(1) Client-Port = "python_tty0"
(1) Remote-Address = "python_device"
(1) User-Password = ""
(1) tacacs {
(1) Running 'recv Authentication-Start' from file /etc/raddb/sites-enabled/tacacs
(1) recv Authentication-Start {
(1) &control.Auth-Type := 658583602
(1) } # recv Authentication-Start (noop)
(1) Running 'authenticate ldap' from file /etc/raddb/sites-enabled/tacacs
(1) authenticate ldap {
(1) | %{&Stripped-User-Name || &User-Name}
(1) | ||
(1) | &Stripped-User-Name
(1) | %logical_or()
(1) | &Stripped-User-Name
(1) (null)
(1) | &User-Name
(1) | %logical_or(...)
(1) | &User-Name
(1) | --> test
(1) | %logical_or(...)
(1) | --> test
(1) ldap - Login attempt with password
(1) Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local"
(1) rlm_ldap - [1] Trunk connection assigned request 4
(1) ldap - Performing search in "dc=freeradius,dc=local" with filter "(sAMAccountName=test)", scope "sub"
(1) ldap - Got search entry response for message 4
(1) ldap - function - Resuming execution
(1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local"
(1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local"
(1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
(1) rlm_ldap bind auth - [2] Trunk connection assigned request 5
rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL
(1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local
(1) ldap - function - Resuming execution
(1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
rlm_ldap bind auth - [2] Trunk connection changed state FULL -> ACTIVE
(1) ldap - ldap (ok)
(1) } # authenticate ldap (ok)
(1) Running 'send Authentication-Pass' from file /etc/raddb/sites-enabled/tacacs
(1) send Authentication-Pass {
(1) | %{User-Name}
(1) | --> test
(1) &reply.Server-Message := Hello test
(1) } # send Authentication-Pass (noop)
(1) tacacs (ok)
(1) } # tacacs (ok)
(1) Done request
(1) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53476 length 28 via socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
(1) Packet-Type = Authentication-Pass
(1) Server-Message = "Hello test"
(1) Finished request
proto_tacacs_tcp - cleaning up
TIMER - setting idle timeout for connection from client tacacs
Network - Socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 closed by peer
Closing connection tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
^CSignalled to terminate
Exiting normally
rlm_ldap - [1] - Signalled to halt from CONNECTED state
rlm_ldap - [1] - Connection changed state CONNECTED -> CLOSED
rlm_ldap - [1] Trunk connection changed state ACTIVE -> CLOSED
rlm_ldap - [1] - Connection changed state CLOSED -> HALTED
rlm_ldap - [1] Trunk connection changed state CLOSED -> HALTED
rlm_ldap bind auth - [2] - Signalled to halt from CONNECTED state
rlm_ldap bind auth - [2] - Connection changed state CONNECTED -> CLOSED
rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> CLOSED
rlm_ldap bind auth - [2] - Connection changed state CLOSED -> HALTED
rlm_ldap bind auth - [2] Trunk connection changed state CLOSED -> HALTED

Thanks in advance for any help,

Simon
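The debug output above is the whole evidence of the problem: request (1) carries `User-Password = ""`, yet rlm_ldap reports `Bind as user "CN=test,..." was successful` and the server sends Authentication-Pass. A simple bind with a non-empty DN and an empty password is the "unauthenticated" bind of RFC 4513 section 5.1.2, which many directories (Active Directory among them, by default) answer with success while granting only anonymous rights, so any authenticator that treats bind success as proof of the password must refuse empty credentials before binding. The following script is an added example, not code from the post or from FreeRADIUS: it scans `freeradius -X` output for requests where an empty password was followed by a successful bind, which is the check an operator would run over a log like this one. The sample log is a constructed excerpt in the same shape as the output above (the "secret" password in request (0) and the failing request (2) are invented for the example).

```python
import re
from typing import Dict, List

# Constructed excerpt of a `freeradius -X` debug log, shaped like the output
# in the post: request (0) has a real password, request (1) an empty one, and
# rlm_ldap reports a successful bind for both. Request (2) is a constructed
# control case where an empty password is correctly rejected.
SAMPLE_LOG = """\
(0) User-Name = "test"
(0) User-Password = "secret"
(0) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
(0) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
(0) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53534 length 28
(1) User-Name = "test"
(1) User-Password = ""
(1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
(1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
(1) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53476 length 28
(2) User-Name = "alice"
(2) User-Password = ""
(2) Bind as user "CN=alice,CN=Users,DC=freeradius,DC=local" failed
(2) Sending Authentication-Fail ID 2 from 127.0.0.1:49 to 127.0.0.1:53500 length 28
"""

# Per-request lines start with "(N)"; global lines (trunk state changes,
# listener messages) do not and are ignored.
REQ_RE = re.compile(r'^\((\d+)\)\s+(.*)$')
ATTR_RE = re.compile(r'^([A-Za-z0-9-]+)\s*=\s*"(.*)"$')
BIND_OK_RE = re.compile(r'^Bind as user "([^"]*)" was successful$')
PASS_RE = re.compile(r'^Sending Authentication-Pass\b')


def parse_requests(log: str) -> Dict[int, dict]:
    """Group the per-request lines of a freeradius -X log by request number,
    keeping quoted attributes, the DN of a successful bind, and whether an
    Authentication-Pass was sent."""
    reqs: Dict[int, dict] = {}
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2).strip()
        r = reqs.setdefault(rid, {"attrs": {}, "bind_ok_dn": None, "passed": False})
        a = ATTR_RE.match(body)
        if a:
            r["attrs"][a.group(1)] = a.group(2)
            continue
        b = BIND_OK_RE.match(body)
        if b:
            r["bind_ok_dn"] = b.group(1)
            continue
        if PASS_RE.match(body):
            r["passed"] = True
    return reqs


def find_empty_password_binds(log: str) -> List[dict]:
    """Return every request where an empty (or whitespace-only) User-Password
    was still followed by a successful LDAP bind: the signature of an
    unauthenticated bind being taken as a real login."""
    findings = []
    for rid, r in sorted(parse_requests(log).items()):
        pw = r["attrs"].get("User-Password")
        if pw is not None and pw.strip() == "" and r["bind_ok_dn"] is not None:
            findings.append({
                "request": rid,
                "user": r["attrs"].get("User-Name"),
                "dn": r["bind_ok_dn"],
                "accepted": r["passed"],
            })
    return findings


if __name__ == "__main__":
    for f in find_empty_password_binds(SAMPLE_LOG):
        print(f"request {f['request']}: empty password, bind OK as {f['dn']}, "
              f"Authentication-Pass sent: {f['accepted']}")
```

Run against a real `freeradius -X` capture by replacing `SAMPLE_LOG` with the file contents; the same empty-credential test (`pw.strip() == ""`) is what an authenticator should apply to the request before it ever issues the bind, returning reject instead of asking the directory.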

