FreeRadius, Eduroam, and me...


FreeRadius, Eduroam, and me...

Tim Young
This is using FreeRADIUS Version 3.0.16

I find myself in the middle of an odd situation.  I am not directly part
of any of this, but I have root permissions and everyone involved is
asking me to fix what they have deployed.  :(


The site that I have permissions for has recently deployed a free-radius
server to use as an eduroam endpoint, authenticating off their Active
Directory.  They managed to get it to work such that they can properly
authenticate using "radtest -t mschap ..."

The consultant setting that up smiled smugly at that success and then
left.  But the access from outside, using the same credentials, fails. 
A consultant working at the far end is telling my friends that it is
broken, and in asking that consultant if they can give us info from any
of their working sites, we find out that none of their client sites are
working with this configuration.  So, I do not know if it is my fault,
or theirs... Oh Joy.


Running "freeradius -xX" and looking at the failure and the success, and
I can see a dramatic difference:

The working connection:

Sat Jun 20 14:10:22 2020 : Info: Ready to process requests
Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180
from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
Sat Jun 20 14:10:25 2020 : Debug: (1) User-Name = "[hidden email]"
Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-IP-Address = 10.1.2.11
Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-Port = 1812
Sat Jun 20 14:10:25 2020 : Debug: (1) Message-Authenticator =
0xc89e50f3f488393d2b4738522be27bcc
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Challenge = 0x8860d7d61af05416
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Response =
0x000SOMEBIGLONGNUMBER
Sat Jun 20 14:10:25 2020 : Debug: (1) session-state: No State attribute
Sat Jun 20 14:10:25 2020 : Debug: (1) # Executing section authorize from


The failed connection:

Sat Jun 20 12:26:22 2020 : Info: Ready to process requests
Sat Jun 20 12:27:05 2020 : Debug: (2) Received Access-Request Id 11 from
[outsideIP]:37127 to 10.1.2.11:1812 length 91
Sat Jun 20 12:27:05 2020 : Debug: (2) User-Name = "[hidden email]"
Sat Jun 20 12:27:05 2020 : Debug: (2) User-Password = "ActualTextPassword"
Sat Jun 20 12:27:05 2020 : Debug: (2) NAS-IP-Address = [secondIP]
Sat Jun 20 12:27:05 2020 : Debug: (2) Proxy-State = 0x313632
Sat Jun 20 12:27:05 2020 : Debug: (2) session-state: No State attribute
Sat Jun 20 12:27:05 2020 : Debug: (2) # Executing section authorize from
file /etc/freeradius/3.0/sitesenabled/eduroam


We are authenticating off of an internal MS Domain Controller, so we
need mschap configured, and on the failed connection we are getting:

Sat Jun 20 12:27:05 2020 : Debug: (2) modsingle[authorize]: calling
mschap (rlm_mschap)
Sat Jun 20 12:27:05 2020 : Debug: (2) modsingle[authorize]: returned
from mschap (rlm_mschap)
Sat Jun 20 12:27:05 2020 : Debug: (2) [mschap] = noop

And eventually:

Sat Jun 20 12:27:05 2020 : ERROR: (2) No Auth-Type found: rejecting the
user via Post-Auth-Type = Reject
Sat Jun 20 12:27:05 2020 : Debug: (2) Failed to authenticate the user
Sat Jun 20 12:27:05 2020 : Debug: (2) Using Post-Auth-Type Reject


Not knowing what I am stepping into, I am a bit unsure where to begin.
In checking with the people involved, the incoming request may be
correct, or it may have issues.  The local configuration may have
issues, or it may be correct...  Any clues as to how I should begin to
figure out which area has the problem, and then any pointers for how to
fix it?

What do you need from your end to be able to ask good questions?

     - Tim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius, Eduroam, and me...

Matthew Newton-3


On 20/06/2020 20:08, Tim Young wrote:
> The site that I have permissions for has recently deployed a free-radius
> server to use as an eduroam endpoint, authenticating off their Active
> Directory.  They managed to get it to work such that they can properly
> authenticate using "radtest -t mschap ..."

That's not a good indicator for a start. eduroam uses EAP. The only way
that radtest will work against an EAP configuration is by pointing it
directly at the inner-tunnel config, which won't test half of the
eduroam setup.

> Running "freeradius -xX" and looking at the failure and the success, and
> I can see a dramatic difference:

Use "freeradius -X" - the extra '-x's just add things you don't need and
confuse matters in 99% of situations.

> The working connection:
>
> Sat Jun 20 14:10:22 2020 : Info: Ready to process requests
> Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180
> from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
> Sat Jun 20 14:10:25 2020 : Debug: (1) User-Name = "[hidden email]"
> Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-IP-Address = 10.1.2.11
> Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-Port = 1812
> Sat Jun 20 14:10:25 2020 : Debug: (1) Message-Authenticator =
> 0xc89e50f3f488393d2b4738522be27bcc
> Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Challenge =
> 0x8860d7d61af05416
> Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Response =
> 0x000SOMEBIGLONGNUMBER
> Sat Jun 20 14:10:25 2020 : Debug: (1) session-state: No State attribute
> Sat Jun 20 14:10:25 2020 : Debug: (1) # Executing section authorize from

Working in what sense? That's not EAP (there's no EAP-Message
attribute), so won't work with eduroam.

Have you tried it via a wireless AP/controller?

> The failed connection:
>
> Sat Jun 20 12:26:22 2020 : Info: Ready to process requests
> Sat Jun 20 12:27:05 2020 : Debug: (2) Received Access-Request Id 11 from
> [outsideIP]:37127 to 10.1.2.11:1812 length 91
> Sat Jun 20 12:27:05 2020 : Debug: (2) User-Name = "[hidden email]"
> Sat Jun 20 12:27:05 2020 : Debug: (2) User-Password = "ActualTextPassword"
> Sat Jun 20 12:27:05 2020 : Debug: (2) NAS-IP-Address = [secondIP]
> Sat Jun 20 12:27:05 2020 : Debug: (2) Proxy-State = 0x313632
> Sat Jun 20 12:27:05 2020 : Debug: (2) session-state: No State attribute
> Sat Jun 20 12:27:05 2020 : Debug: (2) # Executing section authorize from
> file /etc/freeradius/3.0/sitesenabled/eduroam

Sure, OK, so PAP isn't configured. But it shouldn't be for eduroam (at
least, not in the default outer server).

> Not knowing what I am stepping into, I am a bit unsure where to begin.
> In checking with the people involved, the incoming request may be
> correct, or it may have issues.  The local configuration may have
> issues, or it may be correct...  Any clues as to how I should begin to
> figure out which area has the problem, and then any pointers for how to
> fix it?
>
> What do you need from your end to be able to ask good questions?

The *full* FreeRADIUS debug output (just -X) for a start, not just
little bits. See

   https://wiki.freeradius.org/list-help

Have you got EAP working (in an eduroam setting or not)? It sounds like
you need an understanding of that for basics. What is the RADIUS client
you are using to test?

There's a basic guide to setting up FreeRADIUS for eduroam at

   https://wiki.freeradius.org/guide/eduroam

From what you've posted it doesn't sound like the server is set up
correctly at all. At least any good consultants would actually test that
the system works in the environment it was designed for, not with an
inappropriate test utility.

--
Matthew
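As an added example (not code from the thread or from the FreeRADIUS project), a small Python triage script that applies Matthew's check mechanically: it groups each Access-Request's attributes out of `freeradius -X` output, names the credential the packet actually carries (EAP-Message, MS-CHAP-Response or User-Password), and flags requests that are not EAP as well as requests rejected with "No Auth-Type found". The sample input re-joins the two requests quoted above onto single lines and adds a constructed EAP-Identity request (3); the line formats and request (3) are assumptions.

```python
"""Triage helper for FreeRADIUS 3.0 debug output (constructed example, not FreeRADIUS code).

Groups each request's attribute lines by request number, reports the credential the
Access-Request carries, and flags requests that cannot be eduroam traffic (eduroam only
sends EAP) or were rejected because no module set an Auth-Type. Reads both the
timestamped '-xX' lines quoted in this thread and plain '-X' lines ("(2)   User-Name = ...").
"""
import re
from dataclasses import dataclass, field

# Optional "-xX" prefix ("<timestamp> : <Level>: "), then "(<id>) <message>".
LINE_RE = re.compile(
    r"^(?:\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : (?P<level>\w+): )?"
    r"\((?P<rid>\d+)\) +(?P<msg>.*)$"
)
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+) = (?P<value>.+)$")
RECV_RE = re.compile(r"^Received (?P<code>[A-Za-z-]+) Id \d+ from (?P<src>\S+) to ")


@dataclass
class Request:
    rid: int
    code: str = ""
    src: str = ""
    attrs: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)

    def method(self) -> str:
        """Credential type carried by the packet."""
        if "EAP-Message" in self.attrs:
            return "EAP"        # what a wireless controller or an eduroam proxy sends
        if "MS-CHAP-Response" in self.attrs or "MS-CHAP2-Response" in self.attrs:
            return "MS-CHAP"    # what 'radtest -t mschap' sends: no EAP tunnel at all
        if "User-Password" in self.attrs:
            return "PAP"        # cleartext password in the outer request
        if "CHAP-Password" in self.attrs:
            return "CHAP"
        return "none"

    def proxied(self) -> bool:
        # Proxy-State is only ever added by an intermediate RADIUS proxy.
        return "Proxy-State" in self.attrs


def parse_debug(text: str) -> dict:
    """Collect per-request attributes and ERROR lines; other lines are ignored."""
    requests: dict = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # startup chatter, module config, blank lines
        req = requests.setdefault(int(m["rid"]), Request(int(m["rid"])))
        msg = m["msg"]
        if (r := RECV_RE.match(msg)):
            req.code, req.src = r["code"], r["src"]
        elif (a := ATTR_RE.match(msg)):
            req.attrs[a["name"]] = a["value"].strip('"')
        elif m["level"] == "ERROR" or msg.startswith("ERROR: "):
            req.errors.append(msg.removeprefix("ERROR: "))
    return requests


def findings(text: str) -> list:
    """One verdict line per Access-Request, in request order."""
    out = []
    for rid, req in sorted(parse_debug(text).items()):
        if req.code != "Access-Request":
            continue
        meth = req.method()
        note = f"({rid}) {meth} from {req.src}"
        if req.proxied():
            note += ", via proxy"
        if meth != "EAP":
            note += "; not EAP, so not a valid eduroam test"
        if any(e.startswith("No Auth-Type found") for e in req.errors):
            note += "; rejected: no module claimed it (Auth-Type unset)"
        out.append(note)
    return out


# Constructed sample: the two requests quoted in this thread (re-joined onto single
# lines) plus a made-up EAP-Identity request (3) of the kind a wireless AP would send.
SAMPLE_DEBUG = """\
Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180 from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
Sat Jun 20 14:10:25 2020 : Debug: (1) User-Name = "[hidden email]"
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Challenge = 0x8860d7d61af05416
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Response = 0x000SOMEBIGLONGNUMBER
Sat Jun 20 14:10:25 2020 : Debug: (1) session-state: No State attribute
Sat Jun 20 12:27:05 2020 : Debug: (2) Received Access-Request Id 11 from [outsideIP]:37127 to 10.1.2.11:1812 length 91
Sat Jun 20 12:27:05 2020 : Debug: (2) User-Name = "[hidden email]"
Sat Jun 20 12:27:05 2020 : Debug: (2) User-Password = "ActualTextPassword"
Sat Jun 20 12:27:05 2020 : Debug: (2) Proxy-State = 0x313632
Sat Jun 20 12:27:05 2020 : Debug: (2) [mschap] = noop
Sat Jun 20 12:27:05 2020 : ERROR: (2) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(3) Received Access-Request Id 5 from 10.1.2.50:32768 to 10.1.2.11:1812 length 120
(3)   User-Name = "anonymous@example.com"
(3)   EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_DEBUG):
        print(line)
```

Run it against a full `-X` capture instead of SAMPLE_DEBUG to get one verdict per request; anything reported as MS-CHAP or PAP in the outer eduroam server never went through an EAP tunnel.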

Re: FreeRadius, Eduroam, and me...

Tim Young
This is the debug from my setup where we are trying to authenticate from
an external eduroam server, through a free-radius server, and to a local
MS Domain controller.

If we use radtest with mschap, it works fine.  But we seem to have
something wrong with our eap...

     - Tim



FreeRADIUS Version 3.0.16

Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file
/etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/inner-eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/cui
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/eduroam
including configuration file
/etc/freeradius/3.0/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
  security {
      user = "freerad"
      group = "freerad"
      allow_core_dumps = no
  }
     name = "freeradius"
     prefix = "/usr"
     localstatedir = "/var"
     logdir = "/var/log/freeradius"
     run_dir = "/var/run/freeradius"
}
main {
     name = "freeradius"
     prefix = "/usr"
     localstatedir = "/var"
     sbindir = "/usr/sbin"
     logdir = "/var/log/freeradius"
     run_dir = "/var/run/freeradius"
     libdir = "/usr/lib/freeradius"
     radacctdir = "/var/log/freeradius/radacct"
     hostname_lookups = no
     max_request_time = 30
     cleanup_delay = 5
     max_requests = 16384
     pidfile = "/var/run/freeradius/freeradius.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = yes
  log {
      stripped_names = no
      auth = no
      auth_badpass = no
      auth_goodpass = no
      colourise = yes
      msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
      max_attributes = 200
      reject_delay = 1.000000
      status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
      retry_delay = 5
      retry_count = 3
      default_fallback = no
      dead_time = 120
      wake_all_if_all_dead = no
  }
  home_server localhost {
      ipaddr = 127.0.0.1
      port = 1812
      type = "auth"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server radius1-ktlr {
      ipaddr = 41.89.2.113
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 300
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server_pool my_auth_failover {
     type = fail-over
     home_server = localhost
  }
  realm example.com {
     auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  realm domain.ac.ke {
     authhost = LOCAL
  }
  realm NULL {
     nostrip
  }
  home_server_pool EDUROAM-FTLR {
     type = fail-over
     home_server = radius1-ktlr
  }
  realm DEFAULT {
     pool = EDUROAM-FTLR
     nostrip
  }
radiusd: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client localhost_ipv6 {
      ipv6addr = ::1
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client pac {
      ipaddr = 41.89.50.0/24
      require_message_authenticator = no
      secret = <<< secret >>>
      virtual_server = "eduroam"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client all-access-points {
      ipaddr = 10.0.0.0/8
      require_message_authenticator = no
      secret = <<< secret >>>
      virtual_server = "eduroam"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client flr {
      ipaddr = 41.89.2.113
      require_message_authenticator = no
      secret = <<< secret >>>
      virtual_server = "eduroam"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client kenet-radius {
      ipaddr = 41.204.160.28
      require_message_authenticator = no
      secret = <<< secret >>>
      virtual_server = "eduroam"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
Debugger not attached
  # Creating Auth-Type = eap
  # Creating Auth-Type = mschap
  # Creating Auth-Type = ntlm_auth
/etc/freeradius/3.0/sites-enabled/eduroam[24]: Duplicate module 'mschap'
  # Creating Auth-Type = PAP
  # Creating Auth-Type = CHAP
  # Creating Auth-Type = MS-CHAP
/etc/freeradius/3.0/sites-enabled/eduroam-inner-tunnel[18]: Duplicate
module 'mschap'
  # Creating Auth-Type = inner-eap
radiusd: #### Instantiating modules ####
  modules {
   # Loaded module rlm_chap
   # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
   # Loaded module rlm_radutmp
   # Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/var/log/freeradius/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_files
   # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
   files {
       filename = "/etc/freeradius/3.0/mods-config/files/authorize"
       acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
       preproxy_usersfile =
"/etc/freeradius/3.0/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_exec
   # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = "request"
       output_pairs = "reply"
       shell_escape = yes
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
   linelog {
       filename = "/var/log/freeradius/linelog"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
   linelog log_accounting {
       filename = "/var/log/freeradius/linelog-accounting"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = ""
       reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   # Loaded module rlm_replicate
   # Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
   # Loaded module rlm_sql
   # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
   sql {
       driver = "rlm_sql_mysql"
       server = "localhost"
       port = 3306
       login = "radius"
       password = <<< secret >>>
       radius_db = "radius"
       read_groups = yes
       read_profiles = yes
       read_clients = yes
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id, nasname, shortname, type, secret,
server FROM nas"
       authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
       authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
       group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
       simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username
= '%{SQL-User-Name}' AND acctstoptime IS NULL"
       simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}.query}"
     type {
      accounting-on {
          query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      accounting-off {
          query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      start {
          query = "INSERT INTO radacct (acctsessionid, acctuniqueid,   
     username, realm,            nasipaddress,     nasportid,
nasporttype,        acctstarttime, acctupdatetime, acctstoptime,       
acctsessiontime, acctauthentic, connectinfo_start,    connectinfo_stop,
acctinputoctets, acctoutputoctets,    calledstationid, callingstationid,
acctterminatecause,    servicetype, framedprotocol, framedipaddress)
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}')"
      }
      interim-update {
          query = "UPDATE radacct SET acctupdatetime  =
(@acctupdatetime_old:=acctupdatetime), acctupdatetime  =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval    =
%{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old),
framedipaddress = '%{Framed-IP-Address}', acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
      }
      stop {
          query = "UPDATE radacct SET acctstoptime    =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets    =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      }
     }
    }
    post-auth {
        reference = ".query"
        query = "INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
    }
   }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
   # Loaded module rlm_detail
   # Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
   detail {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
   # Loaded module rlm_soh
   # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
   soh {
       dhcp = yes
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
   cache cache_eap {
       driver = "rlm_cache_rbtree"
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
   passwd etc_passwd {
       filename = "/etc/passwd"
       format = "*User-Name:Crypt-Password:"
       delimiter = ":"
       ignore_nislike = no
       ignore_empty = yes
       allow_multiple_keys = no
       hash_size = 100
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
   unix {
       radwtmp = "/var/log/freeradius/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_expr
   # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
   expr {
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_always
   # Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
   always invalid {
       rcode = "invalid"
       simulcount = 0
       mpp = no
   }
   # Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
   always userlock {
       rcode = "userlock"
       simulcount = 0
       mpp = no
   }
   # Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
   realm IPASS {
       format = "prefix"
       delimiter = "/"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm suffix {
       format = "suffix"
       delimiter = "@"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm realmpercent {
       format = "suffix"
       delimiter = "%"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm ntdomain {
       format = "prefix"
       delimiter = "\\"
       ignore_default = no
       ignore_null = no
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
   pap {
       normalise = yes
   }
   # Loaded module rlm_mschap
   # Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
   mschap {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-pacuniversity}
--challenge=%{%{mschap:Challenge}:-01}
--nt-response=%{%{mschap:NT-Response}:-00}"
    passchange {
    }
       allow_retry = yes
       winbind_retry_with_normalised_username = no
   }
   # Loaded module rlm_unpack
   # Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
   # Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
   radutmp {
       filename = "/var/log/freeradius/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
   exec {
       wait = no
       input_pairs = "request"
       shell_escape = yes
       timeout = 10
   }
   # Loaded module rlm_eap
   # Loading module "inner-eap" from file
/etc/freeradius/3.0/mods-enabled/inner-eap
   eap inner-eap {
       default_eap_type = "mschapv2"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 2048
   }
   # Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail auth_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail reply_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail pre_proxy_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail post_proxy_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   eap {
       default_eap_type = "ttls"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 16384
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
   preprocess {
       huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
       hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
   exec ntlm_auth {
       wait = yes
       program = "/usr/bin/ntlm_auth --request-nt-key
--domain=PACUNIVERSITY.AC.KE --username=%{mschap:User-Name}
--password=%{User-Password}"
       shell_escape = yes
   }
   # Loaded module rlm_logintime
   # Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
   # Loaded module rlm_digest
   # Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
   instantiate {
   }
   # Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "sql" from file
/etc/freeradius/3.0/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.7.30
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
    pool {
        start = 5
        min = 3
        max = 32
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.5.5-10.3.23-MariaDB-1:10.3.23+maria~bionic-log,
protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.5.5-10.3.23-MariaDB-1:10.3.23+maria~bionic-log,
protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.5.5-10.3.23-MariaDB-1:10.3.23+maria~bionic-log,
protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.5.5-10.3.23-MariaDB-1:10.3.23+maria~bionic-log,
protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.5.5-10.3.23-MariaDB-1:10.3.23+maria~bionic-log,
protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname,
type, secret, server FROM nas
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.5.5-10.3.23-MariaDB-1:10.3.23+maria~bionic-log,
protocol version 10
   # Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
   # Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
   # Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
   # Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay"     found in filter list for realm
"DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
   # Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
   # Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "inner-eap" from file
/etc/freeradius/3.0/mods-enabled/inner-eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = yes
    }
    # Linked to sub-module rlm_eap_tls
    tls {
    }
TLS section "tls" missing, trying to use legacy configuration
    tls {
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
        certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
        ca_file = "/etc/ssl/certs/ca-certificates.crt"
        private_key_password = <<< secret >>>
        dh_file = "/etc/freeradius/3.0/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        tls_max_version = ""
        tls_min_version = "1.0"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = no
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
   # Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
   # Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_leap
    # Linked to sub-module rlm_eap_gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
    tls-config tls-common {
        verify_depth = 0
        ca_path = "/etc/freeradius/3.0/certs"
        pem_file_type = yes
        private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
        certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
        ca_file = "/etc/ssl/certs/ca-certificates.crt"
        private_key_password = <<< secret >>>
        dh_file = "/etc/freeradius/3.0/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        tls_max_version = ""
        tls_min_version = "1.0"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1/ocsp/"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "eduroam-inner-tunnel"
        soh = no
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
   # Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
   # Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
  } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server eduroam { # from file /etc/freeradius/3.0/sites-enabled/eduroam
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading pre-proxy {...}
  # Loading post-auth {...}
} # server eduroam
server eduroam-inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/eduroam-inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading post-auth {...}
} # server eduroam-inner-tunnel
server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
  # Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:339
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
       type = "auth"
       ipaddr = *
       port = 1812
}
listen {
       type = "acct"
       ipaddr = *
       port = 1813
}
Listening on auth address * port 1812 bound to server eduroam
Listening on acct address * port 1813 bound to server eduroam
Listening on proxy address * port 33261
Ready to process requests
(0) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812
length 38
(0)   Message-Authenticator = 0x4b61939b8f94a4f1c352529c2a631705
(0) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127
length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +23
Ready to process requests
(1) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812
length 38
(1)   Message-Authenticator = 0x3cbe7629d97c2481759bf2955192faad
(1) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127
length 0
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 0 with timestamp +52
Ready to process requests
(2) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812
length 38
(2)   Message-Authenticator = 0x80dad6ca55088bed059c0bc535a41f08
(2) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127
length 0
(2) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 0 with timestamp +80
Ready to process requests
(3) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812
length 38
(3)   Message-Authenticator = 0x025e7d270cff66a9a3e1e3e77df749ed
(3) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127
length 0
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 0 with timestamp +109
Ready to process requests
(4) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812
length 38
(4)   Message-Authenticator = 0x2825bec59ac31944ad43f13a04b83895
(4) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127
length 0
(4) Finished request
Waking up in 4.9 seconds.
(4) Cleaning up request packet ID 0 with timestamp +138
Ready to process requests
(5) Received Access-Request Id 16 from 41.89.2.113:37127 to
10.1.2.11:1812 length 90
(5)   User-Name = "[hidden email]"
(5)   User-Password = "MyFullPassword"
(5)   NAS-IP-Address = 197.137.71.11
(5)   Proxy-State = 0x3633
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/eduroam
(5)   authorize {
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "domain.ac.ke" for User-Name =
"[hidden email]"
(5) suffix: Found realm "domain.ac.ke"
(5) suffix: Adding Stripped-User-Name = "user"
(5) suffix: Adding Realm = "domain.ac.ke"
(5) suffix: Authentication realm is LOCAL
(5)     [suffix] = ok
(5) eap: No EAP-Message, not doing EAP
(5)     [eap] = noop
(5) pap: WARNING: No "known good" password found for the user.  Not
setting Auth-Type
(5) pap: WARNING: Authentication will fail unless a "known good"
password is available
(5)     [pap] = noop
(5) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log:    -->
/var/log/freeradius/radacct/41.89.2.113/auth-detail-20200620
(5) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/41.89.2.113/auth-detail-20200620
(5) auth_log: EXPAND %t
(5) auth_log:    --> Sat Jun 20 23:01:29 2020
(5)     [auth_log] = ok
(5)   } # authorize = ok
(5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(5)   Post-Auth-Type REJECT {
(5) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(5) reply_log:    -->
/var/log/freeradius/radacct/41.89.2.113/reply-detail-20200620
(5) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/41.89.2.113/reply-detail-20200620
(5) reply_log: EXPAND %t
(5) reply_log:    --> Sat Jun 20 23:01:29 2020
(5)     [reply_log] = ok
(5)   } # Post-Auth-Type REJECT = ok
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 16 from 10.1.2.11:1812 to 41.89.2.113:37127
length 24
(5)   Proxy-State = 0x3633
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 16 with timestamp +160
Ready to process requests

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius, Eduroam, and me...

Alan DeKok-2
On Jun 20, 2020, at 4:16 PM, Tim Young <[hidden email]> wrote:
>
> This is the debug from my setup where we are trying to authenticate from an external eduroam server, through a free-radius server, and to a local MS Domain controller.

  No, it's not.

  Read the debug output.  The client isn't sending EAP.  Eduroam works with EAP, not with packets containing User-Password.

> If we use radtest with mschap, it works fine.  But we seem to have something wrong with our eap...

  Then post a debug message where it uses EAP.

  But to be honest, if the configuration is broken and you're unfamiliar with FreeRADIUS, don't bother trying to debug it.

  Throw away the entire configuration, and start with the default configuration.  It works.

  Then, follow my guides at http://deployingradius.com

  They tell you how to do EAP, and how to connect FreeRADIUS to talk to Active Directory.  You can look at your existing configuration to get IP addresses, domain names, certificates, etc.

  The guide also tells you what testing tools to use, and how those tools work.  And what to do if the tests fail.

  Follow the guide step by step.  It *will* work.

  Right now, you're trying to debug things you know nothing about, using tools you're unfamiliar with.  Even if it works, this process will be tedious and frustrating.

  Or, you can start with a known working configuration, and follow a step-by-step guide to get it to work.  It should take you less than a day to get things back up and running.

  The short summary is that someone butchered your local configuration for reasons unknown.  Instead of trying to fix a garbage configuration, just create a new one that works.

  Alan DeKok.



Re: FreeRadius, Eduroam, and me...

Alan Buxey
In reply to this post by Tim Young
hi,

> The consultant setting that up smiled smugly at that success and then
> left.  But the access from outside, using the same credentials, fails.

well, I can understand the happiness at getting the first Access-Accept working,
but it's not a good approach to getting repeat customers.

it takes about a day to get eduroam up and running at an Organisation - if
relevant stakeholders and ops people are around. otherwise it can drag
out to 2 days.

from a quick glance at the logs you sent - the requests from the FLR go to their
own FreeRadius virtual server 'eduroam' - good. easy to define auth policy there,
but it seems your internal eduroam things do too - that's not good. you should have
your own internal virtual server for internal eduroam (if requests are not your realm
and are valid realm format etc. send them off to the FLR; for your own users, auth and
then give relevant access VLANs etc.)

you appear to have duplicate modules lying around for mschap -

you have require_message_authenticator = no for NAS clients.
set that to yes; you should not be letting clients that don't have this
ability use your resources
(I ran eduroam at a site that was in eduroam from the early days and
we had this enforcement)

and finally, as others have already said, the incoming request being
targeted at you from the outside world is not an EAP request.  oh, regarding that,
in your eduroam virtual server, reject non EAP requests as first line protection anyway.

alan
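As an added example, not from this thread and not part of FreeRADIUS itself, here is a small Python triage script for `freeradius -X` debug output. It flags the two things the replies above point at: Access-Requests that arrive with User-Password and no EAP-Message (which the eduroam virtual server cannot authenticate, and which is exactly the "No Auth-Type found" rejection in the posted log), and client entries with `require_message_authenticator = no`. The debug text embedded in it is constructed to mirror the shape of the output posted above; the client names, IP addresses, user names and hex values in it are placeholders, and the function names (`parse_debug`, `triage`) are mine.

```python
"""Triage helper for FreeRADIUS 3.x `freeradius -X` debug output (added example)."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of the debug output posted in the thread.
# Addresses, names and hex values are placeholders, not real data.
SAMPLE_DEBUG = """\
radiusd: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
  }
  client flr {
      ipaddr = 203.0.113.10
      require_message_authenticator = no
      secret = <<< secret >>>
  }
  client good-ap {
      ipaddr = 10.0.0.0/8
      require_message_authenticator = yes
      secret = <<< secret >>>
  }
Ready to process requests
(5) Received Access-Request Id 16 from 203.0.113.10:37127 to 10.1.2.11:1812 length 90
(5)   User-Name = "user@example.ac.ke"
(5)   User-Password = "placeholder-password"
(5)   NAS-IP-Address = 198.51.100.11
(5)   Proxy-State = 0x3633
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
(5) eap: No EAP-Message, not doing EAP
(5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(5) Sent Access-Reject Id 16 from 10.1.2.11:1812 to 203.0.113.10:37127 length 24
(6) Received Access-Request Id 17 from 10.1.2.50:1645 to 10.1.2.11:1812 length 180
(6)   User-Name = "anon@example.ac.ke"
(6)   EAP-Message = 0x0200000901616e6f6e
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
(6) Sent Access-Challenge Id 17 from 10.1.2.11:1812 to 10.1.2.50:1645 length 64
"""


@dataclass
class Request:
    num: int
    code: str                 # RADIUS packet type, e.g. Access-Request
    src: str                  # ip:port of the client that sent it
    attrs: dict = field(default_factory=dict)
    server: str = ""          # virtual server that ran authorize for it
    reply: str = ""           # packet type of the reply, e.g. Access-Reject


RECEIVED = re.compile(r"^\((\d+)\) Received (\S+) Id \d+ from (\S+) to \S+")
ATTR = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+) = (.*)$")
SECTION = re.compile(r"^\((\d+)\) # Executing section \S+ from file \S*/sites-enabled/(\S+)")
SENT = re.compile(r"^\((\d+)\) Sent (\S+) Id")
CLIENT = re.compile(r"^\s*client (\S+) \{")
RMA = re.compile(r"^\s*require_message_authenticator = (yes|no)")


def parse_debug(text):
    """Return (clients, requests): client settings and one Request per packet."""
    clients, requests, in_header, current = {}, {}, set(), None
    for line in text.splitlines():
        if m := CLIENT.match(line):
            current = m.group(1)
            clients[current] = {"require_message_authenticator": None}
        elif (m := RMA.match(line)) and current:
            clients[current]["require_message_authenticator"] = m.group(1)
        elif m := RECEIVED.match(line):
            n = int(m.group(1))
            requests[n] = Request(n, m.group(2), m.group(3))
            in_header.add(n)            # attribute dump follows the Received line
        elif m := SECTION.match(line):
            n = int(m.group(1))
            in_header.discard(n)        # attribute dump is over once a section runs
            if n in requests:
                requests[n].server = m.group(2)
        elif (m := ATTR.match(line)) and int(m.group(1)) in in_header:
            requests[int(m.group(1))].attrs[m.group(2)] = m.group(3)
        elif (m := SENT.match(line)) and int(m.group(1)) in requests:
            requests[int(m.group(1))].reply = m.group(2)
            in_header.discard(int(m.group(1)))
    return clients, [requests[k] for k in sorted(requests)]


def triage(text):
    """List the findings a reviewer of this debug output would raise."""
    clients, requests = parse_debug(text)
    findings = []
    for name, cfg in clients.items():
        if cfg["require_message_authenticator"] == "no":
            findings.append(f"client {name}: require_message_authenticator = no")
    for r in requests:
        if r.code != "Access-Request":
            continue
        if "EAP-Message" not in r.attrs:
            how = "User-Password" if "User-Password" in r.attrs else "no password attribute"
            findings.append(f"request ({r.num}) from {r.src} in server {r.server or '?'}: "
                            f"no EAP-Message ({how}); reply was {r.reply or 'none'}")
        if "Message-Authenticator" not in r.attrs:
            findings.append(f"request ({r.num}) from {r.src}: no Message-Authenticator")
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG
    print("\n".join(triage(data)) or "no findings")
```

Run it as `freeradius -X 2>&1 | python3 triage.py` (or with no input to see the constructed sample). On the sample it reports the two clients without Message-Authenticator enforcement and that request (5) carried a plain User-Password with no EAP-Message and was rejected, while the EAP request (6) is clean. The matching configuration changes are the ones named above: `require_message_authenticator = yes` in each client block, and a first line in the eduroam server's authorize section that rejects requests without an EAP-Message, which in unlang can be written as `if (!EAP-Message) { reject }`.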

Re: FreeRadius, Eduroam, and me...

Tim Young
In reply to this post by Matthew Newton-3
As per some help from some of you all, I nuked the previous config and
walked through configuring from scratch.  I am getting a bit farther,
but still have some issues.   I am now testing through an eduroam
web-sign-in, where the actual main requests will come from.  It appears
to successfully authenticate via ntlm_auth, but then rejects me.

The below is an entirely different config than I had originally posted. 
I have done a search/replace on the user/domain/password just because I
do not like dumping that info onto the internet.

     - Tim

FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/cui
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
  security {
      user = "freerad"
      group = "freerad"
      allow_core_dumps = no
  }
     name = "freeradius"
     prefix = "/usr"
     localstatedir = "/var"
     logdir = "/var/log/freeradius"
     run_dir = "/var/run/freeradius"
}
main {
     name = "freeradius"
     prefix = "/usr"
     localstatedir = "/var"
     sbindir = "/usr/sbin"
     logdir = "/var/log/freeradius"
     run_dir = "/var/run/freeradius"
     libdir = "/usr/lib/freeradius"
     radacctdir = "/var/log/freeradius/radacct"
     hostname_lookups = no
     max_request_time = 30
     cleanup_delay = 5
     max_requests = 16384
     pidfile = "/var/run/freeradius/freeradius.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = yes
  log {
      stripped_names = no
      auth = no
      auth_badpass = no
      auth_goodpass = no
      colourise = yes
      msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
      max_attributes = 200
      reject_delay = 1.000000
      status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
      retry_delay = 5
      retry_count = 3
      default_fallback = no
      dead_time = 120
      wake_all_if_all_dead = no
  }
  home_server localhost {
      ipaddr = 127.0.0.1
      port = 1812
      type = "auth"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server radius1-ktlr {
      ipaddr = 41.89.2.113
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 300
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server_pool my_auth_failover {
     type = fail-over
     home_server = localhost
  }
  realm example.com {
     auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  realm my.domain.edu {
     authhost = LOCAL
  }
  realm NULL {
     nostrip
  }
  home_server_pool EDUROAM-FTLR {
     type = fail-over
     home_server = radius1-ktlr
  }
  realm DEFAULT {
     pool = EDUROAM-FTLR
     nostrip
  }
radiusd: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client localhost_ipv6 {
      ipv6addr = ::1
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client pac {
      ipaddr = 41.89.50.0/24
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client all-access-points {
      ipaddr = 10.0.0.0/8
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client flr {
      ipaddr = 41.89.2.113
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client kenet-radius {
      ipaddr = 41.204.160.28
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
Debugger not attached
  # Creating Auth-Type = ntlm_auth
  # Creating Auth-Type = mschap
  # Creating Auth-Type = digest
  # Creating Auth-Type = eap
  # Creating Auth-Type = PAP
  # Creating Auth-Type = CHAP
  # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
  modules {
   # Loaded module rlm_chap
   # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
   # Loaded module rlm_radutmp
   # Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/var/log/freeradius/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_files
   # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
   files {
       filename = "/etc/freeradius/3.0/mods-config/files/authorize"
       acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
       preproxy_usersfile =
"/etc/freeradius/3.0/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_exec
   # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = "request"
       output_pairs = "reply"
       shell_escape = yes
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
   linelog {
       filename = "/var/log/freeradius/linelog"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
   linelog log_accounting {
       filename = "/var/log/freeradius/linelog-accounting"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = ""
       reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   # Loaded module rlm_replicate
   # Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
   # Loaded module rlm_detail
   # Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
   detail {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
   # Loaded module rlm_soh
   # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
   soh {
       dhcp = yes
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
   cache cache_eap {
       driver = "rlm_cache_rbtree"
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
   passwd etc_passwd {
       filename = "/etc/passwd"
       format = "*User-Name:Crypt-Password:"
       delimiter = ":"
       ignore_nislike = no
       ignore_empty = yes
       allow_multiple_keys = no
       hash_size = 100
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
   unix {
       radwtmp = "/var/log/freeradius/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_expr
   # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
   expr {
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_always
   # Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
   always invalid {
       rcode = "invalid"
       simulcount = 0
       mpp = no
   }
   # Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
   always userlock {
       rcode = "userlock"
       simulcount = 0
       mpp = no
   }
   # Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
   realm IPASS {
       format = "prefix"
       delimiter = "/"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm suffix {
       format = "suffix"
       delimiter = "@"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm realmpercent {
       format = "suffix"
       delimiter = "%"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm ntdomain {
       format = "prefix"
       delimiter = "\\"
       ignore_default = no
       ignore_null = no
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
   pap {
       normalise = yes
   }
   # Loaded module rlm_mschap
   # Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
   mschap {
       use_mppe = yes
       require_encryption = no
       require_strong = no
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} --domain=%{%{mschap:NT-Domain}:-my.domain.edu} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    passchange {
    }
       allow_retry = yes
       winbind_retry_with_normalised_username = no
   }
   # Loaded module rlm_unpack
   # Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
   # Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
   radutmp {
       filename = "/var/log/freeradius/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
   exec {
       wait = no
       input_pairs = "request"
       shell_escape = yes
       timeout = 10
   }
   # Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail auth_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail reply_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail pre_proxy_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail post_proxy_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_eap
   # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   eap {
       default_eap_type = "md5"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 16384
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
   preprocess {
       huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
       hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
   exec ntlm_auth {
       wait = yes
       program = "/usr/bin/ntlm_auth --request-nt-key --domain=my.domain.edu --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} --password=%{User-Password}"
       shell_escape = yes
   }
   # Loaded module rlm_logintime
   # Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
   # Loaded module rlm_digest
   # Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
   instantiate {
   }
   # Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
   # Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
   # Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
   # Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"     found in filter list for realm "DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"     found in filter list for realm "DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
   # Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
   # Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
   # Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_leap
    # Linked to sub-module rlm_eap_gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
    tls-config tls-common {
        verify_depth = 0
        ca_path = "/etc/freeradius/3.0/certs"
        pem_file_type = yes
        private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
        certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
        ca_file = "/etc/ssl/certs/ca-certificates.crt"
        private_key_password = <<< secret >>>
        dh_file = "/etc/freeradius/3.0/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        tls_max_version = ""
        tls_min_version = "1.0"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1/ocsp/"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
   # Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
   # Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
  } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
  # Loading authenticate {...}
  # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
       type = "auth"
       ipaddr = *
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "acct"
       ipaddr = *
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "auth"
       ipv6addr = ::
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "acct"
       ipv6addr = ::
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "auth"
       ipaddr = 127.0.0.1
       port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 38801
Listening on proxy address :: port 37631
Ready to process requests
(0) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812 length 38
(0)   Message-Authenticator = 0x6e58e77f8e0a52c34adaf381623ab958
(0) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +4
Ready to process requests
(1) Received Access-Request Id 93 from 41.89.2.113:37127 to 10.1.2.11:1812 length 91
(1)   User-Name = "[hidden email]"
(1)   User-Password = "mypassinplaintext"
(1)   NAS-IP-Address = 197.137.71.11
(1)   Proxy-State = 0x313836
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "my.domain.edu" for User-Name = "[hidden email]"
(1) suffix: Found realm "my.domain.edu"
(1) suffix: Adding Stripped-User-Name = "mytextusername"
(1) suffix: Adding Realm = "my.domain.edu"
(1) suffix: Authentication realm is LOCAL
(1)     [suffix] = ok
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=my.domain.edu --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} --password=%{User-Password}:
(1) ntlm_auth: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(1) ntlm_auth:    --> --username=mytextusername
(1) ntlm_auth: EXPAND --password=%{User-Password}
(1) ntlm_auth:    --> --password=mypassinplaintext
(1) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: The operation completed successfully. (0x0)'
(1) ntlm_auth: Program executed successfully
(1)     [ntlm_auth] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> [hidden email]
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 93 from 10.1.2.11:1812 to 41.89.2.113:37127 length 25
(1)   Proxy-State = 0x313836
Waking up in 3.9 seconds.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius, Eduroam, and me...

Alan DeKok-2
On Jun 22, 2020, at 12:33 PM, Tim Young <[hidden email]> wrote:
>
> As per some help from some of you all, I nuked the previous config and walked through configuring from scratch.  I am getting a bit farther, but still have some issues.   I am now testing through an eduroam web-sign-in, where the actual main requests will come from.  It appears to successfully authenticate via ntlm_auth, but then rejects me.

  OK.

> The below is an entirely different config than I had originally posted.  I have done a search/replace on the user/domain/password just because I do not like dumping that info onto the internet.

  Sure.

> ...
> (1) eap: No EAP-Message, not doing EAP
> (1)     [eap] = noop
> (1)     [files] = noop
> (1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=my.domain.edu --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} --password=%{User-Password}:
> (1) ntlm_auth: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
> (1) ntlm_auth:    --> --username=mytextusername
> (1) ntlm_auth: EXPAND --password=%{User-Password}
> (1) ntlm_auth:    --> --password=mypassinplaintext
> (1) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: The operation completed successfully. (0x0)'
> (1) ntlm_auth: Program executed successfully
> (1)     [ntlm_auth] = ok

  Why is ntlm_auth listed in the "authorize" section?

  My guide is pretty clear on where it goes:

http://deployingradius.com/documents/configuration/active_directory.html

  Alan DeKok.


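The reject in the debug output above follows directly from where ntlm_auth sits. An exec module listed in "authorize" returns "ok" when the program exits 0, but that return code never sets Auth-Type, so the server reaches the end of "authorize" with nothing to run in "authenticate" and rejects the request ("No Auth-Type found"). The excerpt below is an added example written for this page, not the thread's configuration and not the FreeRADIUS project's shipped file; it shows the two stanzas that make this work in a 3.0 sites-enabled/default. "authorize" sets Auth-Type to ntlm_auth when the request carries a clear-text User-Password, and "authenticate" is where the ntlm_auth module actually runs. It assumes the ntlm_auth exec module exactly as it appears in the posted debug output (mods-enabled/ntlm_auth, --password=%{User-Password}); the other module calls are the stock 3.0 ordering visible in the trace.

```unlang
#  /etc/freeradius/3.0/sites-enabled/default (excerpt).  Added example:
#  only the ntlm_auth-related lines differ from the stock 3.0 file.

authorize {
    filter_username
    preprocess
    chap
    mschap
    digest
    suffix
    eap
    files

    #  A request that carries a clear-text User-Password (PAP) is the
    #  one case ntlm_auth can check, so route exactly those to it.  EAP,
    #  CHAP and MS-CHAP requests carry EAP-Message, CHAP-Password or
    #  MS-CHAP-Response instead and are left to the modules above.
    #  Do NOT list "ntlm_auth" itself in this section: an exec module
    #  here returns "ok" when the program exits 0, but that return code
    #  sets no Auth-Type, which is exactly the "No Auth-Type found:
    #  rejecting the user" seen in the debug output.
    if (&User-Password) {
        update control {
            &Auth-Type := ntlm_auth
        }
    }

    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }

    #  Naming the module here is what produces "# Creating Auth-Type =
    #  ntlm_auth" at start-up.  The module (mods-enabled/ntlm_auth) runs
    #  /usr/bin/ntlm_auth --request-nt-key --domain=... --username=...
    #  --password=%{User-Password}; exit status 0 (NT_STATUS_OK) becomes
    #  Access-Accept, anything else Access-Reject.
    Auth-Type ntlm_auth {
        ntlm_auth
    }

    mschap
    digest
    eap
}
```

After restarting with freeradius -X and replaying the same request, the "authorize" trace should end with "} # authorize = ok" followed by "Found Auth-Type = ntlm_auth", and the ntlm_auth EXPAND lines should appear under "Auth-Type ntlm_auth {" in "authenticate" rather than in "authorize". Two caveats a practitioner should keep in mind. First, --password=%{User-Password} puts the clear-text password on a command line, where any local user can read it from the process list for as long as ntlm_auth runs, and -X prints it in the EXPAND line (the poster redacted it above), so keep -X output out of shared logs and tickets. Second, this path only covers clear-text PAP; an eduroam supplicant, as opposed to this web sign-in, delivers a clear-text password inside EAP-TTLS, so the same two stanzas are needed in sites-enabled/inner-tunnel, while PEAP/MSCHAPv2 needs nothing extra because it ends in the mschap module, whose ntlm_auth = line is already present in the posted configuration.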

Re: FreeRadius, Eduroam, and me...

Tim Young

>   Why is ntlm_auth listed in the "authorize" section?
>
>   My guide is pretty clear on where it goes:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>

Sorry.  That was an artifact from an experiment I had done when I was
getting basically nothing at all.  Here is the log without that.

While I am hoping that I can get it working from my end, I am
starting to think I need to get the other end to do something different.

     - Tim


FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/cui
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
  security {
      user = "freerad"
      group = "freerad"
      allow_core_dumps = no
  }
     name = "freeradius"
     prefix = "/usr"
     localstatedir = "/var"
     logdir = "/var/log/freeradius"
     run_dir = "/var/run/freeradius"
}
main {
     name = "freeradius"
     prefix = "/usr"
     localstatedir = "/var"
     sbindir = "/usr/sbin"
     logdir = "/var/log/freeradius"
     run_dir = "/var/run/freeradius"
     libdir = "/usr/lib/freeradius"
     radacctdir = "/var/log/freeradius/radacct"
     hostname_lookups = no
     max_request_time = 30
     cleanup_delay = 5
     max_requests = 16384
     pidfile = "/var/run/freeradius/freeradius.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = yes
  log {
      stripped_names = no
      auth = no
      auth_badpass = no
      auth_goodpass = no
      colourise = yes
      msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
      max_attributes = 200
      reject_delay = 1.000000
      status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
      retry_delay = 5
      retry_count = 3
      default_fallback = no
      dead_time = 120
      wake_all_if_all_dead = no
  }
  home_server localhost {
      ipaddr = 127.0.0.1
      port = 1812
      type = "auth"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server radius1-ktlr {
      ipaddr = 41.89.2.113
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 300
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server_pool my_auth_failover {
     type = fail-over
     home_server = localhost
  }
  realm example.com {
     auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  realm my.domain.edu {
     authhost = LOCAL
  }
  realm NULL {
     nostrip
  }
  home_server_pool EDUROAM-FTLR {
     type = fail-over
     home_server = radius1-ktlr
  }
  realm DEFAULT {
     pool = EDUROAM-FTLR
     nostrip
  }
radiusd: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client localhost_ipv6 {
      ipv6addr = ::1
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client pac {
      ipaddr = 41.89.50.0/24
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client all-access-points {
      ipaddr = 10.0.0.0/8
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client flr {
      ipaddr = 41.89.2.113
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client kenet-radius {
      ipaddr = 41.204.160.28
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
Debugger not attached
  # Creating Auth-Type = ntlm_auth
  # Creating Auth-Type = mschap
  # Creating Auth-Type = digest
  # Creating Auth-Type = eap
  # Creating Auth-Type = PAP
  # Creating Auth-Type = CHAP
  # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
  modules {
   # Loaded module rlm_chap
   # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
   # Loaded module rlm_radutmp
   # Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/var/log/freeradius/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_files
   # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
   files {
       filename = "/etc/freeradius/3.0/mods-config/files/authorize"
       acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
       preproxy_usersfile =
"/etc/freeradius/3.0/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_exec
   # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = "request"
       output_pairs = "reply"
       shell_escape = yes
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
   linelog {
       filename = "/var/log/freeradius/linelog"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
   linelog log_accounting {
       filename = "/var/log/freeradius/linelog-accounting"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = ""
       reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   # Loaded module rlm_replicate
   # Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
   # Loaded module rlm_detail
   # Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
   detail {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
   # Loaded module rlm_soh
   # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
   soh {
       dhcp = yes
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
   cache cache_eap {
       driver = "rlm_cache_rbtree"
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
   passwd etc_passwd {
       filename = "/etc/passwd"
       format = "*User-Name:Crypt-Password:"
       delimiter = ":"
       ignore_nislike = no
       ignore_empty = yes
       allow_multiple_keys = no
       hash_size = 100
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
   unix {
       radwtmp = "/var/log/freeradius/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_expr
   # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
   expr {
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_always
   # Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
   always invalid {
       rcode = "invalid"
       simulcount = 0
       mpp = no
   }
   # Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
   always userlock {
       rcode = "userlock"
       simulcount = 0
       mpp = no
   }
   # Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
   realm IPASS {
       format = "prefix"
       delimiter = "/"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm suffix {
       format = "suffix"
       delimiter = "@"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm realmpercent {
       format = "suffix"
       delimiter = "%"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
   realm ntdomain {
       format = "prefix"
       delimiter = "\\"
       ignore_default = no
       ignore_null = no
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
   pap {
       normalise = yes
   }
   # Loaded module rlm_mschap
   # Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
   mschap {
       use_mppe = yes
       require_encryption = no
       require_strong = no
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} --domain=%{%{mschap:NT-Domain}:-my.domain.edu} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    passchange {
    }
       allow_retry = yes
       winbind_retry_with_normalised_username = no
   }
   # Loaded module rlm_unpack
   # Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
   # Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
   radutmp {
       filename = "/var/log/freeradius/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
   exec {
       wait = no
       input_pairs = "request"
       shell_escape = yes
       timeout = 10
   }
   # Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail auth_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail reply_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail pre_proxy_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   detail post_proxy_log {
       filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_eap
   # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   eap {
       default_eap_type = "md5"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 16384
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
   preprocess {
       huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
       hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
   exec ntlm_auth {
       wait = yes
       program = "/usr/bin/ntlm_auth --request-nt-key --domain=my.domain.edu --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} --password=%{User-Password}"
       shell_escape = yes
   }
   # Loaded module rlm_logintime
   # Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
   # Loaded module rlm_digest
   # Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
   instantiate {
   }
   # Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
   # Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
   # Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
   # Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay"     found in filter list for realm
"DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
   # Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
   # Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
   # Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_leap
    # Linked to sub-module rlm_eap_gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
    tls-config tls-common {
        verify_depth = 0
        ca_path = "/etc/freeradius/3.0/certs"
        pem_file_type = yes
        private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
        certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
        ca_file = "/etc/ssl/certs/ca-certificates.crt"
        private_key_password = <<< secret >>>
        dh_file = "/etc/freeradius/3.0/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        tls_max_version = ""
        tls_min_version = "1.0"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1/ocsp/"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
   # Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
   # Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
  } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
  # Loading authenticate {...}
  # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server default
server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
  # Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
       type = "auth"
       ipaddr = *
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "acct"
       ipaddr = *
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "auth"
       ipv6addr = ::
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "acct"
       ipv6addr = ::
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
       type = "auth"
       ipaddr = 127.0.0.1
       port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 34066
Listening on proxy address :: port 45125
Ready to process requests
(0) Received Status-Server Id 0 from 41.89.2.113:37127 to 10.1.2.11:1812
length 38
(0)   Message-Authenticator = 0x2f1137eb73f7129ed4be5a750dbb4d65
(0) Sent Access-Accept Id 0 from 10.1.2.11:1812 to 41.89.2.113:37127
length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +1
Ready to process requests
(1) Received Access-Request Id 98 from 41.89.2.113:37127 to 10.1.2.11:1812 length 91
(1)   User-Name = "[hidden email]"
(1)   User-Password = "mypassinplaintext"
(1)   NAS-IP-Address = 197.137.71.11
(1)   Proxy-State = 0x313039
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "my.domain.edu" for User-Name =
"[hidden email]"
(1) suffix: Found realm "my.domain.edu"
(1) suffix: Adding Stripped-User-Name = "mytextusername"
(1) suffix: Adding Realm = "my.domain.edu"
(1) suffix: Authentication realm is LOCAL
(1)     [suffix] = ok
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good"
password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> [hidden email]
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 98 from 10.1.2.11:1812 to 41.89.2.113:37127
length 25
(1)   Proxy-State = 0x313039
Waking up in 3.9 seconds.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius, Eduroam, and me...

Alan Buxey
In reply to this post by Tim Young
hi,

> but still have some issues.   I am now testing through an eduroam
> web-sign-in, where the actual main requests will come from.  It appears


there is no such thing as eduroam web sign-in. captive portal eduroam
was killed off back in the early days - pre 2012.

are you talking about a site you have access to that allows some sort
of testing functionality in your NRO (is that SAFIRE per chance?) - if
so, it should not be using PAP, it should be using at least a PEAP
mechanism (ideally it would support any EAP type supported by the home
organisation, to ensure the home org can test its users' behaviour
remotely). (as said in previous reply, your RADIUS server should be
configured to drop incoming requests if they are not EAP)

>       require_message_authenticator = no

and set those to 'yes' in your clients.conf

> (1)   User-Name = "[hidden email]"
> (1)   User-Password = "mypassinplaintext"

not an EAP request - so it won't get to your inner-server config
(which, being from the outside world, should be a rather plain
inner-server that doesn't do things like VLAN assignment based on
groups etc etc)

alan
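The two changes Alan Buxey asks for, written out against the configuration in the debug dump above. This is an added example, not configuration from the posts or from FreeRADIUS's shipped files; it assumes the eduroam proxy is the `client flr` entry at 41.89.2.113 from the dump, that the stock `sites-enabled/default` is in use, and it uses a placeholder shared secret. The first fragment makes Message-Authenticator mandatory for that client; the second rejects anything from it that is not EAP before `suffix`, `pap` or `ntlm_auth` ever see a cleartext User-Password.

```conf
# --- /etc/freeradius/3.0/clients.conf ----------------------------------
# The eduroam federation-level proxy, as it appears in the debug dump
# above (client "flr").  With require_message_authenticator = yes an
# Access-Request that carries no Message-Authenticator, or one that is
# not a valid HMAC-MD5 over the packet with the shared secret, is
# discarded before any policy runs.  The secret is a placeholder.
client flr {
    ipaddr                        = 41.89.2.113
    secret                        = REPLACE_WITH_SHARED_SECRET
    require_message_authenticator = yes
    nas_type                      = other
}

# --- /etc/freeradius/3.0/sites-enabled/default -------------------------
# Goes at the very top of the authorize section, ahead of the stock
# filter_username policy.  Packet-Src-IP-Address is the internal
# attribute the detail module already uses in the dump above.
authorize {
    # Only EAP is acceptable from the eduroam proxy.  A PAP request like
    # request (1) in the log (User-Password in the clear) is rejected here
    # instead of being looked up in the realm table and passed to AD.
    if (&Packet-Src-IP-Address == 41.89.2.113 && !&EAP-Message) {
        update reply {
            Reply-Message := "eduroam: only EAP is accepted"
        }
        reject
    }

    # ... the rest of the shipped authorize section (filter_username,
    # preprocess, chap, mschap, suffix, eap, files, pap, ...) unchanged ...
}
```

With `freeradius -X` running, a repeat of request (1) now shows the `if` evaluating to TRUE followed by an Access-Reject carrying the Reply-Message, and a request from that address without a Message-Authenticator is dropped before `authorize` runs, so it never gets a numbered request trace at all. The realm table is untouched: users of other realms still proxy out to the `EDUROAM-FTLR` pool via the `DEFAULT` realm, and EAP requests for `my.domain.edu` still go to the inner tunnel.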

Re: FreeRadius, Eduroam, and me...

Tim Young
Sorry for not giving all the details...

This comes from "eduvpn" (app.eduvpn.org).  Apparently it is an
OpenVPN-based system.  When I start the VPN and select "KNET" it takes me
to a sign-in webpage that "authenticates off of eduroam" and creates some
form of token:

https://controller.eduroam.ke/vpn-user-portal/_form/auth/verify

When I type my credentials into the above webpage, I do get the
plaintext username / password.

I do not know what else they are doing, but I know they have other sites
that successfully authenticate against a mysql database.  They do not
have a config that successfully authenticates off of Active Directory
(which is what the school I am helping with is trying to set up).


We can probably assume it is not running "proper eduroam."  My question
is, then, can I get something that passes in the depressingly insecure
username/password combo to authenticate off Active Directory, or is it a
lost cause?  Do I need to complain loudly that they need to change the
auth type to something else? (but whatever they use will need to
authenticate off of a mysql back-end also)


     - Tim


On 6/22/2020 2:05 PM, Alan Buxey wrote:

> hi,
>
>> but still have some issues.   I am now testing through an eduroam
>> web-sign-in, where the actual main requests will come from.  It appears
>
> there is no such thing as eduroam web sign-in. captive portal eduroam
> was killed off back in the early days - pre 2012.
>
> are you talking about a site you have access to that allows some sort
> of testing functionality in your NRO (is that SAFIRE per chance?) - if
> so, it should not be using PAP, it should be using at least a PEAP
> mechanism (ideally it would support any EAP type supported by the home
> organisation, to ensure the home org can test its users' behaviour
> remotely). (as said in previous reply, your RADIUS server should be
> configured to drop incoming requests if they are not EAP)
>
>>        require_message_authenticator = no
> and set those to 'yes' in your clients.conf
>
>> (1)   User-Name = "[hidden email]"
>> (1)   User-Password = "mypassinplaintext"
> not an EAP request - so it won't get to your inner-server config
> (which, being from the outside world, should be a rather plain
> inner-server that doesn't do things like VLAN assignment based on
> groups etc etc)
>
> alan

Re: FreeRadius, Eduroam, and me...

Alan DeKok-2
In reply to this post by Tim Young
On Jun 22, 2020, at 1:55 PM, Tim Young <[hidden email]> wrote:
> >   Why is ntlm_auth listed in the "authorize" section?
> >
> >   My guide is pretty clear on where it goes:
> >
> > http://deployingradius.com/documents/configuration/active_directory.html
>
> Sorry.  That was an artifact from an experiment I had done when I was getting basically nothing at all.  Here is the log without that.

  Which shows you're still not following the guide.

* list "ntlm_auth" in the "authenticate" section
* set "Auth-Type := ntlm_auth" in the "users" file

  The guide should be followed step by step.  When you skip steps or ignore steps, it won't work.

> While I am hoping that I can get it working from my end, but I am starting to think I need to get the other end to do something different.

  My web page also describes how to use "eapol_test" to do EAP testing.  This is all documented in great detail.

  If you follow the guide step by step, you will get EAP + AD working in less than a day.  Every time you skip a step, it will take longer.

  Alan DeKok.


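The two steps Alan DeKok lists, written out as an added example against the Debian paths and the module dump above (this is not text from his guide or from the posts). It assumes the `exec ntlm_auth` instance from `mods-enabled/ntlm_auth` shown in the dump is used unchanged. Note what the dump already says: the startup line `# Creating Auth-Type = ntlm_auth` suggests an `Auth-Type ntlm_auth` entry may already exist in some `authenticate` section, while the failing request (1) ends with `[files] = noop` and `No Auth-Type found`, which is exactly what the users-file entry supplies.

```conf
# --- /etc/freeradius/3.0/sites-enabled/default -------------------------
# The exec module instance "ntlm_auth" already exists (mods-enabled/
# ntlm_auth in the dump calls /usr/bin/ntlm_auth with --password).  It is
# only run if an Auth-Type sub-section of that name selects it.
authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }

    # ... the shipped entries (Auth-Type PAP { pap }, Auth-Type MS-CHAP
    # { mschap }, eap, ...) stay as they are ...
}

# --- /etc/freeradius/3.0/mods-config/files/authorize (the "users" file) --
# A check item with no reply items.  Because the operator is ":=" it
# overwrites any Auth-Type that mschap or eap set earlier in authorize,
# so every request, EAP included, is forced through ntlm_auth --password.
# Keep it only while testing the PAP path with radtest from localhost.
DEFAULT    Auth-Type := ntlm_auth
```

Check it with `radtest <user> <password> 127.0.0.1 0 <localhost secret>`, which sends a PAP request and should now end in an Access-Accept with `[ntlm_auth]` returning ok in the `-X` trace; that exercises only the cleartext path. Once it passes, remove the `DEFAULT` line again, otherwise PEAP/MSCHAPv2 requests also get routed to `ntlm_auth --password` with an empty password and fail; the `mschap` module's own `ntlm_auth` line (with `--challenge`/`--nt-response`, visible in the dump) handles those, and eapol_test, as the guide describes, is the way to test that path.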

Re: FreeRadius, Eduroam, and me...

Alan DeKok-2
In reply to this post by Tim Young
On Jun 22, 2020, at 3:37 PM, Tim Young <[hidden email]> wrote:
>
> Sorry for not giving all the details...
>
> This comes from "eduvpn."  (app.eduvpn.org) Apparently it is an openvpn based system.  When I start the VPN, and select "KNET" it takes me to a sign-in webpage that "authenticates off of eduroam" creates some form of token:
>
> https://controller.eduroam.ke/vpn-user-portal/_form/auth/verify
>
> When I type my credentials into the above webpage, I do get the plaintext username / password.

  I would suggest not trusting random portals on the internet.

> I do not know what else they are doing, but I know they have other sites that successfully authenticate against a mysql database.  They do not have a config that successfully authenticates off of Active Directory (which is what the school I am helping with is trying to set up).

  Ignore whatever broken configurations other people have.  The FreeRADIUS documentation and my web page is correct.

> We can probably assume it is not running "proper eduroam."  My question is, then, can I get something that passes in the depressingly insecure username/password combo to authenticate off Active Directory, or is it a lost cause?

  The guide on my web page goes through this in great detail.  Please... just read it.

>  Do I need to complain loudly that they need to change the auth type to something else? (but whatever they use will need to authenticate off of a mysql back-end also)

  As Alan Buxey said, you need to block all packets from Eduroam which don't contain EAP.  Tell them that their system is wrong and broken.

 Alan DeKok.

