radiusd -X log (ubuntu)
  1. FreeRADIUS Version 3.2.3
  2. Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
  3. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  4. PARTICULAR PURPOSE
  5. You may redistribute copies of FreeRADIUS under the terms of the
  6. GNU General Public License
  7. For more information about these matters, see the file named COPYRIGHT
  8. Starting - reading configuration files ...
  9. including dictionary file /usr/share/freeradius/dictionary
  10. including dictionary file /usr/share/freeradius/dictionary.dhcp
  11. including dictionary file /usr/share/freeradius/dictionary.vqp
  12. including dictionary file /etc/raddb/dictionary
  13. including configuration file /etc/raddb/radiusd.conf
  14. including configuration file /etc/raddb/proxy.conf
  15. including configuration file /etc/raddb/clients.conf
  16. including files in directory /etc/raddb/mods-enabled/
  17. including configuration file /etc/raddb/mods-enabled/always
  18. including configuration file /etc/raddb/mods-enabled/attr_filter
  19. including configuration file /etc/raddb/mods-enabled/chap
  20. including configuration file /etc/raddb/mods-enabled/date
  21. including configuration file /etc/raddb/mods-enabled/detail
  22. including configuration file /etc/raddb/mods-enabled/detail.log
  23. including configuration file /etc/raddb/mods-enabled/digest
  24. including configuration file /etc/raddb/mods-enabled/dynamic_clients
  25. including configuration file /etc/raddb/mods-enabled/eap
  26. including configuration file /etc/raddb/mods-enabled/echo
  27. including configuration file /etc/raddb/mods-enabled/exec
  28. including configuration file /etc/raddb/mods-enabled/expiration
  29. including configuration file /etc/raddb/mods-enabled/expr
  30. including configuration file /etc/raddb/mods-enabled/files
  31. including configuration file /etc/raddb/mods-enabled/linelog
  32. including configuration file /etc/raddb/mods-enabled/logintime
  33. including configuration file /etc/raddb/mods-enabled/mschap
  34. including configuration file /etc/raddb/mods-enabled/ntlm_auth
  35. including configuration file /etc/raddb/mods-enabled/pap
  36. including configuration file /etc/raddb/mods-enabled/passwd
  37. including configuration file /etc/raddb/mods-enabled/preprocess
  38. including configuration file /etc/raddb/mods-enabled/radutmp
  39. including configuration file /etc/raddb/mods-enabled/realm
  40. including configuration file /etc/raddb/mods-enabled/replicate
  41. including configuration file /etc/raddb/mods-enabled/soh
  42. including configuration file /etc/raddb/mods-enabled/sradutmp
  43. including configuration file /etc/raddb/mods-enabled/unix
  44. including configuration file /etc/raddb/mods-enabled/unpack
  45. including configuration file /etc/raddb/mods-enabled/utf8
  46. including configuration file /etc/raddb/mods-enabled/totp
  47. including files in directory /etc/raddb/policy.d/
  48. including configuration file /etc/raddb/policy.d/accounting
  49. including configuration file /etc/raddb/policy.d/canonicalization
  50. including configuration file /etc/raddb/policy.d/control
  51. including configuration file /etc/raddb/policy.d/cui
  52. including configuration file /etc/raddb/policy.d/debug
  53. including configuration file /etc/raddb/policy.d/dhcp
  54. including configuration file /etc/raddb/policy.d/eap
  55. including configuration file /etc/raddb/policy.d/filter
  56. including configuration file /etc/raddb/policy.d/operator-name
  57. including configuration file /etc/raddb/policy.d/rfc7542
  58. including configuration file /etc/raddb/policy.d/abfab-tr
  59. including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
  60. including files in directory /etc/raddb/sites-enabled/
  61. including configuration file /etc/raddb/sites-enabled/default
  62. including configuration file /etc/raddb/sites-enabled/inner-tunnel
  63. main {
  64. security {
  65. user = "radiusd"
  66. group = "radiusd"
  67. allow_core_dumps = no
  68. }
  69. name = "radiusd"
  70. prefix = "/usr"
  71. localstatedir = "/var"
  72. logdir = "/var/log/radius"
  73. run_dir = "/var/run/radiusd"
  74. }
  75. main {
  76. name = "radiusd"
  77. prefix = "/usr"
  78. localstatedir = "/var"
  79. sbindir = "/usr/sbin"
  80. logdir = "/var/log/radius"
  81. run_dir = "/var/run/radiusd"
  82. libdir = "/usr/lib64/freeradius"
  83. radacctdir = "/var/log/radius/radacct"
  84. hostname_lookups = no
  85. max_request_time = 30
  86. cleanup_delay = 5
  87. max_requests = 16384
  88. postauth_client_lost = no
  89. pidfile = "/var/run/radiusd/radiusd.pid"
  90. checkrad = "/usr/sbin/checkrad"
  91. debug_level = 0
  92. proxy_requests = no
  93. log {
  94. stripped_names = no
  95. auth = yes
  96. auth_accept = yes
  97. auth_reject = yes
  98. auth_badpass = yes
  99. auth_goodpass = yes
  100. colourise = yes
  101. msg_denied = "You are already logged in - access denied"
  102. }
  103. resources {
  104. }
  105. security {
  106. max_attributes = 200
  107. reject_delay = 1.000000
  108. status_server = yes
  109. allow_vulnerable_openssl = "no"
  110. }
  111. }
  112. radiusd: #### Loading Realms and Home Servers ####
  113. proxy server {
  114. retry_delay = 5
  115. retry_count = 3
  116. default_fallback = no
  117. dead_time = 120
  118. wake_all_if_all_dead = no
  119. }
  120. home_server localhost {
  121. nonblock = no
  122. ipaddr = 127.0.0.1
  123. port = 1812
  124. type = "auth"
  125. secret = <<< secret >>>
  126. response_window = 20.000000
  127. response_timeouts = 1
  128. max_outstanding = 65536
  129. zombie_period = 40
  130. status_check = "status-server"
  131. ping_interval = 30
  132. check_interval = 30
  133. check_timeout = 4
  134. num_answers_to_alive = 3
  135. revive_interval = 120
  136. limit {
  137. max_connections = 16
  138. max_requests = 0
  139. lifetime = 0
  140. idle_timeout = 0
  141. }
  142. coa {
  143. irt = 2
  144. mrt = 16
  145. mrc = 5
  146. mrd = 30
  147. }
  148. recv_coa {
  149. }
  150. }
  151. realm LOCAL {
  152. }
  153. realm NULL {
  154. }
  155. home_server_pool my_auth_failover {
  156. type = fail-over
  157. home_server = localhost
  158. }
  159. radiusd: #### Loading Clients ####
  160. client localhost {
  161. ipaddr = 127.0.0.1
  162. require_message_authenticator = no
  163. secret = <<< secret >>>
  164. nas_type = "other"
  165. proto = "*"
  166. limit {
  167. max_connections = 16
  168. lifetime = 0
  169. idle_timeout = 30
  170. }
  171. }
  172. client localhost_ipv6 {
  173. ipv6addr = ::1
  174. require_message_authenticator = no
  175. secret = <<< secret >>>
  176. limit {
  177. max_connections = 16
  178. lifetime = 0
  179. idle_timeout = 30
  180. }
  181. }
  182. client private-network-2 {
  183. ipaddr = 192.168.0.0/16
  184. require_message_authenticator = no
  185. secret = <<< secret >>>
  186. limit {
  187. max_connections = 16
  188. lifetime = 0
  189. idle_timeout = 30
  190. }
  191. }
  192. Debugger not attached
  193. systemd watchdog is disabled
  194. # Creating Auth-Type = mschap
  195. # Creating Auth-Type = digest
  196. # Creating Auth-Type = eap
  197. # Creating Auth-Type = PAP
  198. # Creating Auth-Type = CHAP
  199. # Creating Auth-Type = MS-CHAP
  200. # Creating Autz-Type = New-TLS-Connection
  201. radiusd: #### Instantiating modules ####
  202. modules {
  203. # Loaded module rlm_always
  204. # Loading module "reject" from file /etc/raddb/mods-enabled/always
  205. always reject {
  206. rcode = "reject"
  207. simulcount = 0
  208. mpp = no
  209. }
  210. # Loading module "fail" from file /etc/raddb/mods-enabled/always
  211. always fail {
  212. rcode = "fail"
  213. simulcount = 0
  214. mpp = no
  215. }
  216. # Loading module "ok" from file /etc/raddb/mods-enabled/always
  217. always ok {
  218. rcode = "ok"
  219. simulcount = 0
  220. mpp = no
  221. }
  222. # Loading module "handled" from file /etc/raddb/mods-enabled/always
  223. always handled {
  224. rcode = "handled"
  225. simulcount = 0
  226. mpp = no
  227. }
  228. # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  229. always invalid {
  230. rcode = "invalid"
  231. simulcount = 0
  232. mpp = no
  233. }
  234. # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  235. always userlock {
  236. rcode = "userlock"
  237. simulcount = 0
  238. mpp = no
  239. }
  240. # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  241. always notfound {
  242. rcode = "notfound"
  243. simulcount = 0
  244. mpp = no
  245. }
  246. # Loading module "noop" from file /etc/raddb/mods-enabled/always
  247. always noop {
  248. rcode = "noop"
  249. simulcount = 0
  250. mpp = no
  251. }
  252. # Loading module "updated" from file /etc/raddb/mods-enabled/always
  253. always updated {
  254. rcode = "updated"
  255. simulcount = 0
  256. mpp = no
  257. }
  258. # Loaded module rlm_attr_filter
  259. # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  260. attr_filter attr_filter.post-proxy {
  261. filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
  262. key = "%{Realm}"
  263. relaxed = no
  264. }
  265. # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  266. attr_filter attr_filter.pre-proxy {
  267. filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
  268. key = "%{Realm}"
  269. relaxed = no
  270. }
  271. # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  272. attr_filter attr_filter.access_reject {
  273. filename = "/etc/raddb/mods-config/attr_filter/access_reject"
  274. key = "%{User-Name}"
  275. relaxed = no
  276. }
  277. # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  278. attr_filter attr_filter.access_challenge {
  279. filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
  280. key = "%{User-Name}"
  281. relaxed = no
  282. }
  283. # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  284. attr_filter attr_filter.accounting_response {
  285. filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
  286. key = "%{User-Name}"
  287. relaxed = no
  288. }
  289. # Loading module "attr_filter.coa" from file /etc/raddb/mods-enabled/attr_filter
  290. attr_filter attr_filter.coa {
  291. filename = "/etc/raddb/mods-config/attr_filter/coa"
  292. key = "%{User-Name}"
  293. relaxed = no
  294. }
  295. # Loaded module rlm_chap
  296. # Loading module "chap" from file /etc/raddb/mods-enabled/chap
  297. # Loaded module rlm_date
  298. # Loading module "date" from file /etc/raddb/mods-enabled/date
  299. date {
  300. format = "%b %e %Y %H:%M:%S %Z"
  301. utc = no
  302. }
  303. # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
  304. date wispr2date {
  305. format = "%Y-%m-%dT%H:%M:%S"
  306. utc = no
  307. }
  308. # Loaded module rlm_detail
  309. # Loading module "detail" from file /etc/raddb/mods-enabled/detail
  310. detail {
  311. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  312. header = "%t"
  313. permissions = 384
  314. locking = no
  315. escape_filenames = no
  316. log_packet_header = no
  317. }
  318. # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  319. detail auth_log {
  320. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  321. header = "%t"
  322. permissions = 384
  323. locking = no
  324. escape_filenames = no
  325. log_packet_header = no
  326. }
  327. # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  328. detail reply_log {
  329. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  330. header = "%t"
  331. permissions = 384
  332. locking = no
  333. escape_filenames = no
  334. log_packet_header = no
  335. }
  336. # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  337. detail pre_proxy_log {
  338. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  339. header = "%t"
  340. permissions = 384
  341. locking = no
  342. escape_filenames = no
  343. log_packet_header = no
  344. }
  345. # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  346. detail post_proxy_log {
  347. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  348. header = "%t"
  349. permissions = 384
  350. locking = no
  351. escape_filenames = no
  352. log_packet_header = no
  353. }
  354. # Loaded module rlm_digest
  355. # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  356. # Loaded module rlm_dynamic_clients
  357. # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  358. # Loaded module rlm_eap
  359. # Loading module "eap" from file /etc/raddb/mods-enabled/eap
  360. eap {
  361. default_eap_type = "tls"
  362. timer_expire = 60
  363. max_eap_type = 52
  364. ignore_unknown_eap_types = no
  365. cisco_accounting_username_bug = no
  366. max_sessions = 16384
  367. }
  368. # Loaded module rlm_exec
  369. # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  370. exec echo {
  371. wait = yes
  372. program = "/bin/echo %{User-Name}"
  373. input_pairs = "request"
  374. output_pairs = "reply"
  375. shell_escape = yes
  376. }
  377. # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  378. exec {
  379. wait = no
  380. input_pairs = "request"
  381. shell_escape = yes
  382. timeout = 10
  383. }
  384. # Loaded module rlm_expiration
  385. # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  386. # Loaded module rlm_expr
  387. # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  388. expr {
  389. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  390. }
  391. # Loaded module rlm_files
  392. # Loading module "files" from file /etc/raddb/mods-enabled/files
  393. files {
  394. filename = "/etc/raddb/mods-config/files/authorize"
  395. acctusersfile = "/etc/raddb/mods-config/files/accounting"
  396. preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  397. }
  398. # Loaded module rlm_linelog
  399. # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  400. linelog {
  401. filename = "/var/log/radius/linelog"
  402. escape_filenames = no
  403. syslog_severity = "info"
  404. permissions = 384
  405. format = "This is a log message for %{User-Name}"
  406. reference = "messages.%{%{reply:Packet-Type}:-default}"
  407. }
  408. # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  409. linelog log_accounting {
  410. filename = "/var/log/radius/linelog-accounting"
  411. escape_filenames = no
  412. syslog_severity = "info"
  413. permissions = 384
  414. format = ""
  415. reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  416. }
  417. # Loaded module rlm_logintime
  418. # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  419. logintime {
  420. minimum_timeout = 60
  421. }
  422. # Loaded module rlm_mschap
  423. # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  424. mschap {
  425. use_mppe = yes
  426. require_encryption = no
  427. require_strong = no
  428. with_ntdomain_hack = yes
  429. passchange {
  430. }
  431. allow_retry = yes
  432. winbind_retry_with_normalised_username = no
  433. }
  434. # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  435. exec ntlm_auth {
  436. wait = yes
  437. program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  438. shell_escape = yes
  439. }
  440. # Loaded module rlm_pap
  441. # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  442. pap {
  443. normalise = yes
  444. }
  445. # Loaded module rlm_passwd
  446. # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  447. passwd etc_passwd {
  448. filename = "/etc/passwd"
  449. format = "*User-Name:Crypt-Password:"
  450. delimiter = ":"
  451. ignore_nislike = no
  452. ignore_empty = yes
  453. allow_multiple_keys = no
  454. hash_size = 100
  455. }
  456. # Loaded module rlm_preprocess
  457. # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  458. preprocess {
  459. huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
  460. hints = "/etc/raddb/mods-config/preprocess/hints"
  461. with_ascend_hack = no
  462. ascend_channels_per_line = 23
  463. with_ntdomain_hack = no
  464. with_specialix_jetstream_hack = no
  465. with_cisco_vsa_hack = no
  466. with_alvarion_vsa_hack = no
  467. }
  468. # Loaded module rlm_radutmp
  469. # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
  470. radutmp {
  471. filename = "/var/log/radius/radutmp"
  472. username = "%{User-Name}"
  473. case_sensitive = yes
  474. check_with_nas = yes
  475. permissions = 384
  476. caller_id = yes
  477. }
  478. # Loaded module rlm_realm
  479. # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  480. realm IPASS {
  481. format = "prefix"
  482. delimiter = "/"
  483. ignore_default = no
  484. ignore_null = no
  485. }
  486. # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  487. realm suffix {
  488. format = "suffix"
  489. delimiter = "@"
  490. ignore_default = no
  491. ignore_null = no
  492. }
  493. # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
  494. realm bangpath {
  495. format = "prefix"
  496. delimiter = "!"
  497. ignore_default = no
  498. ignore_null = no
  499. }
  500. # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  501. realm realmpercent {
  502. format = "suffix"
  503. delimiter = "%"
  504. ignore_default = no
  505. ignore_null = no
  506. }
  507. # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  508. realm ntdomain {
  509. format = "prefix"
  510. delimiter = "\\"
  511. ignore_default = no
  512. ignore_null = no
  513. }
  514. # Loaded module rlm_replicate
  515. # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  516. # Loaded module rlm_soh
  517. # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  518. soh {
  519. dhcp = yes
  520. }
  521. # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  522. radutmp sradutmp {
  523. filename = "/var/log/radius/sradutmp"
  524. username = "%{User-Name}"
  525. case_sensitive = yes
  526. check_with_nas = yes
  527. permissions = 420
  528. caller_id = no
  529. }
  530. # Loaded module rlm_unix
  531. # Loading module "unix" from file /etc/raddb/mods-enabled/unix
  532. unix {
  533. radwtmp = "/var/log/radius/radwtmp"
  534. }
  535. Creating attribute Unix-Group
  536. # Loaded module rlm_unpack
  537. # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  538. # Loaded module rlm_utf8
  539. # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  540. # Loaded module rlm_totp
  541. # Loading module "totp" from file /etc/raddb/mods-enabled/totp
  542. instantiate {
  543. }
  544. # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  545. # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  546. # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  547. # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  548. # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  549. # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  550. # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  551. # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  552. # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  553. # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  554. reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  555. # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  556. reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  557. # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  558. reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
  559. # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  560. reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  561. # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  562. reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  563. # Instantiating module "attr_filter.coa" from file /etc/raddb/mods-enabled/attr_filter
  564. reading pairlist file /etc/raddb/mods-config/attr_filter/coa
  565. # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
  566. # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  567. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  568. # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  569. # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  570. # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  571. # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
  572. # Linked to sub-module rlm_eap_md5
  573. # Linked to sub-module rlm_eap_gtc
  574. gtc {
  575. challenge = "Password: "
  576. auth_type = "PAP"
  577. }
  578. # Linked to sub-module rlm_eap_tls
  579. tls {
  580. tls = "tls-common"
  581. }
  582. tls-config tls-common {
  583. verify_depth = 0
  584. ca_path = "/etc/raddb/certs"
  585. pem_file_type = yes
  586. private_key_file = "/etc/raddb/certs/private-example-key.pem"
  587. certificate_file = "/etc/raddb/certs/private-example-cert.pem"
  588. ca_file = "/etc/raddb/certs/private-ca-cert.pem"
  589. private_key_password = <<< secret >>>
  590. fragment_size = 1024
  591. include_length = yes
  592. auto_chain = yes
  593. check_crl = no
  594. check_all_crl = no
  595. ca_path_reload_interval = 0
  596. cipher_list = "DEFAULT"
  597. cipher_server_preference = no
  598. reject_unknown_intermediate_ca = no
  599. ecdh_curve = "prime256v1"
  600. tls_max_version = "1.2"
  601. tls_min_version = "1.2"
  602. cache {
  603. enable = yes
  604. lifetime = 24
  605. name = "EAP-TLS"
  606. max_entries = 255
  607. }
  608. verify {
  609. skip_if_ocsp_ok = no
  610. }
  611. ocsp {
  612. enable = no
  613. override_cert_url = yes
  614. url = "http://127.0.0.1/ocsp/"
  615. use_nonce = yes
  616. timeout = 0
  617. softfail = no
  618. }
  619. }
  620. # Linked to sub-module rlm_eap_ttls
  621. ttls {
  622. tls = "tls-peap"
  623. default_eap_type = "md5"
  624. copy_request_to_tunnel = no
  625. use_tunneled_reply = no
  626. virtual_server = "inner-tunnel"
  627. include_length = yes
  628. require_client_cert = no
  629. }
  630. tls-config tls-peap {
  631. verify_depth = 0
  632. ca_path = "/etc/raddb/certs"
  633. pem_file_type = yes
  634. private_key_file = "/etc/raddb/certs/public-example-key.pem"
  635. certificate_file = "/etc/raddb/certs/public-example-cert.pem"
  636. ca_file = "/etc/raddb/certs/public-ca-cert.pem"
  637. private_key_password = <<< secret >>>
  638. fragment_size = 1024
  639. include_length = yes
  640. auto_chain = yes
  641. check_crl = no
  642. check_all_crl = no
  643. ca_path_reload_interval = 0
  644. cipher_list = "TLSv1.2"
  645. cipher_server_preference = no
  646. reject_unknown_intermediate_ca = no
  647. ecdh_curve = "prime256v1"
  648. tls_max_version = "1.2"
  649. tls_min_version = "1.2"
  650. cache {
  651. enable = yes
  652. lifetime = 24
  653. name = "EAP-PEAP"
  654. max_entries = 255
  655. }
  656. verify {
  657. skip_if_ocsp_ok = no
  658. }
  659. ocsp {
  660. enable = no
  661. override_cert_url = yes
  662. url = "http://127.0.0.1/ocsp/"
  663. use_nonce = yes
  664. timeout = 0
  665. softfail = no
  666. }
  667. }
  668. # Linked to sub-module rlm_eap_peap
  669. peap {
  670. tls = "tls-peap"
  671. default_eap_type = "mschapv2"
  672. copy_request_to_tunnel = no
  673. use_tunneled_reply = no
  674. proxy_tunneled_request_as_eap = yes
  675. virtual_server = "inner-tunnel"
  676. soh = no
  677. require_client_cert = no
  678. }
  679. tls: Using cached TLS configuration from previous invocation
  680. # Linked to sub-module rlm_eap_mschapv2
  681. mschapv2 {
  682. with_ntdomain_hack = no
  683. send_error = no
  684. }
  685. # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  686. # Instantiating module "files" from file /etc/raddb/mods-enabled/files
  687. reading pairlist file /etc/raddb/mods-config/files/authorize
  688. reading pairlist file /etc/raddb/mods-config/files/accounting
  689. reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  690. # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  691. # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  692. # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  693. # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
  694. rlm_mschap (mschap): using internal authentication
  695. # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  696. # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  697. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  698. # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  699. reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
  700. reading pairlist file /etc/raddb/mods-config/preprocess/hints
  701. # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  702. # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  703. # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
  704. # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  705. # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  706. } # modules
  707. radiusd: #### Loading Virtual Servers ####
  708. server { # from file /etc/raddb/radiusd.conf
  709. } # server
  710. server default { # from file /etc/raddb/sites-enabled/default
  711. # Loading authenticate {...}
  712. Compiling Auth-Type PAP for attr Auth-Type
  713. Compiling Auth-Type CHAP for attr Auth-Type
  714. Compiling Auth-Type MS-CHAP for attr Auth-Type
  715. # Loading authorize {...}
  716. Ignoring "sql" (see raddb/mods-available/README.rst)
  717. Ignoring "ldap" (see raddb/mods-available/README.rst)
  718. Compiling Autz-Type New-TLS-Connection for attr Autz-Type
  719. # Loading preacct {...}
  720. # Loading accounting {...}
  721. # Loading post-auth {...}
  722. Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
  723. Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
  724. Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
  725. } # server default
  726. server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
  727. # Loading authenticate {...}
  728. Compiling Auth-Type PAP for attr Auth-Type
  729. Compiling Auth-Type CHAP for attr Auth-Type
  730. Compiling Auth-Type MS-CHAP for attr Auth-Type
  731. # Loading authorize {...}
  732. # Loading session {...}
  733. # Loading post-auth {...}
  734. # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:366
  735. Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
  736. } # server inner-tunnel
  737. radiusd: #### Opening IP addresses and Ports ####
  738. listen {
  739. type = "auth"
  740. ipaddr = *
  741. port = 0
  742. limit {
  743. max_connections = 16
  744. lifetime = 0
  745. idle_timeout = 30
  746. }
  747. }
  748. listen {
  749. type = "acct"
  750. ipaddr = *
  751. port = 0
  752. limit {
  753. max_connections = 16
  754. lifetime = 0
  755. idle_timeout = 30
  756. }
  757. }
  758. listen {
  759. type = "auth"
  760. ipv6addr = ::
  761. port = 0
  762. limit {
  763. max_connections = 16
  764. lifetime = 0
  765. idle_timeout = 30
  766. }
  767. }
  768. listen {
  769. type = "acct"
  770. ipv6addr = ::
  771. port = 0
  772. limit {
  773. max_connections = 16
  774. lifetime = 0
  775. idle_timeout = 30
  776. }
  777. }
  778. listen {
  779. type = "auth"
  780. ipaddr = 127.0.0.1
  781. port = 18120
  782. }
  783. Listening on auth address * port 1812 bound to server default
  784. Listening on acct address * port 1813 bound to server default
  785. Listening on auth address :: port 1812 bound to server default
  786. Listening on acct address :: port 1813 bound to server default
  787. Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
  788. Ready to process requests
  789. (0) Received Access-Request Id 159 from 192.168.1.3:48663 to 192.168.1.2:1812 length 129
  790. (0) NAS-IP-Address = 192.168.1.3
  791. (0) NAS-Port = 1
  792. (0) User-Name = "johndoe"
  793. (0) Called-Station-Id = "14-49-BC-48-13-10"
  794. (0) Calling-Station-Id = "A8-5E-45-C5-38-4A"
  795. (0) Service-Type = Framed-User
  796. (0) Framed-MTU = 1300
  797. (0) NAS-Port-Type = Ethernet
  798. (0) Message-Authenticator = 0x41b721a635ba9fb371e93ada07887c81
  799. (0) EAP-Message = 0x0201000c016a6f686e646f65
  800. (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
  801. (0) authorize {
  802. (0) policy filter_username {
  803. (0) if (&User-Name) {
  804. (0) if (&User-Name) -> TRUE
  805. (0) if (&User-Name) {
  806. (0) if (&User-Name =~ / /) {
  807. (0) if (&User-Name =~ / /) -> FALSE
  808. (0) if (&User-Name =~ /@[^@]*@/ ) {
  809. (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  810. (0) if (&User-Name =~ /\.\./ ) {
  811. (0) if (&User-Name =~ /\.\./ ) -> FALSE
  812. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  813. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  814. (0) if (&User-Name =~ /\.$/) {
  815. (0) if (&User-Name =~ /\.$/) -> FALSE
  816. (0) if (&User-Name =~ /@\./) {
  817. (0) if (&User-Name =~ /@\./) -> FALSE
  818. (0) } # if (&User-Name) = notfound
  819. (0) } # policy filter_username = notfound
  820. (0) [preprocess] = ok
  821. (0) [chap] = noop
  822. (0) [mschap] = noop
  823. (0) [digest] = noop
  824. (0) suffix: Checking for suffix after "@"
  825. (0) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  826. (0) suffix: Found realm "NULL"
  827. (0) suffix: Adding Stripped-User-Name = "johndoe"
  828. (0) suffix: Adding Realm = "NULL"
  829. (0) suffix: Authentication realm is LOCAL
  830. (0) [suffix] = ok
  831. (0) eap: Peer sent EAP Response (code 2) ID 1 length 12
  832. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  833. (0) [eap] = ok
  834. (0) } # authorize = ok
  835. (0) Found Auth-Type = eap
  836. (0) # Executing group from file /etc/raddb/sites-enabled/default
  837. (0) authenticate {
  838. (0) eap: Peer sent packet with method EAP Identity (1)
  839. (0) eap: Calling submodule eap_tls to process data
  840. (0) eap_tls: (TLS) Initiating new session
  841. (0) eap_tls: (TLS) Setting verify mode to require certificate from client
  842. (0) eap: Sending EAP Request (code 1) ID 2 length 6
  843. (0) eap: EAP session adding &reply:State = 0xbf9ecf57bf9cc239
  844. (0) [eap] = handled
  845. (0) } # authenticate = handled
  846. (0) Using Post-Auth-Type Challenge
  847. (0) # Executing group from file /etc/raddb/sites-enabled/default
  848. (0) Challenge { ... } # empty sub-section is ignored
  849. (0) session-state: Saving cached attributes
  850. (0) Framed-MTU = 1014
  851. (0) Sent Access-Challenge Id 159 from 192.168.1.2:1812 to 192.168.1.3:48663 length 64
  852. (0) EAP-Message = 0x010200060d20
  853. (0) Message-Authenticator = 0x00000000000000000000000000000000
  854. (0) State = 0xbf9ecf57bf9cc2396307944d4ca27895
  855. (0) Finished request
  856. Waking up in 4.9 seconds.
  857. (1) Received Access-Request Id 159 from 192.168.1.3:20127 to 192.168.1.2:1812 length 325
  858. (1) NAS-IP-Address = 192.168.1.3
  859. (1) NAS-Port = 1
  860. (1) User-Name = "johndoe"
  861. (1) Called-Station-Id = "14-49-BC-48-13-10"
  862. (1) Calling-Station-Id = "A8-5E-45-C5-38-4A"
  863. (1) Service-Type = Framed-User
  864. (1) Framed-MTU = 1300
  865. (1) NAS-Port-Type = Ethernet
  866. (1) Message-Authenticator = 0xb13e1e0f73ba45e397b651c73d68968a
  867. (1) EAP-Message = 0x020200be0d0016030100b3010000af0303a40a13201ef9df15bb2a6f7e43d562b3f5a13b6c37f8b49a57e9accb06504b81000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
  868. (1) State = 0xbf9ecf57bf9cc2396307944d4ca27895
  869. (1) Restoring &session-state
  870. (1) &session-state:Framed-MTU = 1014
  871. (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
  872. (1) authorize {
  873. (1) policy filter_username {
  874. (1) if (&User-Name) {
  875. (1) if (&User-Name) -> TRUE
  876. (1) if (&User-Name) {
  877. (1) if (&User-Name =~ / /) {
  878. (1) if (&User-Name =~ / /) -> FALSE
  879. (1) if (&User-Name =~ /@[^@]*@/ ) {
  880. (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  881. (1) if (&User-Name =~ /\.\./ ) {
  882. (1) if (&User-Name =~ /\.\./ ) -> FALSE
  883. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  884. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  885. (1) if (&User-Name =~ /\.$/) {
  886. (1) if (&User-Name =~ /\.$/) -> FALSE
  887. (1) if (&User-Name =~ /@\./) {
  888. (1) if (&User-Name =~ /@\./) -> FALSE
  889. (1) } # if (&User-Name) = notfound
  890. (1) } # policy filter_username = notfound
  891. (1) [preprocess] = ok
  892. (1) [chap] = noop
  893. (1) [mschap] = noop
  894. (1) [digest] = noop
  895. (1) suffix: Checking for suffix after "@"
  896. (1) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  897. (1) suffix: Found realm "NULL"
  898. (1) suffix: Adding Stripped-User-Name = "johndoe"
  899. (1) suffix: Adding Realm = "NULL"
  900. (1) suffix: Authentication realm is LOCAL
  901. (1) [suffix] = ok
  902. (1) eap: Peer sent EAP Response (code 2) ID 2 length 190
  903. (1) eap: No EAP Start, assuming it's an on-going EAP conversation
  904. (1) [eap] = updated
  905. (1) [files] = noop
  906. (1) [expiration] = noop
  907. (1) [logintime] = noop
  908. (1) [pap] = noop
  909. (1) } # authorize = updated
  910. (1) Found Auth-Type = eap
  911. (1) # Executing group from file /etc/raddb/sites-enabled/default
  912. (1) authenticate {
  913. (1) eap: Expiring EAP session with state 0xbf9ecf57bf9cc239
  914. (1) eap: Finished EAP session with state 0xbf9ecf57bf9cc239
  915. (1) eap: Previous EAP request found for state 0xbf9ecf57bf9cc239, released from the list
  916. (1) eap: Peer sent packet with method EAP TLS (13)
  917. (1) eap: Calling submodule eap_tls to process data
  918. (1) eap_tls: (TLS) EAP Got final fragment (184 bytes)
  919. (1) eap_tls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
  920. (1) eap_tls: (TLS) EAP Done initial handshake
  921. (1) eap_tls: (TLS) Handshake state - before SSL initialization
  922. (1) eap_tls: (TLS) Handshake state - Server before SSL initialization
  923. (1) eap_tls: (TLS) Handshake state - Server before SSL initialization
  924. (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
  925. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
  926. (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
  927. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
  928. (1) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
  929. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
  930. (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
  931. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
  932. (1) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
  933. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
  934. (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
  935. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
  936. (1) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
  937. (1) eap_tls: (TLS) In Handshake Phase
  938. (1) eap: Sending EAP Request (code 1) ID 3 length 1024
  939. (1) eap: EAP session adding &reply:State = 0xbf9ecf57be9dc239
  940. (1) [eap] = handled
  941. (1) } # authenticate = handled
  942. (1) Using Post-Auth-Type Challenge
  943. (1) # Executing group from file /etc/raddb/sites-enabled/default
  944. (1) Challenge { ... } # empty sub-section is ignored
  945. (1) session-state: Saving cached attributes
  946. (1) Framed-MTU = 1014
  947. (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  948. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  949. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  950. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  951. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  952. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  953. (1) Sent Access-Challenge Id 159 from 192.168.1.2:1812 to 192.168.1.3:20127 length 1090
  954. (1) EAP-Message = 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
  955. (1) Message-Authenticator = 0x00000000000000000000000000000000
  956. (1) State = 0xbf9ecf57be9dc2396307944d4ca27895
  957. (1) Finished request
  958. Waking up in 4.9 seconds.
  959. (2) Received Access-Request Id 159 from 192.168.1.3:47921 to 192.168.1.2:1812 length 141
  960. (2) NAS-IP-Address = 192.168.1.3
  961. (2) NAS-Port = 1
  962. (2) User-Name = "johndoe"
  963. (2) Called-Station-Id = "14-49-BC-48-13-10"
  964. (2) Calling-Station-Id = "A8-5E-45-C5-38-4A"
  965. (2) Service-Type = Framed-User
  966. (2) Framed-MTU = 1300
  967. (2) NAS-Port-Type = Ethernet
  968. (2) Message-Authenticator = 0x06b655420287a1588fa96f45a1c54ff6
  969. (2) EAP-Message = 0x020300060d00
  970. (2) State = 0xbf9ecf57be9dc2396307944d4ca27895
  971. (2) Restoring &session-state
  972. (2) &session-state:Framed-MTU = 1014
  973. (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  974. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  975. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  976. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  977. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  978. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  979. (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
  980. (2) authorize {
  981. (2) policy filter_username {
  982. (2) if (&User-Name) {
  983. (2) if (&User-Name) -> TRUE
  984. (2) if (&User-Name) {
  985. (2) if (&User-Name =~ / /) {
  986. (2) if (&User-Name =~ / /) -> FALSE
  987. (2) if (&User-Name =~ /@[^@]*@/ ) {
  988. (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  989. (2) if (&User-Name =~ /\.\./ ) {
  990. (2) if (&User-Name =~ /\.\./ ) -> FALSE
  991. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  992. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  993. (2) if (&User-Name =~ /\.$/) {
  994. (2) if (&User-Name =~ /\.$/) -> FALSE
  995. (2) if (&User-Name =~ /@\./) {
  996. (2) if (&User-Name =~ /@\./) -> FALSE
  997. (2) } # if (&User-Name) = notfound
  998. (2) } # policy filter_username = notfound
  999. (2) [preprocess] = ok
  1000. (2) [chap] = noop
  1001. (2) [mschap] = noop
  1002. (2) [digest] = noop
  1003. (2) suffix: Checking for suffix after "@"
  1004. (2) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1005. (2) suffix: Found realm "NULL"
  1006. (2) suffix: Adding Stripped-User-Name = "johndoe"
  1007. (2) suffix: Adding Realm = "NULL"
  1008. (2) suffix: Authentication realm is LOCAL
  1009. (2) [suffix] = ok
  1010. (2) eap: Peer sent EAP Response (code 2) ID 3 length 6
  1011. (2) eap: No EAP Start, assuming it's an on-going EAP conversation
  1012. (2) [eap] = updated
  1013. (2) [files] = noop
  1014. (2) [expiration] = noop
  1015. (2) [logintime] = noop
  1016. (2) [pap] = noop
  1017. (2) } # authorize = updated
  1018. (2) Found Auth-Type = eap
  1019. (2) # Executing group from file /etc/raddb/sites-enabled/default
  1020. (2) authenticate {
  1021. (2) eap: Expiring EAP session with state 0xbf9ecf57be9dc239
  1022. (2) eap: Finished EAP session with state 0xbf9ecf57be9dc239
  1023. (2) eap: Previous EAP request found for state 0xbf9ecf57be9dc239, released from the list
  1024. (2) eap: Peer sent packet with method EAP TLS (13)
  1025. (2) eap: Calling submodule eap_tls to process data
  1026. (2) eap_tls: (TLS) Peer ACKed our handshake fragment
  1027. (2) eap: Sending EAP Request (code 1) ID 4 length 1024
  1028. (2) eap: EAP session adding &reply:State = 0xbf9ecf57bd9ac239
  1029. (2) [eap] = handled
  1030. (2) } # authenticate = handled
  1031. (2) Using Post-Auth-Type Challenge
  1032. (2) # Executing group from file /etc/raddb/sites-enabled/default
  1033. (2) Challenge { ... } # empty sub-section is ignored
  1034. (2) session-state: Saving cached attributes
  1035. (2) Framed-MTU = 1014
  1036. (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1037. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1038. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1039. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1040. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1041. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1042. (2) Sent Access-Challenge Id 159 from 192.168.1.2:1812 to 192.168.1.3:47921 length 1090
  1043. (2) EAP-Message = 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
  1044. (2) Message-Authenticator = 0x00000000000000000000000000000000
  1045. (2) State = 0xbf9ecf57bd9ac2396307944d4ca27895
  1046. (2) Finished request
  1047. Waking up in 4.9 seconds.
  1048. (3) Received Access-Request Id 159 from 192.168.1.3:21790 to 192.168.1.2:1812 length 141
  1049. (3) NAS-IP-Address = 192.168.1.3
  1050. (3) NAS-Port = 1
  1051. (3) User-Name = "johndoe"
  1052. (3) Called-Station-Id = "14-49-BC-48-13-10"
  1053. (3) Calling-Station-Id = "A8-5E-45-C5-38-4A"
  1054. (3) Service-Type = Framed-User
  1055. (3) Framed-MTU = 1300
  1056. (3) NAS-Port-Type = Ethernet
  1057. (3) Message-Authenticator = 0x64061962ae9135dcc218c7a246a9377d
  1058. (3) EAP-Message = 0x020400060d00
  1059. (3) State = 0xbf9ecf57bd9ac2396307944d4ca27895
  1060. (3) Restoring &session-state
  1061. (3) &session-state:Framed-MTU = 1014
  1062. (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1063. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1064. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1065. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1066. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1067. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1068. (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1069. (3) authorize {
  1070. (3) policy filter_username {
  1071. (3) if (&User-Name) {
  1072. (3) if (&User-Name) -> TRUE
  1073. (3) if (&User-Name) {
  1074. (3) if (&User-Name =~ / /) {
  1075. (3) if (&User-Name =~ / /) -> FALSE
  1076. (3) if (&User-Name =~ /@[^@]*@/ ) {
  1077. (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1078. (3) if (&User-Name =~ /\.\./ ) {
  1079. (3) if (&User-Name =~ /\.\./ ) -> FALSE
  1080. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1081. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1082. (3) if (&User-Name =~ /\.$/) {
  1083. (3) if (&User-Name =~ /\.$/) -> FALSE
  1084. (3) if (&User-Name =~ /@\./) {
  1085. (3) if (&User-Name =~ /@\./) -> FALSE
  1086. (3) } # if (&User-Name) = notfound
  1087. (3) } # policy filter_username = notfound
  1088. (3) [preprocess] = ok
  1089. (3) [chap] = noop
  1090. (3) [mschap] = noop
  1091. (3) [digest] = noop
  1092. (3) suffix: Checking for suffix after "@"
  1093. (3) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1094. (3) suffix: Found realm "NULL"
  1095. (3) suffix: Adding Stripped-User-Name = "johndoe"
  1096. (3) suffix: Adding Realm = "NULL"
  1097. (3) suffix: Authentication realm is LOCAL
  1098. (3) [suffix] = ok
  1099. (3) eap: Peer sent EAP Response (code 2) ID 4 length 6
  1100. (3) eap: No EAP Start, assuming it's an on-going EAP conversation
  1101. (3) [eap] = updated
  1102. (3) [files] = noop
  1103. (3) [expiration] = noop
  1104. (3) [logintime] = noop
  1105. (3) [pap] = noop
  1106. (3) } # authorize = updated
  1107. (3) Found Auth-Type = eap
  1108. (3) # Executing group from file /etc/raddb/sites-enabled/default
  1109. (3) authenticate {
  1110. (3) eap: Expiring EAP session with state 0xbf9ecf57bd9ac239
  1111. (3) eap: Finished EAP session with state 0xbf9ecf57bd9ac239
  1112. (3) eap: Previous EAP request found for state 0xbf9ecf57bd9ac239, released from the list
  1113. (3) eap: Peer sent packet with method EAP TLS (13)
  1114. (3) eap: Calling submodule eap_tls to process data
  1115. (3) eap_tls: (TLS) Peer ACKed our handshake fragment
  1116. (3) eap: Sending EAP Request (code 1) ID 5 length 922
  1117. (3) eap: EAP session adding &reply:State = 0xbf9ecf57bc9bc239
  1118. (3) [eap] = handled
  1119. (3) } # authenticate = handled
  1120. (3) Using Post-Auth-Type Challenge
  1121. (3) # Executing group from file /etc/raddb/sites-enabled/default
  1122. (3) Challenge { ... } # empty sub-section is ignored
  1123. (3) session-state: Saving cached attributes
  1124. (3) Framed-MTU = 1014
  1125. (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1126. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1127. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1128. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1129. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1130. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1131. (3) Sent Access-Challenge Id 159 from 192.168.1.2:1812 to 192.168.1.3:21790 length 986
  1132. (3) EAP-Message = 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
  1133. (3) Message-Authenticator = 0x00000000000000000000000000000000
  1134. (3) State = 0xbf9ecf57bc9bc2396307944d4ca27895
  1135. (3) Finished request
  1136. Waking up in 4.9 seconds.
  1137. (0) Cleaning up request packet ID 159 with timestamp +17 due to cleanup_delay was reached
  1138. (1) Cleaning up request packet ID 159 with timestamp +17 due to cleanup_delay was reached
  1139. (2) Cleaning up request packet ID 159 with timestamp +17 due to cleanup_delay was reached
  1140. (3) Cleaning up request packet ID 159 with timestamp +17 due to cleanup_delay was reached
  1141. Ready to process requests
  1142.  
Tags: 802.1X