Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf, pages 12-16), authentication fails.

I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.

Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.

Thanks in advance.

-Eric



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Matthew Newton-3
On Sun, 2018-12-02 at 21:47 -0500, Eric Wittle wrote:
> I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR:
> (null): status = eServerError” in the radius.log file.

That error resulted from trying to connect to OpenDirectory.

Does OpenDirectory log anything useful?

> Following the instructions on the user list, I captured the attached
> debug file. Any help would be appreciated, because I’m a bit lost.

Debug was missing. Can you just paste it into the e-mail rather than
attaching it? Use just "-X", don't use "-Xx" or other variants.

--
Matthew

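Once the `-X` output is in hand, the part that matters here is buried in a few hundred lines of brace-delimited config. The following is an added example, not code from the thread or from the FreeRADIUS project: a small parser for that dump plus an audit that pulls out the setting behind this error (mschap's `use_open_directory`) and a few weak defaults that show up in such output. The block and setting names are FreeRADIUS's own; `Block`, `parse_debug`, `audit` and `CHECKS` are names I chose, and the input is a constructed excerpt in the `-X` format, not a real capture.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the shape of `radiusd -X` startup output: a trimmed excerpt
# using the values quoted in this thread, not a real capture.
SAMPLE_DEBUG = """\
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = <<< secret >>>
 }
radiusd: #### Instantiating modules ####
 modules {
  # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
  mschap {
  require_encryption = no
   passchange {
   }
  use_open_directory = yes
  }
  eap {
  default_eap_type = "ttls"
  }
   tls-config tls-common {
    tls_min_version = "1.0"
   }
   ttls {
    default_eap_type = "mschapv2"
    virtual_server = "inner-tunnel"
   }
 } # modules
rlm_mschap (mschap): using internal authentication
"""

_OPEN = re.compile(r"^(?P<header>[\w.\-]+(?: [\w.\-]+)?)\s*\{\s*(?:#.*)?$")
_KV = re.compile(r"^(?P<key>[\w.\-]+)\s*=\s*(?P<val>.*)$")


@dataclass
class Block:
    header: str                                  # "mschap", "client localhost", ...
    settings: Dict[str, str] = field(default_factory=dict)
    children: List["Block"] = field(default_factory=list)

    def find(self, kind: str) -> List["Block"]:
        """All descendant blocks whose header starts with `kind`."""
        hits = [c for c in self.children if c.header.split()[0] == kind]
        for c in self.children:
            hits.extend(c.find(kind))
        return hits


def parse_debug(text: str) -> Block:
    """Build a block tree from the brace-delimited config dump in -X output.
    Section banners, '#' comments and module chatter carry no config state and are skipped."""
    root = Block("(root)")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("}"):
            if len(stack) > 1:                   # never pop the synthetic root
                stack.pop()
        elif m := _OPEN.match(line):
            child = Block(m.group("header"))
            stack[-1].children.append(child)
            stack.append(child)
        elif m := _KV.match(line):
            val = m.group("val").strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]                  # unquote string values
            stack[-1].settings[m.group("key")] = val
    return root


Finding = Tuple[str, str, str, str]              # (block header, key, value, note)

CHECKS = [
    ("mschap", "use_open_directory", {"yes"},
     "MS-CHAP is validated through OpenDirectory, so an OD failure surfaces as an rlm_mschap error"),
    ("mschap", "require_encryption", {"no"}, "MPPE encryption is not required"),
    ("tls-config", "tls_min_version", {"1.0", "1.1"}, "EAP tunnel still accepts obsolete TLS"),
    ("client", "require_message_authenticator", {"no"},
     "Message-Authenticator is not required on Access-Requests from this client"),
]


def audit(root: Block) -> List[Finding]:
    """Report the settings that matter for this thread's error plus a few weak defaults."""
    out: List[Finding] = []
    for kind, key, weak, note in CHECKS:
        for b in root.find(kind):
            v = b.settings.get(key)
            if v is not None and v.lower() in weak:
                out.append((b.header, key, v, note))
    return out


if __name__ == "__main__":
    for header, key, value, note in audit(parse_debug(SAMPLE_DEBUG)):
        print(f"{header}: {key} = {value}  ({note})")
```

Feed it a full `-X` capture (`parse_debug(open("radiusd-X.txt").read())`) and extend `CHECKS` with whatever other settings your environment cares about.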

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
Pasted this time…

FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
 security {
  allow_core_dumps = no
 }
        name = "radiusd"
        prefix = "/usr/local"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
}
main {
        name = "radiusd"
        prefix = "/usr/local"
        localstatedir = "/var"
        sbindir = "/usr/local/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/local/lib"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 16384
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/local/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
  colourise = yes
  msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
  max_attributes = 200
  reject_delay = 1.000000
  status_server = yes
  allow_vulnerable_openssl = "no"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = <<< secret >>>
  response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  check_timeout = 4
  num_answers_to_alive = 3
  revive_interval = 120
  limit {
  max_connections = 16
  max_requests = 0
  lifetime = 0
  idle_timeout = 0
  }
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = <<< secret >>>
  nas_type = "other"
  proto = "*"
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client localhost_ipv6 {
  ipv6addr = ::1
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
 # Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
  always reject {
  rcode = "reject"
  simulcount = 0
  mpp = no
  }
  # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
  always fail {
  rcode = "fail"
  simulcount = 0
  mpp = no
  }
  # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
  always ok {
  rcode = "ok"
  simulcount = 0
  mpp = no
  }
  # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
  always handled {
  rcode = "handled"
  simulcount = 0
  mpp = no
  }
  # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
  always invalid {
  rcode = "invalid"
  simulcount = 0
  mpp = no
  }
  # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
  always userlock {
  rcode = "userlock"
  simulcount = 0
  mpp = no
  }
  # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
  always notfound {
  rcode = "notfound"
  simulcount = 0
  mpp = no
  }
  # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
  always noop {
  rcode = "noop"
  simulcount = 0
  mpp = no
  }
  # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
  always updated {
  rcode = "updated"
  simulcount = 0
  mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
  cache cache_eap {
  driver = "rlm_cache_rbtree"
  key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  ttl = 15
  max_entries = 0
  epoch = 0
  add_stats = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
  # Loaded module rlm_date
  # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
  date {
  format = "%b %e %Y %H:%M:%S %Z"
  utc = no
  }
  # Loaded module rlm_detail
  # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
  detail {
  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail auth_log {
  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail reply_log {
  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail pre_proxy_log {
  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail post_proxy_log {
  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
  # Loaded module rlm_eap
  # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
  eap {
  default_eap_type = "ttls"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 16384
  }
  # Loaded module rlm_exec
  # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
  exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
  # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
  expr {
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
  files {
  filename = "/usr/local/etc/raddb/mods-config/files/authorize"
  acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
  preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
  linelog {
  filename = "/var/log/radius/linelog"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = "This is a log message for %{User-Name}"
  reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
  linelog log_accounting {
  filename = "/var/log/radius/linelog-accounting"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = ""
  reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
  logintime {
  minimum_timeout = 60
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = yes
   passchange {
   }
  allow_retry = yes
  winbind_retry_with_normalised_username = no
  use_open_directory = yes
  }
  # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
  exec ntlm_auth {
  wait = yes
  program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  shell_escape = yes
  }
  # Loaded module rlm_opendirectory
  # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
  # Loaded module rlm_pap
  # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
  pap {
  normalise = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
  passwd etc_passwd {
  filename = "/etc/passwd"
  format = "*User-Name:Crypt-Password:"
  delimiter = ":"
  ignore_nislike = no
  ignore_empty = yes
  allow_multiple_keys = no
  hash_size = 100
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
  preprocess {
  huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
  hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
  radutmp {
  filename = "/var/log/radius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 384
  caller_id = yes
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
  realm IPASS {
  format = "prefix"
  delimiter = "/"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
  realm realmpercent {
  format = "suffix"
  delimiter = "%"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
  realm ntdomain {
  format = "prefix"
  delimiter = "\\"
  ignore_default = no
  ignore_null = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
  soh {
  dhcp = yes
  }
  # Loaded module rlm_sql
  # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
  sql {
  driver = "rlm_sql_sqlite"
  server = ""
  port = 0
  login = ""
  password = <<< secret >>>
  radius_db = "radius"
  read_groups = yes
  read_profiles = yes
  read_clients = yes
  delete_stale_sessions = yes
  sql_user_name = "%{User-Name}"
  default_user_profile = ""
  client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
  authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
  authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
  group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
  simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
   accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}.query}"
    type {
     accounting-on {
      query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
     }
     accounting-off {
      query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
     }
     start {
      query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
     }
     interim-update {
      query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
     }
     stop {
      query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
     }
    }
   }
   post-auth {
    reference = ".query"
    query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
   }
  }
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
  # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
  radutmp sradutmp {
  filename = "/var/log/radius/sradutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 420
  caller_id = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
  unix {
  radwtmp = "/var/log/radius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
  instantiate {
  }
  # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
  # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
  # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
    tls = "tls-common"
   }
   tls-config tls-common {
    verify_depth = 0
    ca_path = "/usr/local/etc/raddb/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/etc/raddb/certs/server.key"
    certificate_file = "/usr/local/etc/raddb/certs/server.crt"
    ca_file = "/usr/local/etc/raddb/certs/ca.pem"
    dh_file = "/usr/local/etc/raddb/certs/dh"
    random_file = "/dev/urandom"
    fragment_size = 1024
    include_length = yes
    auto_chain = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    tls_max_version = ""
    tls_min_version = "1.0"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    skip_if_ocsp_ok = no
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
  # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
  # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
  # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
  # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
  # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
  # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
  # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
  # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
  # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
  # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
  # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
   sqlite {
    filename = "/var/db/radius/freeradius.db"
    busy_timeout = 200
   }
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
   pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    lifetime = 0
    cleanup_interval = 30
    idle_timeout = 60
    retry_delay = 30
    spread = no
   }
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "eric"
(0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0)     [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(0) mschap:   Stepbuf server challenge :
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
(0) mschap:   Stepbuf peer challenge   :
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
(0) mschap:   Stepbuf p24              :
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0)     [mschap] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0)   Framed-Protocol = PPP
(0)   Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests


> On Dec 2, 2018, at 9:47 PM, Eric Wittle <[hidden email]> wrote:
>
> I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
>
> I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
>
> Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
>
> Thanks in advance.
>
> -Eric
>
> <debugfile>
>


Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.

The contents of ApplePasswordServer.Error.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
-- Start: Server rolled log on: Nov 13 2018 21:17:19 --
Dec  2 2018 14:52:47 819295us    Requested SASL mechanism not loaded: SMB-NT
Dec  2 2018 15:03:43 692394us    Requested SASL mechanism not loaded: SMB-NT
Dec  2 2018 15:07:34 139111us    Requested SASL mechanism not loaded: SMB-NT

The tail end of ApplePasswordServer.Server.Log

bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Dec  2 2018 14:52:43 233320us    Stopping server processes ...
Dec  2 2018 14:52:43 234062us    Closing all incoming connections ...
Dec  2 2018 14:52:43 234097us    StopCentralThreads: Stopping Connection Listeners ...
Dec  2 2018 14:52:43 234645us    StopCentralThreads: Current Threads: 10
Dec  2 2018 14:52:43 234669us    Stopping Network Processes ...
Dec  2 2018 14:52:43 234682us    Deinitializing networking ...
Dec  2 2018 14:52:43 234701us    Server Processes Stopped ...
Dec  2 2018 14:52:43 234718us    RunAppThread Stopped
Dec  2 2018 14:52:43 234747us    RunAppThread Deleted
Dec  2 2018 14:52:47 755661us    Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec  2 14:52:47 2018
.
Dec  2 2018 14:52:47 755702us    RunAppThread Created
Dec  2 2018 14:52:47 755746us    RunAppThread Started
Dec  2 2018 14:52:47 755760us    Initializing Server Globals ...
Dec  2 2018 14:52:47 768754us    Initializing Networking ...
Dec  2 2018 14:52:47 768819us    Initializing TCP ...
Dec  2 2018 14:52:47 819245us    SASL is using realm "MAIL.WITTLE.NET"
Dec  2 2018 14:52:47 824367us    Starting Central Thread ...
Dec  2 2018 14:52:47 824401us    Starting other server processes ...
Dec  2 2018 14:52:47 824412us    StartCentralThreads: 1 threads to stop
Dec  2 2018 14:52:47 824451us    Initializing TCP ...
Dec  2 2018 14:52:47 824580us    Starting TCP/IP Listener on ethernet interface, port 106
Dec  2 2018 14:52:47 824630us    Starting TCP/IP Listener on ethernet interface, port 3659
Dec  2 2018 14:52:47 824723us    Starting TCP/IP Listener on interface lo0, port 106
Dec  2 2018 14:52:47 824762us    Starting TCP/IP Listener on interface lo0, port 3659
Dec  2 2018 14:52:47 824800us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec  2 2018 14:52:47 824820us    Starting UNIX domain socket listener /var/run/passwordserver
Dec  2 2018 14:52:47 825558us    Finished starting other server processes ...
Dec  2 2018 14:52:47 825582us    -- Password Server successfully started --
Dec  2 2018 14:52:47 825592us    -- Start time: 0 sec, 74 msec --
Dec  2 2018 15:03:32 701865us    Stopping server processes ...
Dec  2 2018 15:03:32 702676us    Closing all incoming connections ...
Dec  2 2018 15:03:32 702706us    StopCentralThreads: Stopping Connection Listeners ...
Dec  2 2018 15:03:32 703903us    StopCentralThreads: Current Threads: 3
Dec  2 2018 15:03:32 703930us    Stopping Network Processes ...
Dec  2 2018 15:03:32 703944us    Deinitializing networking ...
Dec  2 2018 15:03:32 703960us    Server Processes Stopped ...
Dec  2 2018 15:03:32 703977us    RunAppThread Stopped
Dec  2 2018 15:03:32 703989us    RunAppThread Deleted
Dec  2 2018 15:03:33 705899us    Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec  2 15:03:33 2018
.
Dec  2 2018 15:03:43 644217us    Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec  2 15:03:43 2018
.
Dec  2 2018 15:03:43 644253us    RunAppThread Created
Dec  2 2018 15:03:43 644295us    RunAppThread Started
Dec  2 2018 15:03:43 644316us    Initializing Server Globals ...
Dec  2 2018 15:03:43 677609us    Initializing Networking ...
Dec  2 2018 15:03:43 677736us    Initializing TCP ...
Dec  2 2018 15:03:43 692357us    SASL is using realm "MAIL.WITTLE.NET"
Dec  2 2018 15:03:43 692877us    Starting Central Thread ...
Dec  2 2018 15:03:43 692895us    Starting other server processes ...
Dec  2 2018 15:03:43 692905us    StartCentralThreads: 1 threads to stop
Dec  2 2018 15:03:43 692938us    Initializing TCP ...
Dec  2 2018 15:03:43 693040us    Starting TCP/IP Listener on ethernet interface, port 106
Dec  2 2018 15:03:43 693082us    Starting TCP/IP Listener on ethernet interface, port 3659
Dec  2 2018 15:03:43 693110us    Starting TCP/IP Listener on interface lo0, port 106
Dec  2 2018 15:03:43 693133us    Starting TCP/IP Listener on interface lo0, port 3659
Dec  2 2018 15:03:43 693156us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec  2 2018 15:03:43 693167us    Starting UNIX domain socket listener /var/run/passwordserver
Dec  2 2018 15:03:43 694190us    Finished starting other server processes ...
Dec  2 2018 15:03:43 694212us    -- Password Server successfully started --
Dec  2 2018 15:03:43 694222us    -- Start time: 0 sec, 54 msec --
Dec  2 2018 15:05:24 289083us    Stopping server processes ...
Dec  2 2018 15:05:24 289128us    Closing all incoming connections ...
Dec  2 2018 15:05:24 289150us    StopCentralThreads: Stopping Connection Listeners ...
Dec  2 2018 15:05:24 290059us    StopCentralThreads: Current Threads: 3
Dec  2 2018 15:05:24 290086us    Stopping Network Processes ...
Dec  2 2018 15:05:24 290098us    Deinitializing networking ...
Dec  2 2018 15:05:24 290113us    Server Processes Stopped ...
Dec  2 2018 15:05:24 290129us    RunAppThread Stopped
Dec  2 2018 15:05:24 290142us    RunAppThread Deleted
Dec  2 2018 15:05:26 221197us    Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec  2 15:05:26 2018
.
Dec  2 2018 15:07:34 103685us    Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec  2 15:07:34 2018
.
Dec  2 2018 15:07:34 103718us    RunAppThread Created
Dec  2 2018 15:07:34 103758us    RunAppThread Started
Dec  2 2018 15:07:34 103779us    Initializing Server Globals ...
Dec  2 2018 15:07:34 118899us    Initializing Networking ...
Dec  2 2018 15:07:34 118961us    Initializing TCP ...
Dec  2 2018 15:07:34 139076us    SASL is using realm "MAIL.WITTLE.NET"
Dec  2 2018 15:07:34 139134us    Starting Central Thread ...
Dec  2 2018 15:07:34 139141us    Starting other server processes ...
Dec  2 2018 15:07:34 139147us    StartCentralThreads: 1 threads to stop
Dec  2 2018 15:07:34 139174us    Initializing TCP ...
Dec  2 2018 15:07:34 139265us    Starting TCP/IP Listener on ethernet interface, port 106
Dec  2 2018 15:07:34 139302us    Starting TCP/IP Listener on ethernet interface, port 3659
Dec  2 2018 15:07:34 139322us    Starting TCP/IP Listener on interface lo0, port 106
Dec  2 2018 15:07:34 139350us    Starting TCP/IP Listener on interface lo0, port 3659
Dec  2 2018 15:07:34 139443us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec  2 2018 15:07:34 139462us    Starting UNIX domain socket listener /var/run/passwordserver
Dec  2 2018 15:07:34 140156us    Finished starting other server processes ...
Dec  2 2018 15:07:34 140178us    -- Password Server successfully started --
Dec  2 2018 15:07:34 140190us    -- Start time: 0 sec, 41 msec --
Dec  2 2018 20:01:57 945387us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec  2 2018 20:35:44 395239us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec  2 2018 20:37:17 158109us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec  2 2018 20:37:43 63472us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec  2 2018 21:17:05 402081us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec  2 2018 21:37:24 961075us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.

It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in FreeRADIUS instance with “radiusconfig -start”, and stopping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X Server.

I’ll take a look and see if radiusconfig is a script…

-Eric

> On Dec 3, 2018, at 5:41 AM, Eric Wittle <[hidden email]> wrote:
>
> Pasted this time…
>
> FreeRADIUS Version 3.0.17
> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/local/share/freeradius/dictionary
> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
> including dictionary file /usr/local/share/freeradius/dictionary.vqp
> including dictionary file /usr/local/etc/raddb/dictionary
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/mods-enabled/
> including configuration file /usr/local/etc/raddb/mods-enabled/always
> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
> including configuration file /usr/local/etc/raddb/mods-enabled/chap
> including configuration file /usr/local/etc/raddb/mods-enabled/date
> including configuration file /usr/local/etc/raddb/mods-enabled/detail
> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
> including configuration file /usr/local/etc/raddb/mods-enabled/digest
> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
> including configuration file /usr/local/etc/raddb/mods-enabled/eap
> including configuration file /usr/local/etc/raddb/mods-enabled/echo
> including configuration file /usr/local/etc/raddb/mods-enabled/exec
> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
> including configuration file /usr/local/etc/raddb/mods-enabled/expr
> including configuration file /usr/local/etc/raddb/mods-enabled/files
> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
> including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
> including configuration file /usr/local/etc/raddb/mods-enabled/pap
> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
> including configuration file /usr/local/etc/raddb/mods-enabled/realm
> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
> including configuration file /usr/local/etc/raddb/mods-enabled/soh
> including configuration file /usr/local/etc/raddb/mods-enabled/sql
> including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
> including configuration file /usr/local/etc/raddb/mods-enabled/unix
> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
> including files in directory /usr/local/etc/raddb/policy.d/
> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
> including configuration file /usr/local/etc/raddb/policy.d/accounting
> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
> including configuration file /usr/local/etc/raddb/policy.d/control
> including configuration file /usr/local/etc/raddb/policy.d/cui
> including configuration file /usr/local/etc/raddb/policy.d/debug
> including configuration file /usr/local/etc/raddb/policy.d/dhcp
> including configuration file /usr/local/etc/raddb/policy.d/eap
> including configuration file /usr/local/etc/raddb/policy.d/filter
> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
> including configuration file /usr/local/etc/raddb/policy.d/operator-name
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> main {
>  security {
>   allow_core_dumps = no
>  }
> name = "radiusd"
> prefix = "/usr/local"
> localstatedir = "/var"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> }
> main {
> name = "radiusd"
> prefix = "/usr/local"
> localstatedir = "/var"
> sbindir = "/usr/local/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/local/lib"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
>  log {
>   stripped_names = no
>   auth = no
>   auth_badpass = no
>   auth_goodpass = no
>   colourise = yes
>   msg_denied = "You are already logged in - access denied"
>  }
>  resources {
>  }
>  security {
>   max_attributes = 200
>   reject_delay = 1.000000
>   status_server = yes
>   allow_vulnerable_openssl = "no"
>  }
> }
> radiusd: #### Loading Realms and Home Servers ####
>  proxy server {
>   retry_delay = 5
>   retry_count = 3
>   default_fallback = no
>   dead_time = 120
>   wake_all_if_all_dead = no
>  }
>  home_server localhost {
>   ipaddr = 127.0.0.1
>   port = 1812
>   type = "auth"
>   secret = <<< secret >>>
>   response_window = 20.000000
>   response_timeouts = 1
>   max_outstanding = 65536
>   zombie_period = 40
>   status_check = "status-server"
>   ping_interval = 30
>   check_interval = 30
>   check_timeout = 4
>   num_answers_to_alive = 3
>   revive_interval = 120
>   limit {
>   max_connections = 16
>   max_requests = 0
>   lifetime = 0
>   idle_timeout = 0
>   }
>   coa {
>   irt = 2
>   mrt = 16
>   mrc = 5
>   mrd = 30
>   }
>  }
>  home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
>  }
>  realm example.com <http://example.com/> {
> auth_pool = my_auth_failover
>  }
>  realm LOCAL {
>  }
> radiusd: #### Loading Clients ####
>  client localhost {
>   ipaddr = 127.0.0.1
>   require_message_authenticator = no
>   secret = <<< secret >>>
>   nas_type = "other"
>   proto = "*"
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>  }
>  client localhost_ipv6 {
>   ipv6addr = ::1
>   require_message_authenticator = no
>   secret = <<< secret >>>
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>  }
> Debugger not attached
>  # Creating Auth-Type = mschap
>  # Creating Auth-Type = digest
>  # Creating Auth-Type = eap
>  # Creating Auth-Type = PAP
>  # Creating Auth-Type = CHAP
>  # Creating Auth-Type = MS-CHAP
>  # Creating Auth-Type = opendirectory
> radiusd: #### Instantiating modules ####
>  modules {
>   # Loaded module rlm_always
>   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>   always reject {
>   rcode = "reject"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>   always fail {
>   rcode = "fail"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>   always ok {
>   rcode = "ok"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>   always handled {
>   rcode = "handled"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>   always invalid {
>   rcode = "invalid"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>   always userlock {
>   rcode = "userlock"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>   always notfound {
>   rcode = "notfound"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>   always noop {
>   rcode = "noop"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>   always updated {
>   rcode = "updated"
>   simulcount = 0
>   mpp = no
>   }
>   # Loaded module rlm_attr_filter
>   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>   attr_filter attr_filter.post-proxy {
>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>   key = "%{Realm}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>   attr_filter attr_filter.pre-proxy {
>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>   key = "%{Realm}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>   attr_filter attr_filter.access_reject {
>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>   key = "%{User-Name}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>   attr_filter attr_filter.access_challenge {
>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>   key = "%{User-Name}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>   attr_filter attr_filter.accounting_response {
>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>   key = "%{User-Name}"
>   relaxed = no
>   }
>   # Loaded module rlm_cache
>   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>   cache cache_eap {
>   driver = "rlm_cache_rbtree"
>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>   ttl = 15
>   max_entries = 0
>   epoch = 0
>   add_stats = no
>   }
>   # Loaded module rlm_chap
>   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>   # Loaded module rlm_date
>   # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>   date {
>   format = "%b %e %Y %H:%M:%S %Z"
>   utc = no
>   }
>   # Loaded module rlm_detail
>   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>   detail {
>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   detail auth_log {
>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   detail reply_log {
>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   detail pre_proxy_log {
>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   detail post_proxy_log {
>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loaded module rlm_digest
>   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
>   # Loaded module rlm_dynamic_clients
>   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>   # Loaded module rlm_eap
>   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>   eap {
>   default_eap_type = "ttls"
>   timer_expire = 60
>   ignore_unknown_eap_types = no
>   cisco_accounting_username_bug = no
>   max_sessions = 16384
>   }
>   # Loaded module rlm_exec
>   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>   exec echo {
>   wait = yes
>   program = "/bin/echo %{User-Name}"
>   input_pairs = "request"
>   output_pairs = "reply"
>   shell_escape = yes
>   }
>   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>   exec {
>   wait = no
>   input_pairs = "request"
>   shell_escape = yes
>   timeout = 10
>   }
>   # Loaded module rlm_expiration
>   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>   # Loaded module rlm_expr
>   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>   expr {
>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>   }
>   # Loaded module rlm_files
>   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
>   files {
>   filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>   acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
>   preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>   }
>   # Loaded module rlm_linelog
>   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>   linelog {
>   filename = "/var/log/radius/linelog"
>   escape_filenames = no
>   syslog_severity = "info"
>   permissions = 384
>   format = "This is a log message for %{User-Name}"
>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>   }
>   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>   linelog log_accounting {
>   filename = "/var/log/radius/linelog-accounting"
>   escape_filenames = no
>   syslog_severity = "info"
>   permissions = 384
>   format = ""
>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>   }
>   # Loaded module rlm_logintime
>   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>   logintime {
>   minimum_timeout = 60
>   }
>   # Loaded module rlm_mschap
>   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>   mschap {
>   use_mppe = yes
>   require_encryption = no
>   require_strong = no
>   with_ntdomain_hack = yes
>    passchange {
>    }
>   allow_retry = yes
>   winbind_retry_with_normalised_username = no
>   use_open_directory = yes
>   }
>   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>   exec ntlm_auth {
>   wait = yes
>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>   shell_escape = yes
>   }
>   # Loaded module rlm_opendirectory
>   # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
>   # Loaded module rlm_pap
>   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>   pap {
>   normalise = yes
>   }
>   # Loaded module rlm_passwd
>   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>   passwd etc_passwd {
>   filename = "/etc/passwd"
>   format = "*User-Name:Crypt-Password:"
>   delimiter = ":"
>   ignore_nislike = no
>   ignore_empty = yes
>   allow_multiple_keys = no
>   hash_size = 100
>   }
>   # Loaded module rlm_preprocess
>   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>   preprocess {
>   huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>   hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>   with_ascend_hack = no
>   ascend_channels_per_line = 23
>   with_ntdomain_hack = no
>   with_specialix_jetstream_hack = no
>   with_cisco_vsa_hack = no
>   with_alvarion_vsa_hack = no
>   }
>   # Loaded module rlm_radutmp
>   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
>   radutmp {
>   filename = "/var/log/radius/radutmp"
>   username = "%{User-Name}"
>   case_sensitive = yes
>   check_with_nas = yes
>   permissions = 384
>   caller_id = yes
>   }
>   # Loaded module rlm_realm
>   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>   realm IPASS {
>   format = "prefix"
>   delimiter = "/"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>   realm suffix {
>   format = "suffix"
>   delimiter = "@"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>   realm realmpercent {
>   format = "suffix"
>   delimiter = "%"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>   realm ntdomain {
>   format = "prefix"
>   delimiter = "\\"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loaded module rlm_replicate
>   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
>   # Loaded module rlm_soh
>   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>   soh {
>   dhcp = yes
>   }
>   # Loaded module rlm_sql
>   # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>   sql {
>   driver = "rlm_sql_sqlite"
>   server = ""
>   port = 0
>   login = ""
>   password = <<< secret >>>
>   radius_db = "radius"
>   read_groups = yes
>   read_profiles = yes
>   read_clients = yes
>   delete_stale_sessions = yes
>   sql_user_name = "%{User-Name}"
>   default_user_profile = ""
>   client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>   authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
>   authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
>   authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
>   authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
>   group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
>   simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
>   simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>    accounting {
>     reference = "%{tolower:type.%{Acct-Status-Type}.query}"
>     type {
>      accounting-on {
>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>      }
>      accounting-off {
>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>      }
>      start {
>       query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
>      }
>      interim-update {
>       query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>      }
>      stop {
>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>      }
>     }
>    }
>    post-auth {
>     reference = ".query"
>     query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
>    }
>   }
> rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
> Creating attribute SQL-Group
>   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
>   radutmp sradutmp {
>   filename = "/var/log/radius/sradutmp"
>   username = "%{User-Name}"
>   case_sensitive = yes
>   check_with_nas = yes
>   permissions = 420
>   caller_id = no
>   }
>   # Loaded module rlm_unix
>   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>   unix {
>   radwtmp = "/var/log/radius/radwtmp"
>   }
> Creating attribute Unix-Group
>   # Loaded module rlm_unpack
>   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
>   # Loaded module rlm_utf8
>   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>   instantiate {
>   }
>   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
>   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
>   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
>   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
>   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>    # Linked to sub-module rlm_eap_md5
>    # Linked to sub-module rlm_eap_leap
>    # Linked to sub-module rlm_eap_gtc
>    gtc {
>     challenge = "Password: "
>     auth_type = "PAP"
>    }
>    # Linked to sub-module rlm_eap_tls
>    tls {
>     tls = "tls-common"
>    }
>    tls-config tls-common {
>     verify_depth = 0
>     ca_path = "/usr/local/etc/raddb/certs"
>     pem_file_type = yes
>     private_key_file = "/usr/local/etc/raddb/certs/server.key"
>     certificate_file = "/usr/local/etc/raddb/certs/server.crt"
>     ca_file = "/usr/local/etc/raddb/certs/ca.pem"
>     dh_file = "/usr/local/etc/raddb/certs/dh"
>     random_file = "/dev/urandom"
>     fragment_size = 1024
>     include_length = yes
>     auto_chain = yes
>     check_crl = no
>     check_all_crl = no
>     cipher_list = "DEFAULT"
>     cipher_server_preference = no
>     ecdh_curve = "prime256v1"
>     tls_max_version = ""
>     tls_min_version = "1.0"
>     cache {
>     enable = no
>     lifetime = 24
>     max_entries = 255
>     }
>     verify {
>     skip_if_ocsp_ok = no
>     }
>     ocsp {
>     enable = no
>     override_cert_url = yes
>     url = "http://127.0.0.1/ocsp/"
>     use_nonce = yes
>     timeout = 0
>     softfail = no
>     }
>    }
>    # Linked to sub-module rlm_eap_ttls
>    ttls {
>     tls = "tls-common"
>     default_eap_type = "mschapv2"
>     copy_request_to_tunnel = no
>     use_tunneled_reply = no
>     virtual_server = "inner-tunnel"
>     include_length = yes
>     require_client_cert = no
>    }
> tls: Using cached TLS configuration from previous invocation
>    # Linked to sub-module rlm_eap_peap
>    peap {
>     tls = "tls-common"
>     default_eap_type = "mschapv2"
>     copy_request_to_tunnel = no
>     use_tunneled_reply = no
>     proxy_tunneled_request_as_eap = yes
>     virtual_server = "inner-tunnel"
>     soh = no
>     require_client_cert = no
>    }
> tls: Using cached TLS configuration from previous invocation
>    # Linked to sub-module rlm_eap_mschapv2
>    mschapv2 {
>     with_ntdomain_hack = no
>     send_error = no
>    }
>   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
>   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
>   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>   # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
> rlm_sql_sqlite: libsqlite version: 3.19.3
>    sqlite {
>     filename = "/var/db/radius/freeradius.db"
>     busy_timeout = 200
>    }
> rlm_sql (sql): Attempting to connect to database "radius"
> rlm_sql (sql): Initialising connection pool
>    pool {
>     start = 5
>     min = 3
>     max = 32
>     spare = 10
>     uses = 0
>     lifetime = 0
>     cleanup_interval = 30
>     idle_timeout = 60
>     retry_delay = 30
>     spread = no
>    }
> rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
> rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
> rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
> rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
> rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
> rlm_sql (sql): Processing generate_sql_clients
> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
> rlm_sql (sql): Reserved connection (0)
> rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
> rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
> rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
> rlm_sql (sql): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>  } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/etc/raddb/radiusd.conf
> } # server
> server default { # from file /usr/local/etc/raddb/sites-enabled/default
>  # Loading authenticate {...}
>  # Loading authorize {...}
>  # Loading preacct {...}
>  # Loading accounting {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>  # Loading authenticate {...}
>  # Loading authorize {...}
> Ignoring "ldap" (see raddb/mods-available/README.rst)
>  # Loading session {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
>  # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>   type = "auth"
>   ipaddr = *
>   port = 0
>    limit {
>     max_connections = 16
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "acct"
>   ipaddr = *
>   port = 0
>    limit {
>     max_connections = 16
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "auth"
>   ipv6addr = ::
>   port = 0
>    limit {
>     max_connections = 16
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "acct"
>   ipv6addr = ::
>   port = 0
>    limit {
>     max_connections = 16
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "auth"
>   ipaddr = 127.0.0.1
>   port = 18120
> }
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
> Listening on proxy address * port 59453
> Listening on proxy address :: port 59454
> Ready to process requests
> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
> (0)   Service-Type = Framed-User
> (0)   Framed-Protocol = PPP
> (0)   User-Name = "eric"
> (0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Port = 0
> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (0)     [mschap] = ok
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "eric", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0) files: users: Matched entry DEFAULT at line 181
> (0)     [files] = ok
> (0) opendirectory: The host 192.168.1.1 does not have an access group.
> (0)     [opendirectory] = ok
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> eric
> (0) sql: SQL-User-Name set to 'eric'
> rlm_sql (sql): Reserved connection (1)
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
> (0) sql: User not found in any groups
> rlm_sql (sql): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
> (0)     [sql] = notfound
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
> (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
> (0) mschap:   Stepbuf server challenge :
> ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
> (0) mschap:   Stepbuf peer challenge   :
> ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
> (0) mschap:   Stepbuf p24              :
> 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
> (0)     [mschap] = ok
> (0)   } # authenticate = ok
> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
> (0)   post-auth {
> (0)     update {
> (0)       No attributes updated
> (0)     } # update = noop
> (0) sql: EXPAND .query
> (0) sql:    --> .query
> (0) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (2)
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> eric
> (0) sql: SQL-User-Name set to 'eric'
> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
> (0) sql: SQL query returned: success
> (0) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (2)
> (0)     [sql] = ok
> (0)     [exec] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # post-auth = ok
> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
> (0)   Framed-Protocol = PPP
> (0)   Framed-Compression = Van-Jacobson-TCP-IP
> (0) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 0 with timestamp +27
> Ready to process requests
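The three "Stepbuf" dumps in the debug output above show the classic sign-extension artifact of printing a signed char with %02x: every byte at or above 0x80 appears as ffffffXX. This added example (not part of the thread and not FreeRADIUS code) strips that artifact and checks the recovered buffers against the MS-CHAP-Challenge and MS-CHAP2-Response attributes of request (0), which confirms that rlm_mschap handed OpenDirectory exactly the challenge and response the NAS sent; the response layout (Ident, Flags, 16-byte Peer-Challenge, 8 reserved bytes, 24-byte NT-Response) is taken from RFC 2548 section 2.3.2.

```python
from __future__ import annotations

# Attribute values copied from request (0) in the radiusd -X output above.
MSCHAP_CHALLENGE_ATTR = "a44a52e59a4f962b746b666bbe7f01d0"
MSCHAP2_RESPONSE_ATTR = (
    "21009c4d4f0f11d45c28c3329de6c537a41c"   # Ident, Flags, Peer-Challenge
    "0000000000000000"                       # Reserved
    "5bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562"  # NT-Response
)

# The three sign-extended "Stepbuf" dumps printed by rlm_mschap.
STEPBUF_SERVER_CHALLENGE = (
    "ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0"
)
STEPBUF_PEER_CHALLENGE = (
    "ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c"
)
STEPBUF_P24 = (
    "5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466"
    "ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562"
)


def decode_sign_extended(dump: str) -> bytes:
    """Undo the ffffffXX artifact of a hex dump printed through a signed char.

    Bytes below 0x80 are printed as two hex digits. Bytes at or above 0x80 were
    widened to a negative int before printing, so they appear as 'ffffff'
    followed by the real two digits. A genuine 0xff byte therefore shows up as
    'ffffffff', which the same rule handles. Because a low byte can never yield
    an 'ff' pair at an aligned position, the parse is unambiguous.
    """
    s = dump.strip().lower()
    if len(s) % 2:
        raise ValueError("odd-length hex dump")
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("ffffff", i) and i + 8 <= len(s):
            value = int(s[i + 6:i + 8], 16)
            if value < 0x80:
                # A sign-extended byte must have had its top bit set.
                raise ValueError(f"inconsistent sign extension at offset {i}")
            i += 8
        else:
            value = int(s[i:i + 2], 16)
            i += 2
        out.append(value)
    return bytes(out)


def split_mschap2_response(attr: bytes) -> dict:
    """Split an MS-CHAP2-Response value into its RFC 2548 fields."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return {
        "ident": attr[0],
        "flags": attr[1],
        "peer_challenge": attr[2:18],
        "reserved": attr[18:26],
        "nt_response": attr[26:50],
    }


def check_request_zero() -> dict:
    """Compare the three Stepbuf dumps with what the NAS actually sent."""
    resp = split_mschap2_response(bytes.fromhex(MSCHAP2_RESPONSE_ATTR))
    return {
        "server_challenge_matches":
            decode_sign_extended(STEPBUF_SERVER_CHALLENGE)
            == bytes.fromhex(MSCHAP_CHALLENGE_ATTR),
        "peer_challenge_matches":
            decode_sign_extended(STEPBUF_PEER_CHALLENGE) == resp["peer_challenge"],
        "p24_matches":
            decode_sign_extended(STEPBUF_P24) == resp["nt_response"],
        "reserved_is_zero": resp["reserved"] == bytes(8),
    }


if __name__ == "__main__":
    for name, ok in check_request_zero().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

All four checks pass for the request above, so the inputs to the OpenDirectory step are correct and the failure must lie in what comes back; note that -X output carries the live challenge/response pair, so pastes of it should be handled as credential material.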


Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:

Dec  3 2018 06:21:55 123216us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.

So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password are making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.

-Eric

> On Dec 3, 2018, at 6:14 AM, Eric Wittle <[hidden email]> wrote:
>
> Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of Google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
>
> The contents of ApplePasswordServer.Error.Log
> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
> -- Start: Server rolled log on: Nov 13 2018 21:17:19 --
> Dec  2 2018 14:52:47 819295us    Requested SASL mechanism not loaded: SMB-NT
> Dec  2 2018 15:03:43 692394us    Requested SASL mechanism not loaded: SMB-NT
> Dec  2 2018 15:07:34 139111us    Requested SASL mechanism not loaded: SMB-NT
>
> The tail end of ApplePasswordServer.Server.Log
>
> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
> Dec  2 2018 14:52:43 233320us    Stopping server processes ...
> Dec  2 2018 14:52:43 234062us    Closing all incoming connections ...
> Dec  2 2018 14:52:43 234097us    StopCentralThreads: Stopping Connection Listeners ...
> Dec  2 2018 14:52:43 234645us    StopCentralThreads: Current Threads: 10
> Dec  2 2018 14:52:43 234669us    Stopping Network Processes ...
> Dec  2 2018 14:52:43 234682us    Deinitializing networking ...
> Dec  2 2018 14:52:43 234701us    Server Processes Stopped ...
> Dec  2 2018 14:52:43 234718us    RunAppThread Stopped
> Dec  2 2018 14:52:43 234747us    RunAppThread Deleted
> Dec  2 2018 14:52:47 755661us    Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec  2 14:52:47 2018
> .
> Dec  2 2018 14:52:47 755702us    RunAppThread Created
> Dec  2 2018 14:52:47 755746us    RunAppThread Started
> Dec  2 2018 14:52:47 755760us    Initializing Server Globals ...
> Dec  2 2018 14:52:47 768754us    Initializing Networking ...
> Dec  2 2018 14:52:47 768819us    Initializing TCP ...
> Dec  2 2018 14:52:47 819245us    SASL is using realm "MAIL.WITTLE.NET"
> Dec  2 2018 14:52:47 824367us    Starting Central Thread ...
> Dec  2 2018 14:52:47 824401us    Starting other server processes ...
> Dec  2 2018 14:52:47 824412us    StartCentralThreads: 1 threads to stop
> Dec  2 2018 14:52:47 824451us    Initializing TCP ...
> Dec  2 2018 14:52:47 824580us    Starting TCP/IP Listener on ethernet interface, port 106
> Dec  2 2018 14:52:47 824630us    Starting TCP/IP Listener on ethernet interface, port 3659
> Dec  2 2018 14:52:47 824723us    Starting TCP/IP Listener on interface lo0, port 106
> Dec  2 2018 14:52:47 824762us    Starting TCP/IP Listener on interface lo0, port 3659
> Dec  2 2018 14:52:47 824800us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
> Dec  2 2018 14:52:47 824820us    Starting UNIX domain socket listener /var/run/passwordserver
> Dec  2 2018 14:52:47 825558us    Finished starting other server processes ...
> Dec  2 2018 14:52:47 825582us    -- Password Server successfully started --
> Dec  2 2018 14:52:47 825592us    -- Start time: 0 sec, 74 msec --
> Dec  2 2018 15:03:32 701865us    Stopping server processes ...
> Dec  2 2018 15:03:32 702676us    Closing all incoming connections ...
> Dec  2 2018 15:03:32 702706us    StopCentralThreads: Stopping Connection Listeners ...
> Dec  2 2018 15:03:32 703903us    StopCentralThreads: Current Threads: 3
> Dec  2 2018 15:03:32 703930us    Stopping Network Processes ...
> Dec  2 2018 15:03:32 703944us    Deinitializing networking ...
> Dec  2 2018 15:03:32 703960us    Server Processes Stopped ...
> Dec  2 2018 15:03:32 703977us    RunAppThread Stopped
> Dec  2 2018 15:03:32 703989us    RunAppThread Deleted
> Dec  2 2018 15:03:33 705899us    Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec  2 15:03:33 2018
> .
> Dec  2 2018 15:03:43 644217us    Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec  2 15:03:43 2018
> .
> Dec  2 2018 15:03:43 644253us    RunAppThread Created
> Dec  2 2018 15:03:43 644295us    RunAppThread Started
> Dec  2 2018 15:03:43 644316us    Initializing Server Globals ...
> Dec  2 2018 15:03:43 677609us    Initializing Networking ...
> Dec  2 2018 15:03:43 677736us    Initializing TCP ...
> Dec  2 2018 15:03:43 692357us    SASL is using realm "MAIL.WITTLE.NET"
> Dec  2 2018 15:03:43 692877us    Starting Central Thread ...
> Dec  2 2018 15:03:43 692895us    Starting other server processes ...
> Dec  2 2018 15:03:43 692905us    StartCentralThreads: 1 threads to stop
> Dec  2 2018 15:03:43 692938us    Initializing TCP ...
> Dec  2 2018 15:03:43 693040us    Starting TCP/IP Listener on ethernet interface, port 106
> Dec  2 2018 15:03:43 693082us    Starting TCP/IP Listener on ethernet interface, port 3659
> Dec  2 2018 15:03:43 693110us    Starting TCP/IP Listener on interface lo0, port 106
> Dec  2 2018 15:03:43 693133us    Starting TCP/IP Listener on interface lo0, port 3659
> Dec  2 2018 15:03:43 693156us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
> Dec  2 2018 15:03:43 693167us    Starting UNIX domain socket listener /var/run/passwordserver
> Dec  2 2018 15:03:43 694190us    Finished starting other server processes ...
> Dec  2 2018 15:03:43 694212us    -- Password Server successfully started --
> Dec  2 2018 15:03:43 694222us    -- Start time: 0 sec, 54 msec --
> Dec  2 2018 15:05:24 289083us    Stopping server processes ...
> Dec  2 2018 15:05:24 289128us    Closing all incoming connections ...
> Dec  2 2018 15:05:24 289150us    StopCentralThreads: Stopping Connection Listeners ...
> Dec  2 2018 15:05:24 290059us    StopCentralThreads: Current Threads: 3
> Dec  2 2018 15:05:24 290086us    Stopping Network Processes ...
> Dec  2 2018 15:05:24 290098us    Deinitializing networking ...
> Dec  2 2018 15:05:24 290113us    Server Processes Stopped ...
> Dec  2 2018 15:05:24 290129us    RunAppThread Stopped
> Dec  2 2018 15:05:24 290142us    RunAppThread Deleted
> Dec  2 2018 15:05:26 221197us    Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec  2 15:05:26 2018
> .
> Dec  2 2018 15:07:34 103685us    Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec  2 15:07:34 2018
> .
> Dec  2 2018 15:07:34 103718us    RunAppThread Created
> Dec  2 2018 15:07:34 103758us    RunAppThread Started
> Dec  2 2018 15:07:34 103779us    Initializing Server Globals ...
> Dec  2 2018 15:07:34 118899us    Initializing Networking ...
> Dec  2 2018 15:07:34 118961us    Initializing TCP ...
> Dec  2 2018 15:07:34 139076us    SASL is using realm "MAIL.WITTLE.NET"
> Dec  2 2018 15:07:34 139134us    Starting Central Thread ...
> Dec  2 2018 15:07:34 139141us    Starting other server processes ...
> Dec  2 2018 15:07:34 139147us    StartCentralThreads: 1 threads to stop
> Dec  2 2018 15:07:34 139174us    Initializing TCP ...
> Dec  2 2018 15:07:34 139265us    Starting TCP/IP Listener on ethernet interface, port 106
> Dec  2 2018 15:07:34 139302us    Starting TCP/IP Listener on ethernet interface, port 3659
> Dec  2 2018 15:07:34 139322us    Starting TCP/IP Listener on interface lo0, port 106
> Dec  2 2018 15:07:34 139350us    Starting TCP/IP Listener on interface lo0, port 3659
> Dec  2 2018 15:07:34 139443us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
> Dec  2 2018 15:07:34 139462us    Starting UNIX domain socket listener /var/run/passwordserver
> Dec  2 2018 15:07:34 140156us    Finished starting other server processes ...
> Dec  2 2018 15:07:34 140178us    -- Password Server successfully started --
> Dec  2 2018 15:07:34 140190us    -- Start time: 0 sec, 41 msec --
> Dec  2 2018 20:01:57 945387us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
> Dec  2 2018 20:35:44 395239us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
> Dec  2 2018 20:37:17 158109us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
> Dec  2 2018 20:37:43 63472us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
> Dec  2 2018 21:17:05 402081us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
> Dec  2 2018 21:37:24 961075us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>
> It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stopping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
>
> I’ll take a look and see if radiusconfig is a script…
>
> -Eric
>
>> On Dec 3, 2018, at 5:41 AM, Eric Wittle <[hidden email]> wrote:
>>
>> Pasted this time…
>>
>> FreeRADIUS Version 3.0.17
>> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License
>> For more information about these matters, see the file named COPYRIGHT
>> Starting - reading configuration files ...
>> including dictionary file /usr/local/share/freeradius/dictionary
>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>> including dictionary file /usr/local/etc/raddb/dictionary
>> including configuration file /usr/local/etc/raddb/radiusd.conf
>> including configuration file /usr/local/etc/raddb/proxy.conf
>> including configuration file /usr/local/etc/raddb/clients.conf
>> including files in directory /usr/local/etc/raddb/mods-enabled/
>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>> including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>> including configuration file /usr/local/etc/raddb/mods-enabled/sql
>> including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>> including files in directory /usr/local/etc/raddb/policy.d/
>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>> including configuration file /usr/local/etc/raddb/policy.d/control
>> including configuration file /usr/local/etc/raddb/policy.d/cui
>> including configuration file /usr/local/etc/raddb/policy.d/debug
>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>> including configuration file /usr/local/etc/raddb/policy.d/eap
>> including configuration file /usr/local/etc/raddb/policy.d/filter
>> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>> including files in directory /usr/local/etc/raddb/sites-enabled/
>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>> main {
>>  security {
>>   allow_core_dumps = no
>>  }
>> name = "radiusd"
>> prefix = "/usr/local"
>> localstatedir = "/var"
>> logdir = "/var/log/radius"
>> run_dir = "/var/run/radiusd"
>> }
>> main {
>> name = "radiusd"
>> prefix = "/usr/local"
>> localstatedir = "/var"
>> sbindir = "/usr/local/sbin"
>> logdir = "/var/log/radius"
>> run_dir = "/var/run/radiusd"
>> libdir = "/usr/local/lib"
>> radacctdir = "/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 16384
>> pidfile = "/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/local/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>>  log {
>>   stripped_names = no
>>   auth = no
>>   auth_badpass = no
>>   auth_goodpass = no
>>   colourise = yes
>>   msg_denied = "You are already logged in - access denied"
>>  }
>>  resources {
>>  }
>>  security {
>>   max_attributes = 200
>>   reject_delay = 1.000000
>>   status_server = yes
>>   allow_vulnerable_openssl = "no"
>>  }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>>  proxy server {
>>   retry_delay = 5
>>   retry_count = 3
>>   default_fallback = no
>>   dead_time = 120
>>   wake_all_if_all_dead = no
>>  }
>>  home_server localhost {
>>   ipaddr = 127.0.0.1
>>   port = 1812
>>   type = "auth"
>>   secret = <<< secret >>>
>>   response_window = 20.000000
>>   response_timeouts = 1
>>   max_outstanding = 65536
>>   zombie_period = 40
>>   status_check = "status-server"
>>   ping_interval = 30
>>   check_interval = 30
>>   check_timeout = 4
>>   num_answers_to_alive = 3
>>   revive_interval = 120
>>   limit {
>>   max_connections = 16
>>   max_requests = 0
>>   lifetime = 0
>>   idle_timeout = 0
>>   }
>>   coa {
>>   irt = 2
>>   mrt = 16
>>   mrc = 5
>>   mrd = 30
>>   }
>>  }
>>  home_server_pool my_auth_failover {
>> type = fail-over
>> home_server = localhost
>>  }
>>  realm example.com {
>> auth_pool = my_auth_failover
>>  }
>>  realm LOCAL {
>>  }
>> radiusd: #### Loading Clients ####
>>  client localhost {
>>   ipaddr = 127.0.0.1
>>   require_message_authenticator = no
>>   secret = <<< secret >>>
>>   nas_type = "other"
>>   proto = "*"
>>   limit {
>>   max_connections = 16
>>   lifetime = 0
>>   idle_timeout = 30
>>   }
>>  }
>>  client localhost_ipv6 {
>>   ipv6addr = ::1
>>   require_message_authenticator = no
>>   secret = <<< secret >>>
>>   limit {
>>   max_connections = 16
>>   lifetime = 0
>>   idle_timeout = 30
>>   }
>>  }
>> Debugger not attached
>>  # Creating Auth-Type = mschap
>>  # Creating Auth-Type = digest
>>  # Creating Auth-Type = eap
>>  # Creating Auth-Type = PAP
>>  # Creating Auth-Type = CHAP
>>  # Creating Auth-Type = MS-CHAP
>>  # Creating Auth-Type = opendirectory
>> radiusd: #### Instantiating modules ####
>>  modules {
>>   # Loaded module rlm_always
>>   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>   always reject {
>>   rcode = "reject"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>   always fail {
>>   rcode = "fail"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>   always ok {
>>   rcode = "ok"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>   always handled {
>>   rcode = "handled"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>   always invalid {
>>   rcode = "invalid"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>   always userlock {
>>   rcode = "userlock"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>   always notfound {
>>   rcode = "notfound"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>   always noop {
>>   rcode = "noop"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>   always updated {
>>   rcode = "updated"
>>   simulcount = 0
>>   mpp = no
>>   }
>>   # Loaded module rlm_attr_filter
>>   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>   attr_filter attr_filter.post-proxy {
>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>>   key = "%{Realm}"
>>   relaxed = no
>>   }
>>   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>   attr_filter attr_filter.pre-proxy {
>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>>   key = "%{Realm}"
>>   relaxed = no
>>   }
>>   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>   attr_filter attr_filter.access_reject {
>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>>   key = "%{User-Name}"
>>   relaxed = no
>>   }
>>   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>   attr_filter attr_filter.access_challenge {
>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>>   key = "%{User-Name}"
>>   relaxed = no
>>   }
>>   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>   attr_filter attr_filter.accounting_response {
>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>>   key = "%{User-Name}"
>>   relaxed = no
>>   }
>>   # Loaded module rlm_cache
>>   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>   cache cache_eap {
>>   driver = "rlm_cache_rbtree"
>>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>>   ttl = 15
>>   max_entries = 0
>>   epoch = 0
>>   add_stats = no
>>   }
>>   # Loaded module rlm_chap
>>   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>>   # Loaded module rlm_date
>>   # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>>   date {
>>   format = "%b %e %Y %H:%M:%S %Z"
>>   utc = no
>>   }
>>   # Loaded module rlm_detail
>>   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>   detail {
>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>   header = "%t"
>>   permissions = 384
>>   locking = no
>>   escape_filenames = no
>>   log_packet_header = no
>>   }
>>   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   detail auth_log {
>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>>   header = "%t"
>>   permissions = 384
>>   locking = no
>>   escape_filenames = no
>>   log_packet_header = no
>>   }
>>   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   detail reply_log {
>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>>   header = "%t"
>>   permissions = 384
>>   locking = no
>>   escape_filenames = no
>>   log_packet_header = no
>>   }
>>   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   detail pre_proxy_log {
>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>>   header = "%t"
>>   permissions = 384
>>   locking = no
>>   escape_filenames = no
>>   log_packet_header = no
>>   }
>>   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   detail post_proxy_log {
>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>>   header = "%t"
>>   permissions = 384
>>   locking = no
>>   escape_filenames = no
>>   log_packet_header = no
>>   }
>>   # Loaded module rlm_digest
>>   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
>>   # Loaded module rlm_dynamic_clients
>>   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>   # Loaded module rlm_eap
>>   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>   eap {
>>   default_eap_type = "ttls"
>>   timer_expire = 60
>>   ignore_unknown_eap_types = no
>>   cisco_accounting_username_bug = no
>>   max_sessions = 16384
>>   }
>>   # Loaded module rlm_exec
>>   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>>   exec echo {
>>   wait = yes
>>   program = "/bin/echo %{User-Name}"
>>   input_pairs = "request"
>>   output_pairs = "reply"
>>   shell_escape = yes
>>   }
>>   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>>   exec {
>>   wait = no
>>   input_pairs = "request"
>>   shell_escape = yes
>>   timeout = 10
>>   }
>>   # Loaded module rlm_expiration
>>   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>   # Loaded module rlm_expr
>>   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>>   expr {
>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>>   }
>>   # Loaded module rlm_files
>>   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>   files {
>>   filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>>   acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
>>   preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>>   }
>>   # Loaded module rlm_linelog
>>   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>   linelog {
>>   filename = "/var/log/radius/linelog"
>>   escape_filenames = no
>>   syslog_severity = "info"
>>   permissions = 384
>>   format = "This is a log message for %{User-Name}"
>>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>>   }
>>   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>   linelog log_accounting {
>>   filename = "/var/log/radius/linelog-accounting"
>>   escape_filenames = no
>>   syslog_severity = "info"
>>   permissions = 384
>>   format = ""
>>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>>   }
>>   # Loaded module rlm_logintime
>>   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>   logintime {
>>   minimum_timeout = 60
>>   }
>>   # Loaded module rlm_mschap
>>   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>   mschap {
>>   use_mppe = yes
>>   require_encryption = no
>>   require_strong = no
>>   with_ntdomain_hack = yes
>>    passchange {
>>    }
>>   allow_retry = yes
>>   winbind_retry_with_normalised_username = no
>>   use_open_directory = yes
>>   }
>>   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>   exec ntlm_auth {
>>   wait = yes
>>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>>   shell_escape = yes
>>   }
>>   # Loaded module rlm_opendirectory
>>   # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
>>   # Loaded module rlm_pap
>>   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>   pap {
>>   normalise = yes
>>   }
>>   # Loaded module rlm_passwd
>>   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>   passwd etc_passwd {
>>   filename = "/etc/passwd"
>>   format = "*User-Name:Crypt-Password:"
>>   delimiter = ":"
>>   ignore_nislike = no
>>   ignore_empty = yes
>>   allow_multiple_keys = no
>>   hash_size = 100
>>   }
>>   # Loaded module rlm_preprocess
>>   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>   preprocess {
>>   huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>>   hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>>   with_ascend_hack = no
>>   ascend_channels_per_line = 23
>>   with_ntdomain_hack = no
>>   with_specialix_jetstream_hack = no
>>   with_cisco_vsa_hack = no
>>   with_alvarion_vsa_hack = no
>>   }
>>   # Loaded module rlm_radutmp
>>   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
>>   radutmp {
>>   filename = "/var/log/radius/radutmp"
>>   username = "%{User-Name}"
>>   case_sensitive = yes
>>   check_with_nas = yes
>>   permissions = 384
>>   caller_id = yes
>>   }
>>   # Loaded module rlm_realm
>>   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>   realm IPASS {
>>   format = "prefix"
>>   delimiter = "/"
>>   ignore_default = no
>>   ignore_null = no
>>   }
>>   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>   realm suffix {
>>   format = "suffix"
>>   delimiter = "@"
>>   ignore_default = no
>>   ignore_null = no
>>   }
>>   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>   realm realmpercent {
>>   format = "suffix"
>>   delimiter = "%"
>>   ignore_default = no
>>   ignore_null = no
>>   }
>>   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>   realm ntdomain {
>>   format = "prefix"
>>   delimiter = "\\"
>>   ignore_default = no
>>   ignore_null = no
>>   }
>>   # Loaded module rlm_replicate
>>   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
>>   # Loaded module rlm_soh
>>   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>>   soh {
>>   dhcp = yes
>>   }
>>   # Loaded module rlm_sql
>>   # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>   sql {
>>   driver = "rlm_sql_sqlite"
>>   server = ""
>>   port = 0
>>   login = ""
>>   password = <<< secret >>>
>>   radius_db = "radius"
>>   read_groups = yes
>>   read_profiles = yes
>>   read_clients = yes
>>   delete_stale_sessions = yes
>>   sql_user_name = "%{User-Name}"
>>   default_user_profile = ""
>>   client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>>   authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>   authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>   authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>   authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>   group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
>>   simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
>>   simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>    accounting {
>>     reference = "%{tolower:type.%{Acct-Status-Type}.query}"
>>     type {
>>      accounting-on {
>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>      }
>>      accounting-off {
>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>      }
>>      start {
>>       query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
>>      }
>>      interim-update {
>>       query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>      }
>>      stop {
>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>      }
>>     }
>>    }
>>    post-auth {
>>     reference = ".query"
>>     query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
>>    }
>>   }
>> rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
>> Creating attribute SQL-Group
>>   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
>>   radutmp sradutmp {
>>   filename = "/var/log/radius/sradutmp"
>>   username = "%{User-Name}"
>>   case_sensitive = yes
>>   check_with_nas = yes
>>   permissions = 420
>>   caller_id = no
>>   }
>>   # Loaded module rlm_unix
>>   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>>   unix {
>>   radwtmp = "/var/log/radius/radwtmp"
>>   }
>> Creating attribute Unix-Group
>>   # Loaded module rlm_unpack
>>   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
>>   # Loaded module rlm_utf8
>>   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>>   instantiate {
>>   }
>>   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
>>   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
>>   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
>>   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
>>   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>>   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>>   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>    # Linked to sub-module rlm_eap_md5
>>    # Linked to sub-module rlm_eap_leap
>>    # Linked to sub-module rlm_eap_gtc
>>    gtc {
>>     challenge = "Password: "
>>     auth_type = "PAP"
>>    }
>>    # Linked to sub-module rlm_eap_tls
>>    tls {
>>     tls = "tls-common"
>>    }
>>    tls-config tls-common {
>>     verify_depth = 0
>>     ca_path = "/usr/local/etc/raddb/certs"
>>     pem_file_type = yes
>>     private_key_file = "/usr/local/etc/raddb/certs/server.key"
>>     certificate_file = "/usr/local/etc/raddb/certs/server.crt"
>>     ca_file = "/usr/local/etc/raddb/certs/ca.pem"
>>     dh_file = "/usr/local/etc/raddb/certs/dh"
>>     random_file = "/dev/urandom"
>>     fragment_size = 1024
>>     include_length = yes
>>     auto_chain = yes
>>     check_crl = no
>>     check_all_crl = no
>>     cipher_list = "DEFAULT"
>>     cipher_server_preference = no
>>     ecdh_curve = "prime256v1"
>>     tls_max_version = ""
>>     tls_min_version = "1.0"
>>     cache {
>>     enable = no
>>     lifetime = 24
>>     max_entries = 255
>>     }
>>     verify {
>>     skip_if_ocsp_ok = no
>>     }
>>     ocsp {
>>     enable = no
>>     override_cert_url = yes
>>     url = "http://127.0.0.1/ocsp/"
>>     use_nonce = yes
>>     timeout = 0
>>     softfail = no
>>     }
>>    }
>>    # Linked to sub-module rlm_eap_ttls
>>    ttls {
>>     tls = "tls-common"
>>     default_eap_type = "mschapv2"
>>     copy_request_to_tunnel = no
>>     use_tunneled_reply = no
>>     virtual_server = "inner-tunnel"
>>     include_length = yes
>>     require_client_cert = no
>>    }
>> tls: Using cached TLS configuration from previous invocation
>>    # Linked to sub-module rlm_eap_peap
>>    peap {
>>     tls = "tls-common"
>>     default_eap_type = "mschapv2"
>>     copy_request_to_tunnel = no
>>     use_tunneled_reply = no
>>     proxy_tunneled_request_as_eap = yes
>>     virtual_server = "inner-tunnel"
>>     soh = no
>>     require_client_cert = no
>>    }
>> tls: Using cached TLS configuration from previous invocation
>>    # Linked to sub-module rlm_eap_mschapv2
>>    mschapv2 {
>>     with_ntdomain_hack = no
>>     send_error = no
>>    }
>>   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
>> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
>> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
>> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
>>   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>> rlm_mschap (mschap): using internal authentication
>>   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>>   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>>   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>   # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>> rlm_sql_sqlite: libsqlite version: 3.19.3
>>    sqlite {
>>     filename = "/var/db/radius/freeradius.db"
>>     busy_timeout = 200
>>    }
>> rlm_sql (sql): Attempting to connect to database "radius"
>> rlm_sql (sql): Initialising connection pool
>>    pool {
>>     start = 5
>>     min = 3
>>     max = 32
>>     spare = 10
>>     uses = 0
>>     lifetime = 0
>>     cleanup_interval = 30
>>     idle_timeout = 60
>>     retry_delay = 30
>>     spread = no
>>    }
>> rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>> rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>> rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>> rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>> rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>> rlm_sql (sql): Processing generate_sql_clients
>> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
>> rlm_sql (sql): Reserved connection (0)
>> rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
>> rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
>> rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
>> rlm_sql (sql): Released connection (0)
>> Need 5 more connections to reach 10 spares
>> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>  } # modules
>> radiusd: #### Loading Virtual Servers ####
>> server { # from file /usr/local/etc/raddb/radiusd.conf
>> } # server
>> server default { # from file /usr/local/etc/raddb/sites-enabled/default
>>  # Loading authenticate {...}
>>  # Loading authorize {...}
>>  # Loading preacct {...}
>>  # Loading accounting {...}
>>  # Loading post-proxy {...}
>>  # Loading post-auth {...}
>> } # server default
>> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>  # Loading authenticate {...}
>>  # Loading authorize {...}
>> Ignoring "ldap" (see raddb/mods-available/README.rst)
>>  # Loading session {...}
>>  # Loading post-proxy {...}
>>  # Loading post-auth {...}
>>  # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
>> } # server inner-tunnel
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>>   type = "auth"
>>   ipaddr = *
>>   port = 0
>>    limit {
>>     max_connections = 16
>>     lifetime = 0
>>     idle_timeout = 30
>>    }
>> }
>> listen {
>>   type = "acct"
>>   ipaddr = *
>>   port = 0
>>    limit {
>>     max_connections = 16
>>     lifetime = 0
>>     idle_timeout = 30
>>    }
>> }
>> listen {
>>   type = "auth"
>>   ipv6addr = ::
>>   port = 0
>>    limit {
>>     max_connections = 16
>>     lifetime = 0
>>     idle_timeout = 30
>>    }
>> }
>> listen {
>>   type = "acct"
>>   ipv6addr = ::
>>   port = 0
>>    limit {
>>     max_connections = 16
>>     lifetime = 0
>>     idle_timeout = 30
>>    }
>> }
>> listen {
>>   type = "auth"
>>   ipaddr = 127.0.0.1
>>   port = 18120
>> }
>> Listening on auth address * port 1812 bound to server default
>> Listening on acct address * port 1813 bound to server default
>> Listening on auth address :: port 1812 bound to server default
>> Listening on acct address :: port 1813 bound to server default
>> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>> Listening on proxy address * port 59453
>> Listening on proxy address :: port 59454
>> Ready to process requests
>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>> (0)   Service-Type = Framed-User
>> (0)   Framed-Protocol = PPP
>> (0)   User-Name = "eric"
>> (0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
>> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
>> (0)   NAS-IP-Address = 127.0.1.1
>> (0)   NAS-Port = 0
>> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>> (0)   authorize {
>> (0)     policy filter_username {
>> (0)       if (&User-Name) {
>> (0)       if (&User-Name)  -> TRUE
>> (0)       if (&User-Name)  {
>> (0)         if (&User-Name =~ / /) {
>> (0)         if (&User-Name =~ / /)  -> FALSE
>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (0)         if (&User-Name =~ /\.\./ ) {
>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>> (0)         if (&User-Name =~ /\.$/)  {
>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>> (0)         if (&User-Name =~ /@\./)  {
>> (0)         if (&User-Name =~ /@\./)   -> FALSE
>> (0)       } # if (&User-Name)  = notfound
>> (0)     } # policy filter_username = notfound
>> (0)     [preprocess] = ok
>> (0)     [chap] = noop
>> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>> (0)     [mschap] = ok
>> (0)     [digest] = noop
>> (0) suffix: Checking for suffix after "@"
>> (0) suffix: No '@' in User-Name = "eric", looking up realm NULL
>> (0) suffix: No such realm "NULL"
>> (0)     [suffix] = noop
>> (0) eap: No EAP-Message, not doing EAP
>> (0)     [eap] = noop
>> (0) files: users: Matched entry DEFAULT at line 181
>> (0)     [files] = ok
>> (0) opendirectory: The host 192.168.1.1 does not have an access group.
>> (0)     [opendirectory] = ok
>> (0) sql: EXPAND %{User-Name}
>> (0) sql:    --> eric
>> (0) sql: SQL-User-Name set to 'eric'
>> rlm_sql (sql): Reserved connection (1)
>> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
>> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>> (0) sql: User not found in any groups
>> rlm_sql (sql): Released connection (1)
>> Need 4 more connections to reach 10 spares
>> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>> (0)     [sql] = notfound
>> (0)     [expiration] = noop
>> (0)     [logintime] = noop
>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
>> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
>> (0)     [pap] = noop
>> (0)   } # authorize = ok
>> (0) Found Auth-Type = mschap
>> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>> (0)   authenticate {
>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
>> (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
>> (0) mschap:   Stepbuf server challenge :
>> ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
>> (0) mschap:   Stepbuf peer challenge   :
>> ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
>> (0) mschap:   Stepbuf p24              :
>> 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
>> (0)     [mschap] = ok
>> (0)   } # authenticate = ok
>> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
>> (0)   post-auth {
>> (0)     update {
>> (0)       No attributes updated
>> (0)     } # update = noop
>> (0) sql: EXPAND .query
>> (0) sql:    --> .query
>> (0) sql: Using query template 'query'
>> rlm_sql (sql): Reserved connection (2)
>> (0) sql: EXPAND %{User-Name}
>> (0) sql:    --> eric
>> (0) sql: SQL-User-Name set to 'eric'
>> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
>> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>> (0) sql: SQL query returned: success
>> (0) sql: 1 record(s) updated
>> rlm_sql (sql): Released connection (2)
>> (0)     [sql] = ok
>> (0)     [exec] = noop
>> (0)     policy remove_reply_message_if_eap {
>> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>> (0)       else {
>> (0)         [noop] = noop
>> (0)       } # else = noop
>> (0)     } # policy remove_reply_message_if_eap = noop
>> (0)   } # post-auth = ok
>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
>> (0)   Framed-Protocol = PPP
>> (0)   Framed-Compression = Van-Jacobson-TCP-IP
>> (0) Finished request
>> Waking up in 4.9 seconds.
>> (0) Cleaning up request packet ID 0 with timestamp +27
>> Ready to process requests
>>
>>
>>> On Dec 2, 2018, at 9:47 PM, Eric Wittle <[hidden email]> wrote:
>>>
>>> I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf, pages 12-16), authentication fails.
>>>
>>> I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
>>>
>>> Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
>>>
>>> Thanks in advance.
>>>
>>> -Eric
>>>
>>> <debugfile>
>>>
>>
>

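The three "Stepbuf" lines in the quoted 3.0.17 debug output look garbled, but the runs of ffffff are only what C's printf emits for %02x when each byte is passed as a signed char: every byte at or above 0x80 is sign-extended to a negative int before formatting. Stripping those prefixes gives back exactly the MS-CHAP-Challenge, the peer challenge and the 24-byte NT-Response from the request, so the bytes the mschap module hands to OpenDirectory are the ones the NAS sent. The script below is an added example, not FreeRADIUS code: it parses the MS-CHAP2-Response attribute into its RFC 2548 fields, reproduces and reverses the sign-extended dump, and derives the RFC 2759 ChallengeHash that the server computes from the same inputs. All constants are copied from request (0) in the quoted log; nothing else is assumed.

```python
"""Read the MS-CHAPv2 material from the quoted radiusd -X output.

Added example, not FreeRADIUS code.  The attribute values and the three
"Stepbuf" lines below are copied from request (0) in the quoted debug log.
"""
import hashlib
import re

# Copied from the quoted debug output for request (0).
MSCHAP_CHALLENGE_HEX = "a44a52e59a4f962b746b666bbe7f01d0"
MSCHAP2_RESPONSE_HEX = (
    "21009c4d4f0f11d45c28c3329de6c537a41c0000000000000000"
    "5bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562"
)
USER_NAME = "eric"
STEPBUF_SERVER_CHALLENGE = "ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0"
STEPBUF_PEER_CHALLENGE = "ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c"
STEPBUF_P24 = ("5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466"
               "ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562")


def parse_mschap2_response(raw: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548, section 2.3.3)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    ident, flags = raw[0], raw[1]
    peer_challenge, reserved, nt_response = raw[2:18], raw[18:26], raw[26:50]
    if flags != 0:
        raise ValueError("Flags byte must be zero for MS-CHAPv2")
    if reserved != bytes(8):
        raise ValueError("Reserved field must be all zeros")
    return {"ident": ident, "peer_challenge": peer_challenge,
            "nt_response": nt_response}


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: first 8 bytes of SHA-1."""
    # The username is the bare account name, without any domain prefix.
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def sign_extended_hex(data: bytes) -> str:
    """Reproduce what C's printf("%02x", c) prints when c is a signed char.

    Bytes >= 0x80 are negative as a signed char, are promoted to a negative
    int, and on the usual 32-bit int print as eight digits with an ffffff prefix.
    """
    return "".join(f"{(b - 256) & 0xffffffff:02x}" if b >= 0x80 else f"{b:02x}"
                   for b in data)


def decode_sign_extended_hex(dump: str) -> bytes:
    """Recover the original bytes from such a dump by dropping each ffffff prefix."""
    tokens = re.findall(r"(?:ffffff)?([0-9a-f]{2})", dump.lower())
    return bytes(int(tok, 16) for tok in tokens)


def check_debug_output() -> dict:
    """Cross-check the Stepbuf lines against the request attributes.

    Each *_matches entry is True when the decoded Stepbuf line equals the
    corresponding bytes of the request; challenge_hash is the 8-byte value
    the server derives before the NT-Response can be verified.
    """
    auth_challenge = bytes.fromhex(MSCHAP_CHALLENGE_HEX)
    fields = parse_mschap2_response(bytes.fromhex(MSCHAP2_RESPONSE_HEX))
    return {
        "server_challenge_matches":
            decode_sign_extended_hex(STEPBUF_SERVER_CHALLENGE) == auth_challenge,
        "peer_challenge_matches":
            decode_sign_extended_hex(STEPBUF_PEER_CHALLENGE) == fields["peer_challenge"],
        "p24_matches":
            decode_sign_extended_hex(STEPBUF_P24) == fields["nt_response"],
        "dump_reproduced":
            sign_extended_hex(auth_challenge) == STEPBUF_SERVER_CHALLENGE,
        "challenge_hash":
            challenge_hash(fields["peer_challenge"], auth_challenge, USER_NAME),
    }


if __name__ == "__main__":
    for key, value in check_debug_output().items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
```

Run it directly and each of the four match checks comes out True for the values on the page. What the page does show differing is the reply, not the request: further down the thread the 2.2.10 Access-Accept carries an MS-CHAP2-Success attribute, while the 3.0.17 Access-Accept lists only Framed-Protocol and Framed-Compression, and an MS-CHAPv2 peer needs that authenticator response to complete mutual authentication.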

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
In case it helps, I’m including the packet-handling result from the OS X Server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.

-Eric

rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "eric"
        MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
        MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "eric", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 178
++[files] = ok
[opendirectory] The host 192.168.1.1 does not have an access group.
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: eric
[mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Successful authentication for eric
++[mschap] = ok
+} # group MS-CHAP = ok
Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net port 0)
# Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 2 to 192.168.1.1 port 60795
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
        Acct-Session-Id = "5C0514303B2A00"
        User-Name = "eric"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 192.168.6.100
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Acct-Delay-Time = 0
# Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
[acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "eric", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1
[detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] expand: %t -> Mon Dec  3 06:32:00 2018
++[detail] = ok
++[exec] = noop
[attr_filter.accounting_response] expand: %{User-Name} -> eric
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
Finished request 1.
Cleaning up request 1 ID 3 with timestamp +23
Going to the next request
Waking up in 4.3 seconds.
Cleaning up request 0 ID 2 with timestamp +22
Ready to process requests.

> On Dec 3, 2018, at 6:26 AM, Eric Wittle <[hidden email]> wrote:
>
> OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
>
> Dec  3 2018 06:21:55 123216us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>
> So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
>
> -Eric
>
>> On Dec 3, 2018, at 6:14 AM, Eric Wittle <[hidden email]> wrote:
>>
>> Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
>>
>> The contents of ApplePasswordServer.Error.Log
>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
>> -- Start: Server rolled log on: Nov 13 2018 21:17:19 --
>> Dec  2 2018 14:52:47 819295us    Requested SASL mechanism not loaded: SMB-NT
>> Dec  2 2018 15:03:43 692394us    Requested SASL mechanism not loaded: SMB-NT
>> Dec  2 2018 15:07:34 139111us    Requested SASL mechanism not loaded: SMB-NT
>>
>> The tail end of ApplePasswordServer.Server.Log
>>
>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
>> Dec  2 2018 14:52:43 233320us    Stopping server processes ...
>> Dec  2 2018 14:52:43 234062us    Closing all incoming connections ...
>> Dec  2 2018 14:52:43 234097us    StopCentralThreads: Stopping Connection Listeners ...
>> Dec  2 2018 14:52:43 234645us    StopCentralThreads: Current Threads: 10
>> Dec  2 2018 14:52:43 234669us    Stopping Network Processes ...
>> Dec  2 2018 14:52:43 234682us    Deinitializing networking ...
>> Dec  2 2018 14:52:43 234701us    Server Processes Stopped ...
>> Dec  2 2018 14:52:43 234718us    RunAppThread Stopped
>> Dec  2 2018 14:52:43 234747us    RunAppThread Deleted
>> Dec  2 2018 14:52:47 755661us    Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec  2 14:52:47 2018
>> .
>> Dec  2 2018 14:52:47 755702us    RunAppThread Created
>> Dec  2 2018 14:52:47 755746us    RunAppThread Started
>> Dec  2 2018 14:52:47 755760us    Initializing Server Globals ...
>> Dec  2 2018 14:52:47 768754us    Initializing Networking ...
>> Dec  2 2018 14:52:47 768819us    Initializing TCP ...
>> Dec  2 2018 14:52:47 819245us    SASL is using realm "MAIL.WITTLE.NET"
>> Dec  2 2018 14:52:47 824367us    Starting Central Thread ...
>> Dec  2 2018 14:52:47 824401us    Starting other server processes ...
>> Dec  2 2018 14:52:47 824412us    StartCentralThreads: 1 threads to stop
>> Dec  2 2018 14:52:47 824451us    Initializing TCP ...
>> Dec  2 2018 14:52:47 824580us    Starting TCP/IP Listener on ethernet interface, port 106
>> Dec  2 2018 14:52:47 824630us    Starting TCP/IP Listener on ethernet interface, port 3659
>> Dec  2 2018 14:52:47 824723us    Starting TCP/IP Listener on interface lo0, port 106
>> Dec  2 2018 14:52:47 824762us    Starting TCP/IP Listener on interface lo0, port 3659
>> Dec  2 2018 14:52:47 824800us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>> Dec  2 2018 14:52:47 824820us    Starting UNIX domain socket listener /var/run/passwordserver
>> Dec  2 2018 14:52:47 825558us    Finished starting other server processes ...
>> Dec  2 2018 14:52:47 825582us    -- Password Server successfully started --
>> Dec  2 2018 14:52:47 825592us    -- Start time: 0 sec, 74 msec --
>> Dec  2 2018 15:03:32 701865us    Stopping server processes ...
>> Dec  2 2018 15:03:32 702676us    Closing all incoming connections ...
>> Dec  2 2018 15:03:32 702706us    StopCentralThreads: Stopping Connection Listeners ...
>> Dec  2 2018 15:03:32 703903us    StopCentralThreads: Current Threads: 3
>> Dec  2 2018 15:03:32 703930us    Stopping Network Processes ...
>> Dec  2 2018 15:03:32 703944us    Deinitializing networking ...
>> Dec  2 2018 15:03:32 703960us    Server Processes Stopped ...
>> Dec  2 2018 15:03:32 703977us    RunAppThread Stopped
>> Dec  2 2018 15:03:32 703989us    RunAppThread Deleted
>> Dec  2 2018 15:03:33 705899us    Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec  2 15:03:33 2018
>> .
>> Dec  2 2018 15:03:43 644217us    Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec  2 15:03:43 2018
>> .
>> Dec  2 2018 15:03:43 644253us    RunAppThread Created
>> Dec  2 2018 15:03:43 644295us    RunAppThread Started
>> Dec  2 2018 15:03:43 644316us    Initializing Server Globals ...
>> Dec  2 2018 15:03:43 677609us    Initializing Networking ...
>> Dec  2 2018 15:03:43 677736us    Initializing TCP ...
>> Dec  2 2018 15:03:43 692357us    SASL is using realm "MAIL.WITTLE.NET"
>> Dec  2 2018 15:03:43 692877us    Starting Central Thread ...
>> Dec  2 2018 15:03:43 692895us    Starting other server processes ...
>> Dec  2 2018 15:03:43 692905us    StartCentralThreads: 1 threads to stop
>> Dec  2 2018 15:03:43 692938us    Initializing TCP ...
>> Dec  2 2018 15:03:43 693040us    Starting TCP/IP Listener on ethernet interface, port 106
>> Dec  2 2018 15:03:43 693082us    Starting TCP/IP Listener on ethernet interface, port 3659
>> Dec  2 2018 15:03:43 693110us    Starting TCP/IP Listener on interface lo0, port 106
>> Dec  2 2018 15:03:43 693133us    Starting TCP/IP Listener on interface lo0, port 3659
>> Dec  2 2018 15:03:43 693156us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>> Dec  2 2018 15:03:43 693167us    Starting UNIX domain socket listener /var/run/passwordserver
>> Dec  2 2018 15:03:43 694190us    Finished starting other server processes ...
>> Dec  2 2018 15:03:43 694212us    -- Password Server successfully started --
>> Dec  2 2018 15:03:43 694222us    -- Start time: 0 sec, 54 msec --
>> Dec  2 2018 15:05:24 289083us    Stopping server processes ...
>> Dec  2 2018 15:05:24 289128us    Closing all incoming connections ...
>> Dec  2 2018 15:05:24 289150us    StopCentralThreads: Stopping Connection Listeners ...
>> Dec  2 2018 15:05:24 290059us    StopCentralThreads: Current Threads: 3
>> Dec  2 2018 15:05:24 290086us    Stopping Network Processes ...
>> Dec  2 2018 15:05:24 290098us    Deinitializing networking ...
>> Dec  2 2018 15:05:24 290113us    Server Processes Stopped ...
>> Dec  2 2018 15:05:24 290129us    RunAppThread Stopped
>> Dec  2 2018 15:05:24 290142us    RunAppThread Deleted
>> Dec  2 2018 15:05:26 221197us    Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec  2 15:05:26 2018
>> .
>> Dec  2 2018 15:07:34 103685us    Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec  2 15:07:34 2018
>> .
>> Dec  2 2018 15:07:34 103718us    RunAppThread Created
>> Dec  2 2018 15:07:34 103758us    RunAppThread Started
>> Dec  2 2018 15:07:34 103779us    Initializing Server Globals ...
>> Dec  2 2018 15:07:34 118899us    Initializing Networking ...
>> Dec  2 2018 15:07:34 118961us    Initializing TCP ...
>> Dec  2 2018 15:07:34 139076us    SASL is using realm "MAIL.WITTLE.NET"
>> Dec  2 2018 15:07:34 139134us    Starting Central Thread ...
>> Dec  2 2018 15:07:34 139141us    Starting other server processes ...
>> Dec  2 2018 15:07:34 139147us    StartCentralThreads: 1 threads to stop
>> Dec  2 2018 15:07:34 139174us    Initializing TCP ...
>> Dec  2 2018 15:07:34 139265us    Starting TCP/IP Listener on ethernet interface, port 106
>> Dec  2 2018 15:07:34 139302us    Starting TCP/IP Listener on ethernet interface, port 3659
>> Dec  2 2018 15:07:34 139322us    Starting TCP/IP Listener on interface lo0, port 106
>> Dec  2 2018 15:07:34 139350us    Starting TCP/IP Listener on interface lo0, port 3659
>> Dec  2 2018 15:07:34 139443us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>> Dec  2 2018 15:07:34 139462us    Starting UNIX domain socket listener /var/run/passwordserver
>> Dec  2 2018 15:07:34 140156us    Finished starting other server processes ...
>> Dec  2 2018 15:07:34 140178us    -- Password Server successfully started --
>> Dec  2 2018 15:07:34 140190us    -- Start time: 0 sec, 41 msec --
>> Dec  2 2018 20:01:57 945387us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>> Dec  2 2018 20:35:44 395239us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>> Dec  2 2018 20:37:17 158109us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>> Dec  2 2018 20:37:43 63472us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>> Dec  2 2018 21:17:05 402081us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>> Dec  2 2018 21:37:24 961075us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>
>> It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stopping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
>>
>> I’ll take a look and see if radiusconfig is a script…
>>
>> -Eric
>>
>>> On Dec 3, 2018, at 5:41 AM, Eric Wittle <[hidden email]> wrote:
>>>
>>> Pasted this time…
>>>
>>> FreeRADIUS Version 3.0.17
>>> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
>>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>>> PARTICULAR PURPOSE
>>> You may redistribute copies of FreeRADIUS under the terms of the
>>> GNU General Public License
>>> For more information about these matters, see the file named COPYRIGHT
>>> Starting - reading configuration files ...
>>> including dictionary file /usr/local/share/freeradius/dictionary
>>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>>> including dictionary file /usr/local/etc/raddb/dictionary
>>> including configuration file /usr/local/etc/raddb/radiusd.conf
>>> including configuration file /usr/local/etc/raddb/proxy.conf
>>> including configuration file /usr/local/etc/raddb/clients.conf
>>> including files in directory /usr/local/etc/raddb/mods-enabled/
>>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>>> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
>>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>>> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>> including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
>>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>>> including configuration file /usr/local/etc/raddb/mods-enabled/sql
>>> including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
>>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>>> including files in directory /usr/local/etc/raddb/policy.d/
>>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>>> including configuration file /usr/local/etc/raddb/policy.d/control
>>> including configuration file /usr/local/etc/raddb/policy.d/cui
>>> including configuration file /usr/local/etc/raddb/policy.d/debug
>>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>>> including configuration file /usr/local/etc/raddb/policy.d/eap
>>> including configuration file /usr/local/etc/raddb/policy.d/filter
>>> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>>> including files in directory /usr/local/etc/raddb/sites-enabled/
>>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>>> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>> main {
>>>  security {
>>>   allow_core_dumps = no
>>>  }
>>> name = "radiusd"
>>> prefix = "/usr/local"
>>> localstatedir = "/var"
>>> logdir = "/var/log/radius"
>>> run_dir = "/var/run/radiusd"
>>> }
>>> main {
>>> name = "radiusd"
>>> prefix = "/usr/local"
>>> localstatedir = "/var"
>>> sbindir = "/usr/local/sbin"
>>> logdir = "/var/log/radius"
>>> run_dir = "/var/run/radiusd"
>>> libdir = "/usr/local/lib"
>>> radacctdir = "/var/log/radius/radacct"
>>> hostname_lookups = no
>>> max_request_time = 30
>>> cleanup_delay = 5
>>> max_requests = 16384
>>> pidfile = "/var/run/radiusd/radiusd.pid"
>>> checkrad = "/usr/local/sbin/checkrad"
>>> debug_level = 0
>>> proxy_requests = yes
>>>  log {
>>>   stripped_names = no
>>>   auth = no
>>>   auth_badpass = no
>>>   auth_goodpass = no
>>>   colourise = yes
>>>   msg_denied = "You are already logged in - access denied"
>>>  }
>>>  resources {
>>>  }
>>>  security {
>>>   max_attributes = 200
>>>   reject_delay = 1.000000
>>>   status_server = yes
>>>   allow_vulnerable_openssl = "no"
>>>  }
>>> }
>>> radiusd: #### Loading Realms and Home Servers ####
>>>  proxy server {
>>>   retry_delay = 5
>>>   retry_count = 3
>>>   default_fallback = no
>>>   dead_time = 120
>>>   wake_all_if_all_dead = no
>>>  }
>>>  home_server localhost {
>>>   ipaddr = 127.0.0.1
>>>   port = 1812
>>>   type = "auth"
>>>   secret = <<< secret >>>
>>>   response_window = 20.000000
>>>   response_timeouts = 1
>>>   max_outstanding = 65536
>>>   zombie_period = 40
>>>   status_check = "status-server"
>>>   ping_interval = 30
>>>   check_interval = 30
>>>   check_timeout = 4
>>>   num_answers_to_alive = 3
>>>   revive_interval = 120
>>>   limit {
>>>   max_connections = 16
>>>   max_requests = 0
>>>   lifetime = 0
>>>   idle_timeout = 0
>>>   }
>>>   coa {
>>>   irt = 2
>>>   mrt = 16
>>>   mrc = 5
>>>   mrd = 30
>>>   }
>>>  }
>>>  home_server_pool my_auth_failover {
>>> type = fail-over
>>> home_server = localhost
>>>  }
>>>  realm example.com {
>>> auth_pool = my_auth_failover
>>>  }
>>>  realm LOCAL {
>>>  }
>>> radiusd: #### Loading Clients ####
>>>  client localhost {
>>>   ipaddr = 127.0.0.1
>>>   require_message_authenticator = no
>>>   secret = <<< secret >>>
>>>   nas_type = "other"
>>>   proto = "*"
>>>   limit {
>>>   max_connections = 16
>>>   lifetime = 0
>>>   idle_timeout = 30
>>>   }
>>>  }
>>>  client localhost_ipv6 {
>>>   ipv6addr = ::1
>>>   require_message_authenticator = no
>>>   secret = <<< secret >>>
>>>   limit {
>>>   max_connections = 16
>>>   lifetime = 0
>>>   idle_timeout = 30
>>>   }
>>>  }
>>> Debugger not attached
>>>  # Creating Auth-Type = mschap
>>>  # Creating Auth-Type = digest
>>>  # Creating Auth-Type = eap
>>>  # Creating Auth-Type = PAP
>>>  # Creating Auth-Type = CHAP
>>>  # Creating Auth-Type = MS-CHAP
>>>  # Creating Auth-Type = opendirectory
>>> radiusd: #### Instantiating modules ####
>>>  modules {
>>>   # Loaded module rlm_always
>>>   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always reject {
>>>   rcode = "reject"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always fail {
>>>   rcode = "fail"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always ok {
>>>   rcode = "ok"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always handled {
>>>   rcode = "handled"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always invalid {
>>>   rcode = "invalid"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always userlock {
>>>   rcode = "userlock"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always notfound {
>>>   rcode = "notfound"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always noop {
>>>   rcode = "noop"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>   always updated {
>>>   rcode = "updated"
>>>   simulcount = 0
>>>   mpp = no
>>>   }
>>>   # Loaded module rlm_attr_filter
>>>   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>   attr_filter attr_filter.post-proxy {
>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>>>   key = "%{Realm}"
>>>   relaxed = no
>>>   }
>>>   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>   attr_filter attr_filter.pre-proxy {
>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>>>   key = "%{Realm}"
>>>   relaxed = no
>>>   }
>>>   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>   attr_filter attr_filter.access_reject {
>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>>>   key = "%{User-Name}"
>>>   relaxed = no
>>>   }
>>>   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>   attr_filter attr_filter.access_challenge {
>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>>>   key = "%{User-Name}"
>>>   relaxed = no
>>>   }
>>>   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>   attr_filter attr_filter.accounting_response {
>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>>>   key = "%{User-Name}"
>>>   relaxed = no
>>>   }
>>>   # Loaded module rlm_cache
>>>   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>   cache cache_eap {
>>>   driver = "rlm_cache_rbtree"
>>>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>>>   ttl = 15
>>>   max_entries = 0
>>>   epoch = 0
>>>   add_stats = no
>>>   }
>>>   # Loaded module rlm_chap
>>>   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>>>   # Loaded module rlm_date
>>>   # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>>>   date {
>>>   format = "%b %e %Y %H:%M:%S %Z"
>>>   utc = no
>>>   }
>>>   # Loaded module rlm_detail
>>>   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>   detail {
>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>>   header = "%t"
>>>   permissions = 384
>>>   locking = no
>>>   escape_filenames = no
>>>   log_packet_header = no
>>>   }
>>>   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   detail auth_log {
>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>>>   header = "%t"
>>>   permissions = 384
>>>   locking = no
>>>   escape_filenames = no
>>>   log_packet_header = no
>>>   }
>>>   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   detail reply_log {
>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>>>   header = "%t"
>>>   permissions = 384
>>>   locking = no
>>>   escape_filenames = no
>>>   log_packet_header = no
>>>   }
>>>   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   detail pre_proxy_log {
>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>>>   header = "%t"
>>>   permissions = 384
>>>   locking = no
>>>   escape_filenames = no
>>>   log_packet_header = no
>>>   }
>>>   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   detail post_proxy_log {
>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>>>   header = "%t"
>>>   permissions = 384
>>>   locking = no
>>>   escape_filenames = no
>>>   log_packet_header = no
>>>   }
>>>   # Loaded module rlm_digest
>>>   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
>>>   # Loaded module rlm_dynamic_clients
>>>   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>   # Loaded module rlm_eap
>>>   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>   eap {
>>>   default_eap_type = "ttls"
>>>   timer_expire = 60
>>>   ignore_unknown_eap_types = no
>>>   cisco_accounting_username_bug = no
>>>   max_sessions = 16384
>>>   }
>>>   # Loaded module rlm_exec
>>>   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>>>   exec echo {
>>>   wait = yes
>>>   program = "/bin/echo %{User-Name}"
>>>   input_pairs = "request"
>>>   output_pairs = "reply"
>>>   shell_escape = yes
>>>   }
>>>   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>>>   exec {
>>>   wait = no
>>>   input_pairs = "request"
>>>   shell_escape = yes
>>>   timeout = 10
>>>   }
>>>   # Loaded module rlm_expiration
>>>   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>   # Loaded module rlm_expr
>>>   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>>>   expr {
>>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>>>   }
>>>   # Loaded module rlm_files
>>>   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>   files {
>>>   filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>>>   acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
>>>   preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>>>   }
>>>   # Loaded module rlm_linelog
>>>   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>   linelog {
>>>   filename = "/var/log/radius/linelog"
>>>   escape_filenames = no
>>>   syslog_severity = "info"
>>>   permissions = 384
>>>   format = "This is a log message for %{User-Name}"
>>>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>>>   }
>>>   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>   linelog log_accounting {
>>>   filename = "/var/log/radius/linelog-accounting"
>>>   escape_filenames = no
>>>   syslog_severity = "info"
>>>   permissions = 384
>>>   format = ""
>>>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>>>   }
>>>   # Loaded module rlm_logintime
>>>   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>   logintime {
>>>   minimum_timeout = 60
>>>   }
>>>   # Loaded module rlm_mschap
>>>   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>   mschap {
>>>   use_mppe = yes
>>>   require_encryption = no
>>>   require_strong = no
>>>   with_ntdomain_hack = yes
>>>    passchange {
>>>    }
>>>   allow_retry = yes
>>>   winbind_retry_with_normalised_username = no
>>>   use_open_directory = yes
>>>   }
>>>   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>   exec ntlm_auth {
>>>   wait = yes
>>>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>>>   shell_escape = yes
>>>   }
>>>   # Loaded module rlm_opendirectory
>>>   # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>   # Loaded module rlm_pap
>>>   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>   pap {
>>>   normalise = yes
>>>   }
>>>   # Loaded module rlm_passwd
>>>   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>   passwd etc_passwd {
>>>   filename = "/etc/passwd"
>>>   format = "*User-Name:Crypt-Password:"
>>>   delimiter = ":"
>>>   ignore_nislike = no
>>>   ignore_empty = yes
>>>   allow_multiple_keys = no
>>>   hash_size = 100
>>>   }
>>>   # Loaded module rlm_preprocess
>>>   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>   preprocess {
>>>   huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>>>   hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>>>   with_ascend_hack = no
>>>   ascend_channels_per_line = 23
>>>   with_ntdomain_hack = no
>>>   with_specialix_jetstream_hack = no
>>>   with_cisco_vsa_hack = no
>>>   with_alvarion_vsa_hack = no
>>>   }
>>>   # Loaded module rlm_radutmp
>>>   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
>>>   radutmp {
>>>   filename = "/var/log/radius/radutmp"
>>>   username = "%{User-Name}"
>>>   case_sensitive = yes
>>>   check_with_nas = yes
>>>   permissions = 384
>>>   caller_id = yes
>>>   }
>>>   # Loaded module rlm_realm
>>>   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   realm IPASS {
>>>   format = "prefix"
>>>   delimiter = "/"
>>>   ignore_default = no
>>>   ignore_null = no
>>>   }
>>>   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   realm suffix {
>>>   format = "suffix"
>>>   delimiter = "@"
>>>   ignore_default = no
>>>   ignore_null = no
>>>   }
>>>   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   realm realmpercent {
>>>   format = "suffix"
>>>   delimiter = "%"
>>>   ignore_default = no
>>>   ignore_null = no
>>>   }
>>>   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   realm ntdomain {
>>>   format = "prefix"
>>>   delimiter = "\\"
>>>   ignore_default = no
>>>   ignore_null = no
>>>   }
>>>   # Loaded module rlm_replicate
>>>   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
>>>   # Loaded module rlm_soh
>>>   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>>>   soh {
>>>   dhcp = yes
>>>   }
>>>   # Loaded module rlm_sql
>>>   # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>   sql {
>>>   driver = "rlm_sql_sqlite"
>>>   server = ""
>>>   port = 0
>>>   login = ""
>>>   password = <<< secret >>>
>>>   radius_db = "radius"
>>>   read_groups = yes
>>>   read_profiles = yes
>>>   read_clients = yes
>>>   delete_stale_sessions = yes
>>>   sql_user_name = "%{User-Name}"
>>>   default_user_profile = ""
>>>   client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>>>   authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>   authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>   authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>   authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>   group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
>>>   simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
>>>   simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
>>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>>    accounting {
>>>     reference = "%{tolower:type.%{Acct-Status-Type}.query}"
>>>     type {
>>>      accounting-on {
>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>      }
>>>      accounting-off {
>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>      }
>>>      start {
>>>       query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
>>>      }
>>>      interim-update {
>>>       query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>      }
>>>      stop {
>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>      }
>>>     }
>>>    }
>>>    post-auth {
>>>     reference = ".query"
>>>     query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
>>>    }
>>>   }
>>> rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
>>> Creating attribute SQL-Group
>>>   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>   radutmp sradutmp {
>>>   filename = "/var/log/radius/sradutmp"
>>>   username = "%{User-Name}"
>>>   case_sensitive = yes
>>>   check_with_nas = yes
>>>   permissions = 420
>>>   caller_id = no
>>>   }
>>>   # Loaded module rlm_unix
>>>   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>>>   unix {
>>>   radwtmp = "/var/log/radius/radwtmp"
>>>   }
>>> Creating attribute Unix-Group
>>>   # Loaded module rlm_unpack
>>>   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
>>>   # Loaded module rlm_utf8
>>>   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>>>   instantiate {
>>>   }
>>>   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
>>>   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
>>>   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>>   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
>>>   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
>>>   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>>>   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>>>   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>    # Linked to sub-module rlm_eap_md5
>>>    # Linked to sub-module rlm_eap_leap
>>>    # Linked to sub-module rlm_eap_gtc
>>>    gtc {
>>>     challenge = "Password: "
>>>     auth_type = "PAP"
>>>    }
>>>    # Linked to sub-module rlm_eap_tls
>>>    tls {
>>>     tls = "tls-common"
>>>    }
>>>    tls-config tls-common {
>>>     verify_depth = 0
>>>     ca_path = "/usr/local/etc/raddb/certs"
>>>     pem_file_type = yes
>>>     private_key_file = "/usr/local/etc/raddb/certs/server.key"
>>>     certificate_file = "/usr/local/etc/raddb/certs/server.crt"
>>>     ca_file = "/usr/local/etc/raddb/certs/ca.pem"
>>>     dh_file = "/usr/local/etc/raddb/certs/dh"
>>>     random_file = "/dev/urandom"
>>>     fragment_size = 1024
>>>     include_length = yes
>>>     auto_chain = yes
>>>     check_crl = no
>>>     check_all_crl = no
>>>     cipher_list = "DEFAULT"
>>>     cipher_server_preference = no
>>>     ecdh_curve = "prime256v1"
>>>     tls_max_version = ""
>>>     tls_min_version = "1.0"
>>>     cache {
>>>     enable = no
>>>     lifetime = 24
>>>     max_entries = 255
>>>     }
>>>     verify {
>>>     skip_if_ocsp_ok = no
>>>     }
>>>     ocsp {
>>>     enable = no
>>>     override_cert_url = yes
>>>     url = "http://127.0.0.1/ocsp/"
>>>     use_nonce = yes
>>>     timeout = 0
>>>     softfail = no
>>>     }
>>>    }
>>>    # Linked to sub-module rlm_eap_ttls
>>>    ttls {
>>>     tls = "tls-common"
>>>     default_eap_type = "mschapv2"
>>>     copy_request_to_tunnel = no
>>>     use_tunneled_reply = no
>>>     virtual_server = "inner-tunnel"
>>>     include_length = yes
>>>     require_client_cert = no
>>>    }
>>> tls: Using cached TLS configuration from previous invocation
>>>    # Linked to sub-module rlm_eap_peap
>>>    peap {
>>>     tls = "tls-common"
>>>     default_eap_type = "mschapv2"
>>>     copy_request_to_tunnel = no
>>>     use_tunneled_reply = no
>>>     proxy_tunneled_request_as_eap = yes
>>>     virtual_server = "inner-tunnel"
>>>     soh = no
>>>     require_client_cert = no
>>>    }
>>> tls: Using cached TLS configuration from previous invocation
>>>    # Linked to sub-module rlm_eap_mschapv2
>>>    mschapv2 {
>>>     with_ntdomain_hack = no
>>>     send_error = no
>>>    }
>>>   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
>>>   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>> rlm_mschap (mschap): using internal authentication
>>>   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>>>   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>>>   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>   # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>> rlm_sql_sqlite: libsqlite version: 3.19.3
>>>    sqlite {
>>>     filename = "/var/db/radius/freeradius.db"
>>>     busy_timeout = 200
>>>    }
>>> rlm_sql (sql): Attempting to connect to database "radius"
>>> rlm_sql (sql): Initialising connection pool
>>>    pool {
>>>     start = 5
>>>     min = 3
>>>     max = 32
>>>     spare = 10
>>>     uses = 0
>>>     lifetime = 0
>>>     cleanup_interval = 30
>>>     idle_timeout = 60
>>>     retry_delay = 30
>>>     spread = no
>>>    }
>>> rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>> rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>> rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>> rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>> rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>> rlm_sql (sql): Processing generate_sql_clients
>>> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
>>> rlm_sql (sql): Reserved connection (0)
>>> rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
>>> rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
>>> rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
>>> rlm_sql (sql): Released connection (0)
>>> Need 5 more connections to reach 10 spares
>>> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>  } # modules
>>> radiusd: #### Loading Virtual Servers ####
>>> server { # from file /usr/local/etc/raddb/radiusd.conf
>>> } # server
>>> server default { # from file /usr/local/etc/raddb/sites-enabled/default
>>>  # Loading authenticate {...}
>>>  # Loading authorize {...}
>>>  # Loading preacct {...}
>>>  # Loading accounting {...}
>>>  # Loading post-proxy {...}
>>>  # Loading post-auth {...}
>>> } # server default
>>> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>  # Loading authenticate {...}
>>>  # Loading authorize {...}
>>> Ignoring "ldap" (see raddb/mods-available/README.rst)
>>>  # Loading session {...}
>>>  # Loading post-proxy {...}
>>>  # Loading post-auth {...}
>>>  # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
>>> } # server inner-tunnel
>>> radiusd: #### Opening IP addresses and Ports ####
>>> listen {
>>>   type = "auth"
>>>   ipaddr = *
>>>   port = 0
>>>    limit {
>>>     max_connections = 16
>>>     lifetime = 0
>>>     idle_timeout = 30
>>>    }
>>> }
>>> listen {
>>>   type = "acct"
>>>   ipaddr = *
>>>   port = 0
>>>    limit {
>>>     max_connections = 16
>>>     lifetime = 0
>>>     idle_timeout = 30
>>>    }
>>> }
>>> listen {
>>>   type = "auth"
>>>   ipv6addr = ::
>>>   port = 0
>>>    limit {
>>>     max_connections = 16
>>>     lifetime = 0
>>>     idle_timeout = 30
>>>    }
>>> }
>>> listen {
>>>   type = "acct"
>>>   ipv6addr = ::
>>>   port = 0
>>>    limit {
>>>     max_connections = 16
>>>     lifetime = 0
>>>     idle_timeout = 30
>>>    }
>>> }
>>> listen {
>>>   type = "auth"
>>>   ipaddr = 127.0.0.1
>>>   port = 18120
>>> }
>>> Listening on auth address * port 1812 bound to server default
>>> Listening on acct address * port 1813 bound to server default
>>> Listening on auth address :: port 1812 bound to server default
>>> Listening on acct address :: port 1813 bound to server default
>>> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>>> Listening on proxy address * port 59453
>>> Listening on proxy address :: port 59454
>>> Ready to process requests
>>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>>> (0)   Service-Type = Framed-User
>>> (0)   Framed-Protocol = PPP
>>> (0)   User-Name = "eric"
>>> (0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
>>> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
>>> (0)   NAS-IP-Address = 127.0.1.1
>>> (0)   NAS-Port = 0
>>> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>>> (0)   authorize {
>>> (0)     policy filter_username {
>>> (0)       if (&User-Name) {
>>> (0)       if (&User-Name)  -> TRUE
>>> (0)       if (&User-Name)  {
>>> (0)         if (&User-Name =~ / /) {
>>> (0)         if (&User-Name =~ / /)  -> FALSE
>>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>> (0)         if (&User-Name =~ /\.\./ ) {
>>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>>> (0)         if (&User-Name =~ /\.$/)  {
>>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>>> (0)         if (&User-Name =~ /@\./)  {
>>> (0)         if (&User-Name =~ /@\./)   -> FALSE
>>> (0)       } # if (&User-Name)  = notfound
>>> (0)     } # policy filter_username = notfound
>>> (0)     [preprocess] = ok
>>> (0)     [chap] = noop
>>> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>>> (0)     [mschap] = ok
>>> (0)     [digest] = noop
>>> (0) suffix: Checking for suffix after "@"
>>> (0) suffix: No '@' in User-Name = "eric", looking up realm NULL
>>> (0) suffix: No such realm "NULL"
>>> (0)     [suffix] = noop
>>> (0) eap: No EAP-Message, not doing EAP
>>> (0)     [eap] = noop
>>> (0) files: users: Matched entry DEFAULT at line 181
>>> (0)     [files] = ok
>>> (0) opendirectory: The host 192.168.1.1 does not have an access group.
>>> (0)     [opendirectory] = ok
>>> (0) sql: EXPAND %{User-Name}
>>> (0) sql:    --> eric
>>> (0) sql: SQL-User-Name set to 'eric'
>>> rlm_sql (sql): Reserved connection (1)
>>> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>>> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
>>> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>> (0) sql: User not found in any groups
>>> rlm_sql (sql): Released connection (1)
>>> Need 4 more connections to reach 10 spares
>>> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>> (0)     [sql] = notfound
>>> (0)     [expiration] = noop
>>> (0)     [logintime] = noop
>>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
>>> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
>>> (0)     [pap] = noop
>>> (0)   } # authorize = ok
>>> (0) Found Auth-Type = mschap
>>> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>> (0)   authenticate {
>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>>> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
>>> (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
>>> (0) mschap:   Stepbuf server challenge :
>>> ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
>>> (0) mschap:   Stepbuf peer challenge   :
>>> ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
>>> (0) mschap:   Stepbuf p24              :
>>> 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
>>> (0)     [mschap] = ok
>>> (0)   } # authenticate = ok
>>> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
>>> (0)   post-auth {
>>> (0)     update {
>>> (0)       No attributes updated
>>> (0)     } # update = noop
>>> (0) sql: EXPAND .query
>>> (0) sql:    --> .query
>>> (0) sql: Using query template 'query'
>>> rlm_sql (sql): Reserved connection (2)
>>> (0) sql: EXPAND %{User-Name}
>>> (0) sql:    --> eric
>>> (0) sql: SQL-User-Name set to 'eric'
>>> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
>>> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>> (0) sql: SQL query returned: success
>>> (0) sql: 1 record(s) updated
>>> rlm_sql (sql): Released connection (2)
>>> (0)     [sql] = ok
>>> (0)     [exec] = noop
>>> (0)     policy remove_reply_message_if_eap {
>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>>> (0)       else {
>>> (0)         [noop] = noop
>>> (0)       } # else = noop
>>> (0)     } # policy remove_reply_message_if_eap = noop
>>> (0)   } # post-auth = ok
>>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
>>> (0)   Framed-Protocol = PPP
>>> (0)   Framed-Compression = Van-Jacobson-TCP-IP
>>> (0) Finished request
>>> Waking up in 4.9 seconds.
>>> (0) Cleaning up request packet ID 0 with timestamp +27
>>> Ready to process requests
>>>
>>>
>>>> On Dec 2, 2018, at 9:47 PM, Eric Wittle <[hidden email]> wrote:
>>>>
>>>> I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf, pages 12-16), authentication fails.
>>>>
>>>> I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
>>>>
>>>> Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
>>>>
>>>> Thanks in advance.
>>>>
>>>> -Eric
>>>>
>>>> <debugfile>
>>>>
>>>
>>
>


Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Alan DeKok-2
In reply to this post by Eric Wittle
On Dec 3, 2018, at 6:26 AM, Eric Wittle <[hidden email]> wrote:
>
> OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
>
> Dec  3 2018 06:21:55 123216us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>
> So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.

  The debug log you posted shows that the user was authenticated.  And there was no error.

  Alan DeKok.
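One thing worth checking alongside Alan's reading, as an added example rather than anything from the thread: the 3.0.17 Accept quoted above lists only Framed-Protocol and Framed-Compression, while the 2.2.10 Accept Eric posts next also carries MS-CHAP2-Success, the "S=" authenticator response an MS-CHAPv2 peer verifies before it treats the link as authenticated (RFC 2759 section 8.7; RFC 2548 section 2.3.3). The code below parses the two quoted exchanges, reports which Accept lacks that attribute, and computes what it would have to contain for the quoted request; the password is a constructed placeholder, since the real one is not on the list.

```python
"""MS-CHAPv2 reply check over the two radiusd -X excerpts quoted in this thread (added example, not FreeRADIUS
code).  Packet lines are copied from the thread; the password used at the end is a constructed placeholder."""
import hashlib
import re
import struct

MAGIC1 = b"Magic server to client signing constant"  # RFC 2759 section 8.7
MAGIC2 = b"Pad to make it do more than one iteration"
ATTR_RE = re.compile(r"^(?:\(\d+\)\s+)?\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")
FR3_LOG = """\
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0)   User-Name = "eric"
(0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0)   Framed-Protocol = PPP
(0)   Framed-Compression = Van-Jacobson-TCP-IP
"""
FR2_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
User-Name = "eric"
MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
Sending Access-Accept of id 2 to 192.168.1.1 port 60795
Framed-Protocol = PPP
MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
"""

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds usually hide MD4 from hashlib)."""
    m = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & m
    rounds = (  # boolean function, additive constant, X index for step i, shift table
        (lambda x, y, z: (x & y) | (~x & z), 0, lambda i: i, (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4], (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, idx, shifts in rounds:
            for i in range(16):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx(i)] + k) & m, shifts[i % 4]), b, c
        state = [(s + v) & m for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def authenticator_response(pw_hash, nt_response, peer_challenge, auth_challenge, username) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7): the 'S=...' string the PPP peer verifies."""
    digest = hashlib.sha1(md4(pw_hash) + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge_hash(peer_challenge, auth_challenge, username) + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def parse_mschap2_response(value: bytes) -> dict:
    """MS-CHAP2-Response (RFC 2548 2.3.2): Ident, Flags, Peer-Challenge[16], Reserved[8], Response[24]."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(value))
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18], "nt_response": value[26:50]}

def split_exchange(log: str) -> tuple:
    """Collect request and reply attributes from a radiusd -X excerpt (hex decoded, strings unquoted)."""
    request, reply, current = {}, {}, None
    for line in log.splitlines():
        if "Access-Request" in line:
            current = request
        elif "Access-Accept" in line or "Access-Reject" in line:
            current = reply
        elif current is not None and (m := ATTR_RE.match(line)):
            name, raw = m.groups()
            current[name] = bytes.fromhex(raw[2:]) if raw.startswith("0x") else raw.strip('"').encode()
    return request, reply

def check_mschapv2_accept(log: str) -> dict:
    """Does the Accept carry the MS-CHAP2-Success (RFC 2548 2.3.3: Ident + 'S=' + 40 hex) the NAS needs?"""
    request, reply = split_exchange(log)
    resp = parse_mschap2_response(request["MS-CHAP2-Response"])
    report = {"user": request["User-Name"].decode(), "ident": resp["ident"], "has_success": False}
    success = reply.get("MS-CHAP2-Success", b"")
    if len(success) == 43 and success[1:3] == b"S=":
        report.update(has_success=True, ident_matches=success[0] == resp["ident"],
                      authenticator_response=success[1:].decode("ascii"))
    return report

def expected_success_attribute(log: str, password: str) -> bytes:
    """The MS-CHAP2-Success value an Accept for this request must carry, given the user's password."""
    request, _ = split_exchange(log)
    r = parse_mschap2_response(request["MS-CHAP2-Response"])
    s = authenticator_response(nt_password_hash(password), r["nt_response"], r["peer_challenge"],
                               request["MS-CHAP-Challenge"], request["User-Name"])
    return bytes([r["ident"]]) + s.encode("ascii")
```

Running `check_mschapv2_accept` over the two excerpts gives `has_success: False` for the 3.0.17 exchange and `True` with a matching Ident for 2.2.10; `expected_success_attribute(FR3_LOG, password)` shows the 43-byte value the 3.0.17 reply would need.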



Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
In reply to this post by Eric Wittle
And finally what success and failure look like from the router’s messages log:

Successful authentication with OS X Server’s FreeRADIUS 2.10:

Dec  3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074.  Local: 33742, Remote: 28 (ref=0/0).  LNS session is 'default'
Dec  3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1
Dec  3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0
Dec  3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <-->
Dec  3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
Dec  3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP
Dec  3 12:11:43 ubnt pppd[17357]: local  IP address 10.255.255.0
Dec  3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100
Dec  3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink.
Dec  3 12:12:23 ubnt pppd[17357]: Modem hangup

Failed authentication with manually installed FreeRadius 3:

Dec  3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849.  Local: 23776, Remote: 29 (ref=0/0).  LNS session is 'default'
Dec  3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1
Dec  3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0
Dec  3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <-->
Dec  3 12:13:06 ubnt pppd[17610]:
Dec  3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication
Dec  3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink.
Dec  3 12:13:12 ubnt pppd[17610]: Modem hangup

-Eric

> On Dec 3, 2018, at 6:48 AM, Eric Wittle <[hidden email]> wrote:
>
> In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
>
> -Eric
>
> rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "eric"
> MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
> MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] = ok
> ++[digest] = noop
> [suffix] No '@' in User-Name = "eric", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> [files] users: Matched entry DEFAULT at line 178
> ++[files] = ok
> [opendirectory] The host 192.168.1.1 does not have an access group.
> ++[opendirectory] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] = noop
> +} # group authorize = ok
> Found Auth-Type = MSCHAP
> # Executing group from file /Library/Server/radius/raddb/sites-enabled/default
> +group MS-CHAP {
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: eric
> [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
> [mschap] Using OpenDirectory to authenticate
> [mschap] Doing OD MSCHAPv2 auth
> [mschap] Successful authentication for eric
> ++[mschap] = ok
> +} # group MS-CHAP = ok
> Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net port 0)
> # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
> +group post-auth {
> ++[exec] = noop
> +} # group post-auth = noop
> Sending Access-Accept of id 2 to 192.168.1.1 port 60795
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
> Acct-Session-Id = "5C0514303B2A00"
> User-Name = "eric"
> Acct-Status-Type = Start
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Acct-Authentic = RADIUS
> NAS-Port-Type = Async
> Framed-IP-Address = 192.168.6.100
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Acct-Delay-Time = 0
> # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
> +group preacct {
> ++[preprocess] = ok
> [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
> [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
> [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
> ++[acct_unique] = ok
> [suffix] No '@' in User-Name = "eric", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++[files] = noop
> +} # group preacct = ok
> # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
> +group accounting {
> [detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1
> [detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
> [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
> [detail] expand: %t -> Mon Dec  3 06:32:00 2018
> ++[detail] = ok
> ++[exec] = noop
> [attr_filter.accounting_response] expand: %{User-Name} -> eric
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] = updated
> +} # group accounting = updated
> Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
> Finished request 1.
> Cleaning up request 1 ID 3 with timestamp +23
> Going to the next request
> Waking up in 4.3 seconds.
> Cleaning up request 0 ID 2 with timestamp +22
> Ready to process requests.
>
>> On Dec 3, 2018, at 6:26 AM, Eric Wittle <[hidden email]> wrote:
>>
>> OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
>>
>> Dec  3 2018 06:21:55 123216us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>
>> So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
>>
>> -Eric
>>
>>> On Dec 3, 2018, at 6:14 AM, Eric Wittle <[hidden email]> wrote:
>>>
>>> Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
>>>
>>> The contents of ApplePasswordServer.Error.Log
>>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
>>> -- Start: Server rolled log on: Nov 13 2018 21:17:19 --
>>> Dec  2 2018 14:52:47 819295us    Requested SASL mechanism not loaded: SMB-NT
>>> Dec  2 2018 15:03:43 692394us    Requested SASL mechanism not loaded: SMB-NT
>>> Dec  2 2018 15:07:34 139111us    Requested SASL mechanism not loaded: SMB-NT
>>>
>>> The tail end of ApplePasswordServer.Server.Log
>>>
>>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
>>> Dec  2 2018 14:52:43 233320us    Stopping server processes ...
>>> Dec  2 2018 14:52:43 234062us    Closing all incoming connections ...
>>> Dec  2 2018 14:52:43 234097us    StopCentralThreads: Stopping Connection Listeners ...
>>> Dec  2 2018 14:52:43 234645us    StopCentralThreads: Current Threads: 10
>>> Dec  2 2018 14:52:43 234669us    Stopping Network Processes ...
>>> Dec  2 2018 14:52:43 234682us    Deinitializing networking ...
>>> Dec  2 2018 14:52:43 234701us    Server Processes Stopped ...
>>> Dec  2 2018 14:52:43 234718us    RunAppThread Stopped
>>> Dec  2 2018 14:52:43 234747us    RunAppThread Deleted
>>> Dec  2 2018 14:52:47 755661us    Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec  2 14:52:47 2018
>>> .
>>> Dec  2 2018 14:52:47 755702us    RunAppThread Created
>>> Dec  2 2018 14:52:47 755746us    RunAppThread Started
>>> Dec  2 2018 14:52:47 755760us    Initializing Server Globals ...
>>> Dec  2 2018 14:52:47 768754us    Initializing Networking ...
>>> Dec  2 2018 14:52:47 768819us    Initializing TCP ...
>>> Dec  2 2018 14:52:47 819245us    SASL is using realm "MAIL.WITTLE.NET"
>>> Dec  2 2018 14:52:47 824367us    Starting Central Thread ...
>>> Dec  2 2018 14:52:47 824401us    Starting other server processes ...
>>> Dec  2 2018 14:52:47 824412us    StartCentralThreads: 1 threads to stop
>>> Dec  2 2018 14:52:47 824451us    Initializing TCP ...
>>> Dec  2 2018 14:52:47 824580us    Starting TCP/IP Listener on ethernet interface, port 106
>>> Dec  2 2018 14:52:47 824630us    Starting TCP/IP Listener on ethernet interface, port 3659
>>> Dec  2 2018 14:52:47 824723us    Starting TCP/IP Listener on interface lo0, port 106
>>> Dec  2 2018 14:52:47 824762us    Starting TCP/IP Listener on interface lo0, port 3659
>>> Dec  2 2018 14:52:47 824800us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>> Dec  2 2018 14:52:47 824820us    Starting UNIX domain socket listener /var/run/passwordserver
>>> Dec  2 2018 14:52:47 825558us    Finished starting other server processes ...
>>> Dec  2 2018 14:52:47 825582us    -- Password Server successfully started --
>>> Dec  2 2018 14:52:47 825592us    -- Start time: 0 sec, 74 msec --
>>> Dec  2 2018 15:03:32 701865us    Stopping server processes ...
>>> Dec  2 2018 15:03:32 702676us    Closing all incoming connections ...
>>> Dec  2 2018 15:03:32 702706us    StopCentralThreads: Stopping Connection Listeners ...
>>> Dec  2 2018 15:03:32 703903us    StopCentralThreads: Current Threads: 3
>>> Dec  2 2018 15:03:32 703930us    Stopping Network Processes ...
>>> Dec  2 2018 15:03:32 703944us    Deinitializing networking ...
>>> Dec  2 2018 15:03:32 703960us    Server Processes Stopped ...
>>> Dec  2 2018 15:03:32 703977us    RunAppThread Stopped
>>> Dec  2 2018 15:03:32 703989us    RunAppThread Deleted
>>> Dec  2 2018 15:03:33 705899us    Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec  2 15:03:33 2018
>>> .
>>> Dec  2 2018 15:03:43 644217us    Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec  2 15:03:43 2018
>>> .
>>> Dec  2 2018 15:03:43 644253us    RunAppThread Created
>>> Dec  2 2018 15:03:43 644295us    RunAppThread Started
>>> Dec  2 2018 15:03:43 644316us    Initializing Server Globals ...
>>> Dec  2 2018 15:03:43 677609us    Initializing Networking ...
>>> Dec  2 2018 15:03:43 677736us    Initializing TCP ...
>>> Dec  2 2018 15:03:43 692357us    SASL is using realm "MAIL.WITTLE.NET"
>>> Dec  2 2018 15:03:43 692877us    Starting Central Thread ...
>>> Dec  2 2018 15:03:43 692895us    Starting other server processes ...
>>> Dec  2 2018 15:03:43 692905us    StartCentralThreads: 1 threads to stop
>>> Dec  2 2018 15:03:43 692938us    Initializing TCP ...
>>> Dec  2 2018 15:03:43 693040us    Starting TCP/IP Listener on ethernet interface, port 106
>>> Dec  2 2018 15:03:43 693082us    Starting TCP/IP Listener on ethernet interface, port 3659
>>> Dec  2 2018 15:03:43 693110us    Starting TCP/IP Listener on interface lo0, port 106
>>> Dec  2 2018 15:03:43 693133us    Starting TCP/IP Listener on interface lo0, port 3659
>>> Dec  2 2018 15:03:43 693156us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>> Dec  2 2018 15:03:43 693167us    Starting UNIX domain socket listener /var/run/passwordserver
>>> Dec  2 2018 15:03:43 694190us    Finished starting other server processes ...
>>> Dec  2 2018 15:03:43 694212us    -- Password Server successfully started --
>>> Dec  2 2018 15:03:43 694222us    -- Start time: 0 sec, 54 msec --
>>> Dec  2 2018 15:05:24 289083us    Stopping server processes ...
>>> Dec  2 2018 15:05:24 289128us    Closing all incoming connections ...
>>> Dec  2 2018 15:05:24 289150us    StopCentralThreads: Stopping Connection Listeners ...
>>> Dec  2 2018 15:05:24 290059us    StopCentralThreads: Current Threads: 3
>>> Dec  2 2018 15:05:24 290086us    Stopping Network Processes ...
>>> Dec  2 2018 15:05:24 290098us    Deinitializing networking ...
>>> Dec  2 2018 15:05:24 290113us    Server Processes Stopped ...
>>> Dec  2 2018 15:05:24 290129us    RunAppThread Stopped
>>> Dec  2 2018 15:05:24 290142us    RunAppThread Deleted
>>> Dec  2 2018 15:05:26 221197us    Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec  2 15:05:26 2018
>>> .
>>> Dec  2 2018 15:07:34 103685us    Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec  2 15:07:34 2018
>>> .
>>> Dec  2 2018 15:07:34 103718us    RunAppThread Created
>>> Dec  2 2018 15:07:34 103758us    RunAppThread Started
>>> Dec  2 2018 15:07:34 103779us    Initializing Server Globals ...
>>> Dec  2 2018 15:07:34 118899us    Initializing Networking ...
>>> Dec  2 2018 15:07:34 118961us    Initializing TCP ...
>>> Dec  2 2018 15:07:34 139076us    SASL is using realm "MAIL.WITTLE.NET"
>>> Dec  2 2018 15:07:34 139134us    Starting Central Thread ...
>>> Dec  2 2018 15:07:34 139141us    Starting other server processes ...
>>> Dec  2 2018 15:07:34 139147us    StartCentralThreads: 1 threads to stop
>>> Dec  2 2018 15:07:34 139174us    Initializing TCP ...
>>> Dec  2 2018 15:07:34 139265us    Starting TCP/IP Listener on ethernet interface, port 106
>>> Dec  2 2018 15:07:34 139302us    Starting TCP/IP Listener on ethernet interface, port 3659
>>> Dec  2 2018 15:07:34 139322us    Starting TCP/IP Listener on interface lo0, port 106
>>> Dec  2 2018 15:07:34 139350us    Starting TCP/IP Listener on interface lo0, port 3659
>>> Dec  2 2018 15:07:34 139443us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>> Dec  2 2018 15:07:34 139462us    Starting UNIX domain socket listener /var/run/passwordserver
>>> Dec  2 2018 15:07:34 140156us    Finished starting other server processes ...
>>> Dec  2 2018 15:07:34 140178us    -- Password Server successfully started --
>>> Dec  2 2018 15:07:34 140190us    -- Start time: 0 sec, 41 msec --
>>> Dec  2 2018 20:01:57 945387us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>> Dec  2 2018 20:35:44 395239us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>> Dec  2 2018 20:37:17 158109us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>> Dec  2 2018 20:37:43 63472us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>> Dec  2 2018 21:17:05 402081us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>> Dec  2 2018 21:37:24 961075us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>
>>> It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stopping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
>>>
>>> I’ll take a look and see if radiusconfig is a script…
>>>
>>> -Eric
>>>
>>>> On Dec 3, 2018, at 5:41 AM, Eric Wittle <[hidden email]> wrote:
>>>>
>>>> Pasted this time…
>>>>
>>>> FreeRADIUS Version 3.0.17
>>>> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
>>>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>>>> PARTICULAR PURPOSE
>>>> You may redistribute copies of FreeRADIUS under the terms of the
>>>> GNU General Public License
>>>> For more information about these matters, see the file named COPYRIGHT
>>>> Starting - reading configuration files ...
>>>> including dictionary file /usr/local/share/freeradius/dictionary
>>>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>>>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>>>> including dictionary file /usr/local/etc/raddb/dictionary
>>>> including configuration file /usr/local/etc/raddb/radiusd.conf
>>>> including configuration file /usr/local/etc/raddb/proxy.conf
>>>> including configuration file /usr/local/etc/raddb/clients.conf
>>>> including files in directory /usr/local/etc/raddb/mods-enabled/
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/sql
>>>> including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>>>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>>>> including files in directory /usr/local/etc/raddb/policy.d/
>>>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>>>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>>>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>>>> including configuration file /usr/local/etc/raddb/policy.d/control
>>>> including configuration file /usr/local/etc/raddb/policy.d/cui
>>>> including configuration file /usr/local/etc/raddb/policy.d/debug
>>>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>>>> including configuration file /usr/local/etc/raddb/policy.d/eap
>>>> including configuration file /usr/local/etc/raddb/policy.d/filter
>>>> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>>>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>>>> including files in directory /usr/local/etc/raddb/sites-enabled/
>>>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>>>> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>> main {
>>>>  security {
>>>>   allow_core_dumps = no
>>>>  }
>>>> name = "radiusd"
>>>> prefix = "/usr/local"
>>>> localstatedir = "/var"
>>>> logdir = "/var/log/radius"
>>>> run_dir = "/var/run/radiusd"
>>>> }
>>>> main {
>>>> name = "radiusd"
>>>> prefix = "/usr/local"
>>>> localstatedir = "/var"
>>>> sbindir = "/usr/local/sbin"
>>>> logdir = "/var/log/radius"
>>>> run_dir = "/var/run/radiusd"
>>>> libdir = "/usr/local/lib"
>>>> radacctdir = "/var/log/radius/radacct"
>>>> hostname_lookups = no
>>>> max_request_time = 30
>>>> cleanup_delay = 5
>>>> max_requests = 16384
>>>> pidfile = "/var/run/radiusd/radiusd.pid"
>>>> checkrad = "/usr/local/sbin/checkrad"
>>>> debug_level = 0
>>>> proxy_requests = yes
>>>>  log {
>>>>   stripped_names = no
>>>>   auth = no
>>>>   auth_badpass = no
>>>>   auth_goodpass = no
>>>>   colourise = yes
>>>>   msg_denied = "You are already logged in - access denied"
>>>>  }
>>>>  resources {
>>>>  }
>>>>  security {
>>>>   max_attributes = 200
>>>>   reject_delay = 1.000000
>>>>   status_server = yes
>>>>   allow_vulnerable_openssl = "no"
>>>>  }
>>>> }
>>>> radiusd: #### Loading Realms and Home Servers ####
>>>>  proxy server {
>>>>   retry_delay = 5
>>>>   retry_count = 3
>>>>   default_fallback = no
>>>>   dead_time = 120
>>>>   wake_all_if_all_dead = no
>>>>  }
>>>>  home_server localhost {
>>>>   ipaddr = 127.0.0.1
>>>>   port = 1812
>>>>   type = "auth"
>>>>   secret = <<< secret >>>
>>>>   response_window = 20.000000
>>>>   response_timeouts = 1
>>>>   max_outstanding = 65536
>>>>   zombie_period = 40
>>>>   status_check = "status-server"
>>>>   ping_interval = 30
>>>>   check_interval = 30
>>>>   check_timeout = 4
>>>>   num_answers_to_alive = 3
>>>>   revive_interval = 120
>>>>   limit {
>>>>   max_connections = 16
>>>>   max_requests = 0
>>>>   lifetime = 0
>>>>   idle_timeout = 0
>>>>   }
>>>>   coa {
>>>>   irt = 2
>>>>   mrt = 16
>>>>   mrc = 5
>>>>   mrd = 30
>>>>   }
>>>>  }
>>>>  home_server_pool my_auth_failover {
>>>> type = fail-over
>>>> home_server = localhost
>>>>  }
>>>>  realm example.com {
>>>> auth_pool = my_auth_failover
>>>>  }
>>>>  realm LOCAL {
>>>>  }
>>>> radiusd: #### Loading Clients ####
>>>>  client localhost {
>>>>   ipaddr = 127.0.0.1
>>>>   require_message_authenticator = no
>>>>   secret = <<< secret >>>
>>>>   nas_type = "other"
>>>>   proto = "*"
>>>>   limit {
>>>>   max_connections = 16
>>>>   lifetime = 0
>>>>   idle_timeout = 30
>>>>   }
>>>>  }
>>>>  client localhost_ipv6 {
>>>>   ipv6addr = ::1
>>>>   require_message_authenticator = no
>>>>   secret = <<< secret >>>
>>>>   limit {
>>>>   max_connections = 16
>>>>   lifetime = 0
>>>>   idle_timeout = 30
>>>>   }
>>>>  }
>>>> Debugger not attached
>>>>  # Creating Auth-Type = mschap
>>>>  # Creating Auth-Type = digest
>>>>  # Creating Auth-Type = eap
>>>>  # Creating Auth-Type = PAP
>>>>  # Creating Auth-Type = CHAP
>>>>  # Creating Auth-Type = MS-CHAP
>>>>  # Creating Auth-Type = opendirectory
>>>> radiusd: #### Instantiating modules ####
>>>>  modules {
>>>>   # Loaded module rlm_always
>>>>   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always reject {
>>>>   rcode = "reject"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always fail {
>>>>   rcode = "fail"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always ok {
>>>>   rcode = "ok"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always handled {
>>>>   rcode = "handled"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always invalid {
>>>>   rcode = "invalid"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always userlock {
>>>>   rcode = "userlock"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always notfound {
>>>>   rcode = "notfound"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always noop {
>>>>   rcode = "noop"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   always updated {
>>>>   rcode = "updated"
>>>>   simulcount = 0
>>>>   mpp = no
>>>>   }
>>>>   # Loaded module rlm_attr_filter
>>>>   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>   attr_filter attr_filter.post-proxy {
>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>>>>   key = "%{Realm}"
>>>>   relaxed = no
>>>>   }
>>>>   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>   attr_filter attr_filter.pre-proxy {
>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>>>>   key = "%{Realm}"
>>>>   relaxed = no
>>>>   }
>>>>   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>   attr_filter attr_filter.access_reject {
>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>>>>   key = "%{User-Name}"
>>>>   relaxed = no
>>>>   }
>>>>   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>   attr_filter attr_filter.access_challenge {
>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>>>>   key = "%{User-Name}"
>>>>   relaxed = no
>>>>   }
>>>>   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>   attr_filter attr_filter.accounting_response {
>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>>>>   key = "%{User-Name}"
>>>>   relaxed = no
>>>>   }
>>>>   # Loaded module rlm_cache
>>>>   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>   cache cache_eap {
>>>>   driver = "rlm_cache_rbtree"
>>>>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>>>>   ttl = 15
>>>>   max_entries = 0
>>>>   epoch = 0
>>>>   add_stats = no
>>>>   }
>>>>   # Loaded module rlm_chap
>>>>   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>>>>   # Loaded module rlm_date
>>>>   # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>>>>   date {
>>>>   format = "%b %e %Y %H:%M:%S %Z"
>>>>   utc = no
>>>>   }
>>>>   # Loaded module rlm_detail
>>>>   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>>   detail {
>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>>>   header = "%t"
>>>>   permissions = 384
>>>>   locking = no
>>>>   escape_filenames = no
>>>>   log_packet_header = no
>>>>   }
>>>>   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   detail auth_log {
>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>>>>   header = "%t"
>>>>   permissions = 384
>>>>   locking = no
>>>>   escape_filenames = no
>>>>   log_packet_header = no
>>>>   }
>>>>   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   detail reply_log {
>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>>>>   header = "%t"
>>>>   permissions = 384
>>>>   locking = no
>>>>   escape_filenames = no
>>>>   log_packet_header = no
>>>>   }
>>>>   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   detail pre_proxy_log {
>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>>>>   header = "%t"
>>>>   permissions = 384
>>>>   locking = no
>>>>   escape_filenames = no
>>>>   log_packet_header = no
>>>>   }
>>>>   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   detail post_proxy_log {
>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>>>>   header = "%t"
>>>>   permissions = 384
>>>>   locking = no
>>>>   escape_filenames = no
>>>>   log_packet_header = no
>>>>   }
>>>>   # Loaded module rlm_digest
>>>>   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
>>>>   # Loaded module rlm_dynamic_clients
>>>>   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>>   # Loaded module rlm_eap
>>>>   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>>   eap {
>>>>   default_eap_type = "ttls"
>>>>   timer_expire = 60
>>>>   ignore_unknown_eap_types = no
>>>>   cisco_accounting_username_bug = no
>>>>   max_sessions = 16384
>>>>   }
>>>>   # Loaded module rlm_exec
>>>>   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>>>>   exec echo {
>>>>   wait = yes
>>>>   program = "/bin/echo %{User-Name}"
>>>>   input_pairs = "request"
>>>>   output_pairs = "reply"
>>>>   shell_escape = yes
>>>>   }
>>>>   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>>>>   exec {
>>>>   wait = no
>>>>   input_pairs = "request"
>>>>   shell_escape = yes
>>>>   timeout = 10
>>>>   }
>>>>   # Loaded module rlm_expiration
>>>>   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>>   # Loaded module rlm_expr
>>>>   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>>>>   expr {
>>>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>>>>   }
>>>>   # Loaded module rlm_files
>>>>   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>>   files {
>>>>   filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>>>>   acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
>>>>   preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>>>>   }
>>>>   # Loaded module rlm_linelog
>>>>   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>   linelog {
>>>>   filename = "/var/log/radius/linelog"
>>>>   escape_filenames = no
>>>>   syslog_severity = "info"
>>>>   permissions = 384
>>>>   format = "This is a log message for %{User-Name}"
>>>>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>>>>   }
>>>>   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>   linelog log_accounting {
>>>>   filename = "/var/log/radius/linelog-accounting"
>>>>   escape_filenames = no
>>>>   syslog_severity = "info"
>>>>   permissions = 384
>>>>   format = ""
>>>>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>>>>   }
>>>>   # Loaded module rlm_logintime
>>>>   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>>   logintime {
>>>>   minimum_timeout = 60
>>>>   }
>>>>   # Loaded module rlm_mschap
>>>>   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>>   mschap {
>>>>   use_mppe = yes
>>>>   require_encryption = no
>>>>   require_strong = no
>>>>   with_ntdomain_hack = yes
>>>>    passchange {
>>>>    }
>>>>   allow_retry = yes
>>>>   winbind_retry_with_normalised_username = no
>>>>   use_open_directory = yes
>>>>   }
>>>>   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>>   exec ntlm_auth {
>>>>   wait = yes
>>>>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>>>>   shell_escape = yes
>>>>   }
>>>>   # Loaded module rlm_opendirectory
>>>>   # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>>   # Loaded module rlm_pap
>>>>   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>>   pap {
>>>>   normalise = yes
>>>>   }
>>>>   # Loaded module rlm_passwd
>>>>   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>>   passwd etc_passwd {
>>>>   filename = "/etc/passwd"
>>>>   format = "*User-Name:Crypt-Password:"
>>>>   delimiter = ":"
>>>>   ignore_nislike = no
>>>>   ignore_empty = yes
>>>>   allow_multiple_keys = no
>>>>   hash_size = 100
>>>>   }
>>>>   # Loaded module rlm_preprocess
>>>>   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>   preprocess {
>>>>   huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>>>>   hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>>>>   with_ascend_hack = no
>>>>   ascend_channels_per_line = 23
>>>>   with_ntdomain_hack = no
>>>>   with_specialix_jetstream_hack = no
>>>>   with_cisco_vsa_hack = no
>>>>   with_alvarion_vsa_hack = no
>>>>   }
>>>>   # Loaded module rlm_radutmp
>>>>   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
>>>>   radutmp {
>>>>   filename = "/var/log/radius/radutmp"
>>>>   username = "%{User-Name}"
>>>>   case_sensitive = yes
>>>>   check_with_nas = yes
>>>>   permissions = 384
>>>>   caller_id = yes
>>>>   }
>>>>   # Loaded module rlm_realm
>>>>   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   realm IPASS {
>>>>   format = "prefix"
>>>>   delimiter = "/"
>>>>   ignore_default = no
>>>>   ignore_null = no
>>>>   }
>>>>   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   realm suffix {
>>>>   format = "suffix"
>>>>   delimiter = "@"
>>>>   ignore_default = no
>>>>   ignore_null = no
>>>>   }
>>>>   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   realm realmpercent {
>>>>   format = "suffix"
>>>>   delimiter = "%"
>>>>   ignore_default = no
>>>>   ignore_null = no
>>>>   }
>>>>   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   realm ntdomain {
>>>>   format = "prefix"
>>>>   delimiter = "\\"
>>>>   ignore_default = no
>>>>   ignore_null = no
>>>>   }
>>>>   # Loaded module rlm_replicate
>>>>   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
>>>>   # Loaded module rlm_soh
>>>>   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>>>>   soh {
>>>>   dhcp = yes
>>>>   }
>>>>   # Loaded module rlm_sql
>>>>   # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>>   sql {
>>>>   driver = "rlm_sql_sqlite"
>>>>   server = ""
>>>>   port = 0
>>>>   login = ""
>>>>   password = <<< secret >>>
>>>>   radius_db = "radius"
>>>>   read_groups = yes
>>>>   read_profiles = yes
>>>>   read_clients = yes
>>>>   delete_stale_sessions = yes
>>>>   sql_user_name = "%{User-Name}"
>>>>   default_user_profile = ""
>>>>   client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>>>>   authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>>   authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>>   authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>>   authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>>   group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
>>>>   simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
>>>>   simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
>>>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>>>    accounting {
>>>>     reference = "%{tolower:type.%{Acct-Status-Type}.query}"
>>>>     type {
>>>>      accounting-on {
>>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>>      }
>>>>      accounting-off {
>>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>>      }
>>>>      start {
>>>>       query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
>>>>      }
>>>>      interim-update {
>>>>       query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>>      }
>>>>      stop {
>>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>>      }
>>>>     }
>>>>    }
>>>>    post-auth {
>>>>     reference = ".query"
>>>>     query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
>>>>    }
>>>>   }
>>>> rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
>>>> Creating attribute SQL-Group
>>>>   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>>   radutmp sradutmp {
>>>>   filename = "/var/log/radius/sradutmp"
>>>>   username = "%{User-Name}"
>>>>   case_sensitive = yes
>>>>   check_with_nas = yes
>>>>   permissions = 420
>>>>   caller_id = no
>>>>   }
>>>>   # Loaded module rlm_unix
>>>>   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>>>>   unix {
>>>>   radwtmp = "/var/log/radius/radwtmp"
>>>>   }
>>>> Creating attribute Unix-Group
>>>>   # Loaded module rlm_unpack
>>>>   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
>>>>   # Loaded module rlm_utf8
>>>>   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>>>>   instantiate {
>>>>   }
>>>>   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>>   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
>>>>   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
>>>>   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
>>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
>>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>>>   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
>>>>   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
>>>>   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>>>>   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>>   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>>>>   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>>    # Linked to sub-module rlm_eap_md5
>>>>    # Linked to sub-module rlm_eap_leap
>>>>    # Linked to sub-module rlm_eap_gtc
>>>>    gtc {
>>>>     challenge = "Password: "
>>>>     auth_type = "PAP"
>>>>    }
>>>>    # Linked to sub-module rlm_eap_tls
>>>>    tls {
>>>>     tls = "tls-common"
>>>>    }
>>>>    tls-config tls-common {
>>>>     verify_depth = 0
>>>>     ca_path = "/usr/local/etc/raddb/certs"
>>>>     pem_file_type = yes
>>>>     private_key_file = "/usr/local/etc/raddb/certs/server.key"
>>>>     certificate_file = "/usr/local/etc/raddb/certs/server.crt"
>>>>     ca_file = "/usr/local/etc/raddb/certs/ca.pem"
>>>>     dh_file = "/usr/local/etc/raddb/certs/dh"
>>>>     random_file = "/dev/urandom"
>>>>     fragment_size = 1024
>>>>     include_length = yes
>>>>     auto_chain = yes
>>>>     check_crl = no
>>>>     check_all_crl = no
>>>>     cipher_list = "DEFAULT"
>>>>     cipher_server_preference = no
>>>>     ecdh_curve = "prime256v1"
>>>>     tls_max_version = ""
>>>>     tls_min_version = "1.0"
>>>>     cache {
>>>>     enable = no
>>>>     lifetime = 24
>>>>     max_entries = 255
>>>>     }
>>>>     verify {
>>>>     skip_if_ocsp_ok = no
>>>>     }
>>>>     ocsp {
>>>>     enable = no
>>>>     override_cert_url = yes
>>>>     url = "http://127.0.0.1/ocsp/"
>>>>     use_nonce = yes
>>>>     timeout = 0
>>>>     softfail = no
>>>>     }
>>>>    }
>>>>    # Linked to sub-module rlm_eap_ttls
>>>>    ttls {
>>>>     tls = "tls-common"
>>>>     default_eap_type = "mschapv2"
>>>>     copy_request_to_tunnel = no
>>>>     use_tunneled_reply = no
>>>>     virtual_server = "inner-tunnel"
>>>>     include_length = yes
>>>>     require_client_cert = no
>>>>    }
>>>> tls: Using cached TLS configuration from previous invocation
>>>>    # Linked to sub-module rlm_eap_peap
>>>>    peap {
>>>>     tls = "tls-common"
>>>>     default_eap_type = "mschapv2"
>>>>     copy_request_to_tunnel = no
>>>>     use_tunneled_reply = no
>>>>     proxy_tunneled_request_as_eap = yes
>>>>     virtual_server = "inner-tunnel"
>>>>     soh = no
>>>>     require_client_cert = no
>>>>    }
>>>> tls: Using cached TLS configuration from previous invocation
>>>>    # Linked to sub-module rlm_eap_mschapv2
>>>>    mschapv2 {
>>>>     with_ntdomain_hack = no
>>>>     send_error = no
>>>>    }
>>>>   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>>   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
>>>>   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>>   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>> rlm_mschap (mschap): using internal authentication
>>>>   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>>   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>>>>   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>>>>   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>   # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>> rlm_sql_sqlite: libsqlite version: 3.19.3
>>>>    sqlite {
>>>>     filename = "/var/db/radius/freeradius.db"
>>>>     busy_timeout = 200
>>>>    }
>>>> rlm_sql (sql): Attempting to connect to database "radius"
>>>> rlm_sql (sql): Initialising connection pool
>>>>    pool {
>>>>     start = 5
>>>>     min = 3
>>>>     max = 32
>>>>     spare = 10
>>>>     uses = 0
>>>>     lifetime = 0
>>>>     cleanup_interval = 30
>>>>     idle_timeout = 60
>>>>     retry_delay = 30
>>>>     spread = no
>>>>    }
>>>> rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>> rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>> rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>> rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>> rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>> rlm_sql (sql): Processing generate_sql_clients
>>>> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
>>>> rlm_sql (sql): Reserved connection (0)
>>>> rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
>>>> rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
>>>> rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
>>>> rlm_sql (sql): Released connection (0)
>>>> Need 5 more connections to reach 10 spares
>>>> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>  } # modules
>>>> radiusd: #### Loading Virtual Servers ####
>>>> server { # from file /usr/local/etc/raddb/radiusd.conf
>>>> } # server
>>>> server default { # from file /usr/local/etc/raddb/sites-enabled/default
>>>>  # Loading authenticate {...}
>>>>  # Loading authorize {...}
>>>>  # Loading preacct {...}
>>>>  # Loading accounting {...}
>>>>  # Loading post-proxy {...}
>>>>  # Loading post-auth {...}
>>>> } # server default
>>>> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>>  # Loading authenticate {...}
>>>>  # Loading authorize {...}
>>>> Ignoring "ldap" (see raddb/mods-available/README.rst)
>>>>  # Loading session {...}
>>>>  # Loading post-proxy {...}
>>>>  # Loading post-auth {...}
>>>>  # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
>>>> } # server inner-tunnel
>>>> radiusd: #### Opening IP addresses and Ports ####
>>>> listen {
>>>>   type = "auth"
>>>>   ipaddr = *
>>>>   port = 0
>>>>    limit {
>>>>     max_connections = 16
>>>>     lifetime = 0
>>>>     idle_timeout = 30
>>>>    }
>>>> }
>>>> listen {
>>>>   type = "acct"
>>>>   ipaddr = *
>>>>   port = 0
>>>>    limit {
>>>>     max_connections = 16
>>>>     lifetime = 0
>>>>     idle_timeout = 30
>>>>    }
>>>> }
>>>> listen {
>>>>   type = "auth"
>>>>   ipv6addr = ::
>>>>   port = 0
>>>>    limit {
>>>>     max_connections = 16
>>>>     lifetime = 0
>>>>     idle_timeout = 30
>>>>    }
>>>> }
>>>> listen {
>>>>   type = "acct"
>>>>   ipv6addr = ::
>>>>   port = 0
>>>>    limit {
>>>>     max_connections = 16
>>>>     lifetime = 0
>>>>     idle_timeout = 30
>>>>    }
>>>> }
>>>> listen {
>>>>   type = "auth"
>>>>   ipaddr = 127.0.0.1
>>>>   port = 18120
>>>> }
>>>> Listening on auth address * port 1812 bound to server default
>>>> Listening on acct address * port 1813 bound to server default
>>>> Listening on auth address :: port 1812 bound to server default
>>>> Listening on acct address :: port 1813 bound to server default
>>>> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>>>> Listening on proxy address * port 59453
>>>> Listening on proxy address :: port 59454
>>>> Ready to process requests
>>>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>>>> (0)   Service-Type = Framed-User
>>>> (0)   Framed-Protocol = PPP
>>>> (0)   User-Name = "eric"
>>>> (0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
>>>> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
>>>> (0)   NAS-IP-Address = 127.0.1.1
>>>> (0)   NAS-Port = 0
>>>> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>>>> (0)   authorize {
>>>> (0)     policy filter_username {
>>>> (0)       if (&User-Name) {
>>>> (0)       if (&User-Name)  -> TRUE
>>>> (0)       if (&User-Name)  {
>>>> (0)         if (&User-Name =~ / /) {
>>>> (0)         if (&User-Name =~ / /)  -> FALSE
>>>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>>>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>>> (0)         if (&User-Name =~ /\.\./ ) {
>>>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>>>> (0)         if (&User-Name =~ /\.$/)  {
>>>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>>>> (0)         if (&User-Name =~ /@\./)  {
>>>> (0)         if (&User-Name =~ /@\./)   -> FALSE
>>>> (0)       } # if (&User-Name)  = notfound
>>>> (0)     } # policy filter_username = notfound
>>>> (0)     [preprocess] = ok
>>>> (0)     [chap] = noop
>>>> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>>>> (0)     [mschap] = ok
>>>> (0)     [digest] = noop
>>>> (0) suffix: Checking for suffix after "@"
>>>> (0) suffix: No '@' in User-Name = "eric", looking up realm NULL
>>>> (0) suffix: No such realm "NULL"
>>>> (0)     [suffix] = noop
>>>> (0) eap: No EAP-Message, not doing EAP
>>>> (0)     [eap] = noop
>>>> (0) files: users: Matched entry DEFAULT at line 181
>>>> (0)     [files] = ok
>>>> (0) opendirectory: The host 192.168.1.1 does not have an access group.
>>>> (0)     [opendirectory] = ok
>>>> (0) sql: EXPAND %{User-Name}
>>>> (0) sql:    --> eric
>>>> (0) sql: SQL-User-Name set to 'eric'
>>>> rlm_sql (sql): Reserved connection (1)
>>>> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>>>> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>>> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>>> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
>>>> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>>> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>>> (0) sql: User not found in any groups
>>>> rlm_sql (sql): Released connection (1)
>>>> Need 4 more connections to reach 10 spares
>>>> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>> (0)     [sql] = notfound
>>>> (0)     [expiration] = noop
>>>> (0)     [logintime] = noop
>>>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
>>>> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
>>>> (0)     [pap] = noop
>>>> (0)   } # authorize = ok
>>>> (0) Found Auth-Type = mschap
>>>> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>>> (0)   authenticate {
>>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>>>> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
>>>> (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
>>>> (0) mschap:   Stepbuf server challenge :
>>>> ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
>>>> (0) mschap:   Stepbuf peer challenge   :
>>>> ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
>>>> (0) mschap:   Stepbuf p24              :
>>>> 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
>>>> (0)     [mschap] = ok
>>>> (0)   } # authenticate = ok
>>>> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
>>>> (0)   post-auth {
>>>> (0)     update {
>>>> (0)       No attributes updated
>>>> (0)     } # update = noop
>>>> (0) sql: EXPAND .query
>>>> (0) sql:    --> .query
>>>> (0) sql: Using query template 'query'
>>>> rlm_sql (sql): Reserved connection (2)
>>>> (0) sql: EXPAND %{User-Name}
>>>> (0) sql:    --> eric
>>>> (0) sql: SQL-User-Name set to 'eric'
>>>> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
>>>> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>>> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>>> (0) sql: SQL query returned: success
>>>> (0) sql: 1 record(s) updated
>>>> rlm_sql (sql): Released connection (2)
>>>> (0)     [sql] = ok
>>>> (0)     [exec] = noop
>>>> (0)     policy remove_reply_message_if_eap {
>>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>>>> (0)       else {
>>>> (0)         [noop] = noop
>>>> (0)       } # else = noop
>>>> (0)     } # policy remove_reply_message_if_eap = noop
>>>> (0)   } # post-auth = ok
>>>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
>>>> (0)   Framed-Protocol = PPP
>>>> (0)   Framed-Compression = Van-Jacobson-TCP-IP
>>>> (0) Finished request
>>>> Waking up in 4.9 seconds.
>>>> (0) Cleaning up request packet ID 0 with timestamp +27
>>>> Ready to process requests
>>>>
>>>>
>>>>> On Dec 2, 2018, at 9:47 PM, Eric Wittle <[hidden email]> wrote:
>>>>>
>>>>> I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf, pages 12-16), authentication fails.
>>>>>
>>>>> I see an error: “Sun Dec  2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
>>>>>
>>>>> Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> -Eric
>>>>>
>>>>> <debugfile>
>>>>>
>>>>
>>>
>>
>


Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
I looked over the debug output from attempts that should have succeeded (valid username and password), vs. those that should have failed (invalid password). It seems like the result description is the following for a valid username / password:

(1) Sent Access-Reject Id 10 from 192.168.1.2:1812 to 192.168.1.1:43315 length 20

and this for an invalid password:

(0) Sent Access-Reject Id 9 from 192.168.1.2:1812 to 192.168.1.1:48225 length 20

That seems to imply that FreeRADIUS 3.0.17 is doing the right thing, but somehow the results for the Ubiquiti EdgeRouter VPN authentication are different. Am I reading the log correctly?

I’ve posted in the Ubiquiti forums asking for help there as well, assuming that I’m reading this debug log correctly and authentication is actually succeeding:

https://community.ubnt.com/t5/EdgeRouter/VPN-radius-authentication-incorrectly-failing/m-p/2584939#M230964

I did a quick web search to see if I could log the authentication response to the EdgeRouter, but didn’t find anything that was particularly clear.

Did the authentication response change from 2.2.10 to 3.0.17? I could presumably rebuild and reconfigure with a 2.X version to see if that would be more compatible with the EdgeRouter.

-Eric
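
To help answer the question above about whether the reply changed between 2.2.10 and 3.0.17: the 2.2.10 Access-Accept quoted further down carries an MS-CHAP2-Success attribute, while the 3.0.17 Access-Accept does not, and an MS-CHAPv2 client needs that attribute (the "S=..." authenticator response from RFC 2759) to finish the exchange. The script below is an added example, not code from this thread or from FreeRADIUS; it parses both `radiusd -X` output formats quoted here and flags Access-Accepts that answer an MS-CHAPv2 request without MS-CHAP2-Success. The sample lines are trimmed, constructed excerpts of the two logs quoted in the thread.

```python
import re
from typing import Dict, List, Optional

# Header lines in the two debug formats quoted in this thread; the packet id is always
# the last capture group.
#   3.x: "(0) Received Access-Request Id 0 from ..." / "(0) Sent Access-Accept Id 0 from ..."
#   2.x: "rad_recv: Access-Request packet from host ..., id=2, ..." / "Sending Access-Accept of id 2 to ..."
RECV_V3 = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) ")
RECV_V2 = re.compile(r"^rad_recv: Access-Request packet from host .* id=(\d+),")
SENT_V3 = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id (\d+) ")
SENT_V2 = re.compile(r"^Sending (Access-\w+) of id (\d+) ")
# Attribute lines: "(0)   Framed-Protocol = PPP" (3.x) or "Framed-Protocol = PPP" (2.x).
ATTR = re.compile(r"^(?:\(\d+\)\s+)?([A-Za-z0-9-]+) = (.+)$")
QUOTE = re.compile(r"^(?:>\s*)+")  # mailing-list quote markers, stripped before parsing


def decode_mschap2_success(value: str) -> Optional[str]:
    """Return the 'S=<40 hex digits>' authenticator response carried by an MS-CHAP2-Success
    attribute, or None if it is malformed. Per RFC 2759 the attribute is one Ident byte
    followed by that ASCII string; the PPP client checks it to authenticate the server."""
    if not value.startswith("0x"):
        return None
    raw = bytes.fromhex(value[2:])
    text = raw[1:].decode("ascii", errors="replace")
    return text if len(raw) == 43 and re.fullmatch(r"S=[0-9A-F]{40}", text) else None


def audit_mschap_replies(lines: List[str]) -> List[Dict[str, object]]:
    """Describe every Access-* reply in radiusd -X output: the packet id it answers, whether
    that request carried MS-CHAP2-Response, and the decoded MS-CHAP2-Success (None if absent)."""
    mschapv2_ids = set()
    current_req: Optional[str] = None          # request whose attributes are being read
    reply: Optional[Dict[str, object]] = None  # reply whose attributes are being read
    results: List[Dict[str, object]] = []
    for raw_line in lines:
        line = QUOTE.sub("", raw_line.rstrip("\n"))
        m = RECV_V3.match(line) or RECV_V2.match(line)
        if m:
            current_req, reply = m.group(m.lastindex), None
            continue
        m = SENT_V3.match(line) or SENT_V2.match(line)
        if m:
            code, pkt_id = m.group(m.lastindex - 1), m.group(m.lastindex)
            reply = {"id": pkt_id, "code": code, "mschapv2_request": pkt_id in mschapv2_ids,
                     "mschap2_success": None}
            results.append(reply)
            current_req = None
            continue
        a = ATTR.match(line)
        if not a:
            current_req, reply = None, None  # any non-attribute line ends an attribute list
            continue
        name, value = a.group(1), a.group(2)
        if current_req is not None and name == "MS-CHAP2-Response":
            mschapv2_ids.add(current_req)
        elif reply is not None and name == "MS-CHAP2-Success":
            reply["mschap2_success"] = decode_mschap2_success(value)
    return results


def accepts_missing_success(results: List[Dict[str, object]]) -> List[str]:
    """Ids of Access-Accepts that answer MS-CHAPv2 but omit MS-CHAP2-Success: the NAS (pppd on
    the EdgeRouter here) cannot complete the MS-CHAPv2 exchange, so the client is still refused."""
    return [str(r["id"]) for r in results if r["code"] == "Access-Accept"
            and r["mschapv2_request"] and r["mschap2_success"] is None]


# Constructed samples: trimmed excerpts of the two logs quoted in this thread, quote markers
# kept so the parser can be pointed at the mailing-list text as pasted.
SAMPLE_V3 = """\
>>>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>>>> (0)   User-Name = "eric"
>>>> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
>>>> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>>>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
>>>> (0)   Framed-Protocol = PPP
>>>> (0)   Framed-Compression = Van-Jacobson-TCP-IP
>>>> (0) Finished request
""".splitlines()
SAMPLE_V2 = """\
>> rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
>> User-Name = "eric"
>> MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
>> [mschap] Successful authentication for eric
>> Sending Access-Accept of id 2 to 192.168.1.1 port 60795
>> Framed-Protocol = PPP
>> Framed-Compression = Van-Jacobson-TCP-IP
>> MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
>> Finished request 0.
""".splitlines()

if __name__ == "__main__":
    for label, sample in (("3.0.17", SAMPLE_V3), ("2.2.10", SAMPLE_V2)):
        found = audit_mschap_replies(sample)
        print(label, found, "missing MS-CHAP2-Success:", accepts_missing_success(found))
```

Run it against a full `radiusd -X` capture of a login attempt to see at a glance whether the accept sent back to the router is one the PPP client can actually complete.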

> On Dec 3, 2018, at 7:16 AM, Eric Wittle <[hidden email]> wrote:
>
> And finally what success and failure look like from the router’s messages log:
>
> Successful authentication with OS X Server’s FreeRADIUS 2.10:
>
> Dec  3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074.  Local: 33742, Remote: 28 (ref=0/0).  LNS session is 'default'
> Dec  3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1
> Dec  3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0
> Dec  3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <-->
> Dec  3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
> Dec  3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP
> Dec  3 12:11:43 ubnt pppd[17357]: local  IP address 10.255.255.0
> Dec  3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100
> Dec  3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink.
> Dec  3 12:12:23 ubnt pppd[17357]: Modem hangup
>
> Failed authentication with manually installed FreeRadius 3
>
> Dec  3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849.  Local: 23776, Remote: 29 (ref=0/0).  LNS session is 'default'
> Dec  3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1
> Dec  3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0
> Dec  3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <-->
> Dec  3 12:13:06 ubnt pppd[17610]:
> Dec  3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication
> Dec  3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink.
> Dec  3 12:13:12 ubnt pppd[17610]: Modem hangup
>
> -Eric
>
>> On Dec 3, 2018, at 6:48 AM, Eric Wittle <[hidden email]> wrote:
>>
>> In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
>>
>> -Eric
>>
>> rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "eric"
>> MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
>> MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
>> +group authorize {
>> ++[preprocess] = ok
>> ++[chap] = noop
>> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>> ++[mschap] = ok
>> ++[digest] = noop
>> [suffix] No '@' in User-Name = "eric", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] = noop
>> [files] users: Matched entry DEFAULT at line 178
>> ++[files] = ok
>> [opendirectory] The host 192.168.1.1 does not have an access group.
>> ++[opendirectory] = ok
>> ++[expiration] = noop
>> ++[logintime] = noop
>> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>> ++[pap] = noop
>> +} # group authorize = ok
>> Found Auth-Type = MSCHAP
>> # Executing group from file /Library/Server/radius/raddb/sites-enabled/default
>> +group MS-CHAP {
>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>> [mschap] Creating challenge hash with username: eric
>> [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
>> [mschap] Using OpenDirectory to authenticate
>> [mschap] Doing OD MSCHAPv2 auth
>> [mschap] Successful authentication for eric
>> ++[mschap] = ok
>> +} # group MS-CHAP = ok
>> Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net port 0)
>> # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
>> +group post-auth {
>> ++[exec] = noop
>> +} # group post-auth = noop
>> Sending Access-Accept of id 2 to 192.168.1.1 port 60795
>> Framed-Protocol = PPP
>> Framed-Compression = Van-Jacobson-TCP-IP
>> MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
>> Acct-Session-Id = "5C0514303B2A00"
>> User-Name = "eric"
>> Acct-Status-Type = Start
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Acct-Authentic = RADIUS
>> NAS-Port-Type = Async
>> Framed-IP-Address = 192.168.6.100
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Acct-Delay-Time = 0
>> # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
>> +group preacct {
>> ++[preprocess] = ok
>> [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
>> [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
>> [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
>> ++[acct_unique] = ok
>> [suffix] No '@' in User-Name = "eric", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> ++[files] = noop
>> +} # group preacct = ok
>> # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
>> +group accounting {
>> [detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1
>> [detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
>> [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
>> [detail] expand: %t -> Mon Dec  3 06:32:00 2018
>> ++[detail] = ok
>> ++[exec] = noop
>> [attr_filter.accounting_response] expand: %{User-Name} -> eric
>> attr_filter: Matched entry DEFAULT at line 12
>> ++[attr_filter.accounting_response] = updated
>> +} # group accounting = updated
>> Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
>> Finished request 1.
>> Cleaning up request 1 ID 3 with timestamp +23
>> Going to the next request
>> Waking up in 4.3 seconds.
>> Cleaning up request 0 ID 2 with timestamp +22
>> Ready to process requests.
>>
>>> On Dec 3, 2018, at 6:26 AM, Eric Wittle <[hidden email]> wrote:
>>>
>>> OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
>>>
>>> Dec  3 2018 06:21:55 123216us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>
>>> So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
>>>
>>> -Eric
>>>
>>>> On Dec 3, 2018, at 6:14 AM, Eric Wittle <[hidden email]> wrote:
>>>>
>>>> Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
>>>>
>>>> The contents of ApplePasswordServer.Error.Log
>>>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
>>>> -- Start: Server rolled log on: Nov 13 2018 21:17:19 --
>>>> Dec  2 2018 14:52:47 819295us    Requested SASL mechanism not loaded: SMB-NT
>>>> Dec  2 2018 15:03:43 692394us    Requested SASL mechanism not loaded: SMB-NT
>>>> Dec  2 2018 15:07:34 139111us    Requested SASL mechanism not loaded: SMB-NT
>>>>
>>>> The tail end of ApplePasswordServer.Server.Log
>>>>
>>>> bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
>>>> Dec  2 2018 14:52:43 233320us    Stopping server processes ...
>>>> Dec  2 2018 14:52:43 234062us    Closing all incoming connections ...
>>>> Dec  2 2018 14:52:43 234097us    StopCentralThreads: Stopping Connection Listeners ...
>>>> Dec  2 2018 14:52:43 234645us    StopCentralThreads: Current Threads: 10
>>>> Dec  2 2018 14:52:43 234669us    Stopping Network Processes ...
>>>> Dec  2 2018 14:52:43 234682us    Deinitializing networking ...
>>>> Dec  2 2018 14:52:43 234701us    Server Processes Stopped ...
>>>> Dec  2 2018 14:52:43 234718us    RunAppThread Stopped
>>>> Dec  2 2018 14:52:43 234747us    RunAppThread Deleted
>>>> Dec  2 2018 14:52:47 755661us    Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec  2 14:52:47 2018
>>>> .
>>>> Dec  2 2018 14:52:47 755702us    RunAppThread Created
>>>> Dec  2 2018 14:52:47 755746us    RunAppThread Started
>>>> Dec  2 2018 14:52:47 755760us    Initializing Server Globals ...
>>>> Dec  2 2018 14:52:47 768754us    Initializing Networking ...
>>>> Dec  2 2018 14:52:47 768819us    Initializing TCP ...
>>>> Dec  2 2018 14:52:47 819245us    SASL is using realm "MAIL.WITTLE.NET"
>>>> Dec  2 2018 14:52:47 824367us    Starting Central Thread ...
>>>> Dec  2 2018 14:52:47 824401us    Starting other server processes ...
>>>> Dec  2 2018 14:52:47 824412us    StartCentralThreads: 1 threads to stop
>>>> Dec  2 2018 14:52:47 824451us    Initializing TCP ...
>>>> Dec  2 2018 14:52:47 824580us    Starting TCP/IP Listener on ethernet interface, port 106
>>>> Dec  2 2018 14:52:47 824630us    Starting TCP/IP Listener on ethernet interface, port 3659
>>>> Dec  2 2018 14:52:47 824723us    Starting TCP/IP Listener on interface lo0, port 106
>>>> Dec  2 2018 14:52:47 824762us    Starting TCP/IP Listener on interface lo0, port 3659
>>>> Dec  2 2018 14:52:47 824800us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>>> Dec  2 2018 14:52:47 824820us    Starting UNIX domain socket listener /var/run/passwordserver
>>>> Dec  2 2018 14:52:47 825558us    Finished starting other server processes ...
>>>> Dec  2 2018 14:52:47 825582us    -- Password Server successfully started --
>>>> Dec  2 2018 14:52:47 825592us    -- Start time: 0 sec, 74 msec --
>>>> Dec  2 2018 15:03:32 701865us    Stopping server processes ...
>>>> Dec  2 2018 15:03:32 702676us    Closing all incoming connections ...
>>>> Dec  2 2018 15:03:32 702706us    StopCentralThreads: Stopping Connection Listeners ...
>>>> Dec  2 2018 15:03:32 703903us    StopCentralThreads: Current Threads: 3
>>>> Dec  2 2018 15:03:32 703930us    Stopping Network Processes ...
>>>> Dec  2 2018 15:03:32 703944us    Deinitializing networking ...
>>>> Dec  2 2018 15:03:32 703960us    Server Processes Stopped ...
>>>> Dec  2 2018 15:03:32 703977us    RunAppThread Stopped
>>>> Dec  2 2018 15:03:32 703989us    RunAppThread Deleted
>>>> Dec  2 2018 15:03:33 705899us    Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec  2 15:03:33 2018
>>>> .
>>>> Dec  2 2018 15:03:43 644217us    Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec  2 15:03:43 2018
>>>> .
>>>> Dec  2 2018 15:03:43 644253us    RunAppThread Created
>>>> Dec  2 2018 15:03:43 644295us    RunAppThread Started
>>>> Dec  2 2018 15:03:43 644316us    Initializing Server Globals ...
>>>> Dec  2 2018 15:03:43 677609us    Initializing Networking ...
>>>> Dec  2 2018 15:03:43 677736us    Initializing TCP ...
>>>> Dec  2 2018 15:03:43 692357us    SASL is using realm "MAIL.WITTLE.NET"
>>>> Dec  2 2018 15:03:43 692877us    Starting Central Thread ...
>>>> Dec  2 2018 15:03:43 692895us    Starting other server processes ...
>>>> Dec  2 2018 15:03:43 692905us    StartCentralThreads: 1 threads to stop
>>>> Dec  2 2018 15:03:43 692938us    Initializing TCP ...
>>>> Dec  2 2018 15:03:43 693040us    Starting TCP/IP Listener on ethernet interface, port 106
>>>> Dec  2 2018 15:03:43 693082us    Starting TCP/IP Listener on ethernet interface, port 3659
>>>> Dec  2 2018 15:03:43 693110us    Starting TCP/IP Listener on interface lo0, port 106
>>>> Dec  2 2018 15:03:43 693133us    Starting TCP/IP Listener on interface lo0, port 3659
>>>> Dec  2 2018 15:03:43 693156us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>>> Dec  2 2018 15:03:43 693167us    Starting UNIX domain socket listener /var/run/passwordserver
>>>> Dec  2 2018 15:03:43 694190us    Finished starting other server processes ...
>>>> Dec  2 2018 15:03:43 694212us    -- Password Server successfully started --
>>>> Dec  2 2018 15:03:43 694222us    -- Start time: 0 sec, 54 msec --
>>>> Dec  2 2018 15:05:24 289083us    Stopping server processes ...
>>>> Dec  2 2018 15:05:24 289128us    Closing all incoming connections ...
>>>> Dec  2 2018 15:05:24 289150us    StopCentralThreads: Stopping Connection Listeners ...
>>>> Dec  2 2018 15:05:24 290059us    StopCentralThreads: Current Threads: 3
>>>> Dec  2 2018 15:05:24 290086us    Stopping Network Processes ...
>>>> Dec  2 2018 15:05:24 290098us    Deinitializing networking ...
>>>> Dec  2 2018 15:05:24 290113us    Server Processes Stopped ...
>>>> Dec  2 2018 15:05:24 290129us    RunAppThread Stopped
>>>> Dec  2 2018 15:05:24 290142us    RunAppThread Deleted
>>>> Dec  2 2018 15:05:26 221197us    Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec  2 15:05:26 2018
>>>> .
>>>> Dec  2 2018 15:07:34 103685us    Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec  2 15:07:34 2018
>>>> .
>>>> Dec  2 2018 15:07:34 103718us    RunAppThread Created
>>>> Dec  2 2018 15:07:34 103758us    RunAppThread Started
>>>> Dec  2 2018 15:07:34 103779us    Initializing Server Globals ...
>>>> Dec  2 2018 15:07:34 118899us    Initializing Networking ...
>>>> Dec  2 2018 15:07:34 118961us    Initializing TCP ...
>>>> Dec  2 2018 15:07:34 139076us    SASL is using realm "MAIL.WITTLE.NET"
>>>> Dec  2 2018 15:07:34 139134us    Starting Central Thread ...
>>>> Dec  2 2018 15:07:34 139141us    Starting other server processes ...
>>>> Dec  2 2018 15:07:34 139147us    StartCentralThreads: 1 threads to stop
>>>> Dec  2 2018 15:07:34 139174us    Initializing TCP ...
>>>> Dec  2 2018 15:07:34 139265us    Starting TCP/IP Listener on ethernet interface, port 106
>>>> Dec  2 2018 15:07:34 139302us    Starting TCP/IP Listener on ethernet interface, port 3659
>>>> Dec  2 2018 15:07:34 139322us    Starting TCP/IP Listener on interface lo0, port 106
>>>> Dec  2 2018 15:07:34 139350us    Starting TCP/IP Listener on interface lo0, port 3659
>>>> Dec  2 2018 15:07:34 139443us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
>>>> Dec  2 2018 15:07:34 139462us    Starting UNIX domain socket listener /var/run/passwordserver
>>>> Dec  2 2018 15:07:34 140156us    Finished starting other server processes ...
>>>> Dec  2 2018 15:07:34 140178us    -- Password Server successfully started --
>>>> Dec  2 2018 15:07:34 140190us    -- Start time: 0 sec, 41 msec --
>>>> Dec  2 2018 20:01:57 945387us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 20:35:44 395239us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 20:37:17 158109us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 20:37:43 63472us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 21:17:05 402081us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>> Dec  2 2018 21:37:24 961075us    AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
>>>>
>>>> It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stopping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
>>>>
>>>> I’ll take a look and see if radiusconfig is a script…
>>>>
>>>> -Eric
>>>>
>>>>> On Dec 3, 2018, at 5:41 AM, Eric Wittle <[hidden email]> wrote:
>>>>>
>>>>> Pasted this time…
>>>>>
>>>>> FreeRADIUS Version 3.0.17
>>>>> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
>>>>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>>>>> PARTICULAR PURPOSE
>>>>> You may redistribute copies of FreeRADIUS under the terms of the
>>>>> GNU General Public License
>>>>> For more information about these matters, see the file named COPYRIGHT
>>>>> Starting - reading configuration files ...
>>>>> including dictionary file /usr/local/share/freeradius/dictionary
>>>>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>>>>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>>>>> including dictionary file /usr/local/etc/raddb/dictionary
>>>>> including configuration file /usr/local/etc/raddb/radiusd.conf
>>>>> including configuration file /usr/local/etc/raddb/proxy.conf
>>>>> including configuration file /usr/local/etc/raddb/clients.conf
>>>>> including files in directory /usr/local/etc/raddb/mods-enabled/
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/sql
>>>>> including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>>>>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>>>>> including files in directory /usr/local/etc/raddb/policy.d/
>>>>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>>>>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>>>>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>>>>> including configuration file /usr/local/etc/raddb/policy.d/control
>>>>> including configuration file /usr/local/etc/raddb/policy.d/cui
>>>>> including configuration file /usr/local/etc/raddb/policy.d/debug
>>>>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>>>>> including configuration file /usr/local/etc/raddb/policy.d/eap
>>>>> including configuration file /usr/local/etc/raddb/policy.d/filter
>>>>> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>>>>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>>>>> including files in directory /usr/local/etc/raddb/sites-enabled/
>>>>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>>>>> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>>> main {
>>>>>  security {
>>>>>   allow_core_dumps = no
>>>>>  }
>>>>> name = "radiusd"
>>>>> prefix = "/usr/local"
>>>>> localstatedir = "/var"
>>>>> logdir = "/var/log/radius"
>>>>> run_dir = "/var/run/radiusd"
>>>>> }
>>>>> main {
>>>>> name = "radiusd"
>>>>> prefix = "/usr/local"
>>>>> localstatedir = "/var"
>>>>> sbindir = "/usr/local/sbin"
>>>>> logdir = "/var/log/radius"
>>>>> run_dir = "/var/run/radiusd"
>>>>> libdir = "/usr/local/lib"
>>>>> radacctdir = "/var/log/radius/radacct"
>>>>> hostname_lookups = no
>>>>> max_request_time = 30
>>>>> cleanup_delay = 5
>>>>> max_requests = 16384
>>>>> pidfile = "/var/run/radiusd/radiusd.pid"
>>>>> checkrad = "/usr/local/sbin/checkrad"
>>>>> debug_level = 0
>>>>> proxy_requests = yes
>>>>>  log {
>>>>>   stripped_names = no
>>>>>   auth = no
>>>>>   auth_badpass = no
>>>>>   auth_goodpass = no
>>>>>   colourise = yes
>>>>>   msg_denied = "You are already logged in - access denied"
>>>>>  }
>>>>>  resources {
>>>>>  }
>>>>>  security {
>>>>>   max_attributes = 200
>>>>>   reject_delay = 1.000000
>>>>>   status_server = yes
>>>>>   allow_vulnerable_openssl = "no"
>>>>>  }
>>>>> }
>>>>> radiusd: #### Loading Realms and Home Servers ####
>>>>>  proxy server {
>>>>>   retry_delay = 5
>>>>>   retry_count = 3
>>>>>   default_fallback = no
>>>>>   dead_time = 120
>>>>>   wake_all_if_all_dead = no
>>>>>  }
>>>>>  home_server localhost {
>>>>>   ipaddr = 127.0.0.1
>>>>>   port = 1812
>>>>>   type = "auth"
>>>>>   secret = <<< secret >>>
>>>>>   response_window = 20.000000
>>>>>   response_timeouts = 1
>>>>>   max_outstanding = 65536
>>>>>   zombie_period = 40
>>>>>   status_check = "status-server"
>>>>>   ping_interval = 30
>>>>>   check_interval = 30
>>>>>   check_timeout = 4
>>>>>   num_answers_to_alive = 3
>>>>>   revive_interval = 120
>>>>>   limit {
>>>>>   max_connections = 16
>>>>>   max_requests = 0
>>>>>   lifetime = 0
>>>>>   idle_timeout = 0
>>>>>   }
>>>>>   coa {
>>>>>   irt = 2
>>>>>   mrt = 16
>>>>>   mrc = 5
>>>>>   mrd = 30
>>>>>   }
>>>>>  }
>>>>>  home_server_pool my_auth_failover {
>>>>> type = fail-over
>>>>> home_server = localhost
>>>>>  }
>>>>>  realm example.com {
>>>>> auth_pool = my_auth_failover
>>>>>  }
>>>>>  realm LOCAL {
>>>>>  }
>>>>> radiusd: #### Loading Clients ####
>>>>>  client localhost {
>>>>>   ipaddr = 127.0.0.1
>>>>>   require_message_authenticator = no
>>>>>   secret = <<< secret >>>
>>>>>   nas_type = "other"
>>>>>   proto = "*"
>>>>>   limit {
>>>>>   max_connections = 16
>>>>>   lifetime = 0
>>>>>   idle_timeout = 30
>>>>>   }
>>>>>  }
>>>>>  client localhost_ipv6 {
>>>>>   ipv6addr = ::1
>>>>>   require_message_authenticator = no
>>>>>   secret = <<< secret >>>
>>>>>   limit {
>>>>>   max_connections = 16
>>>>>   lifetime = 0
>>>>>   idle_timeout = 30
>>>>>   }
>>>>>  }
>>>>> Debugger not attached
>>>>>  # Creating Auth-Type = mschap
>>>>>  # Creating Auth-Type = digest
>>>>>  # Creating Auth-Type = eap
>>>>>  # Creating Auth-Type = PAP
>>>>>  # Creating Auth-Type = CHAP
>>>>>  # Creating Auth-Type = MS-CHAP
>>>>>  # Creating Auth-Type = opendirectory
>>>>> radiusd: #### Instantiating modules ####
>>>>>  modules {
>>>>>   # Loaded module rlm_always
>>>>>   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always reject {
>>>>>   rcode = "reject"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always fail {
>>>>>   rcode = "fail"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always ok {
>>>>>   rcode = "ok"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always handled {
>>>>>   rcode = "handled"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always invalid {
>>>>>   rcode = "invalid"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always userlock {
>>>>>   rcode = "userlock"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always notfound {
>>>>>   rcode = "notfound"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always noop {
>>>>>   rcode = "noop"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   always updated {
>>>>>   rcode = "updated"
>>>>>   simulcount = 0
>>>>>   mpp = no
>>>>>   }
>>>>>   # Loaded module rlm_attr_filter
>>>>>   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.post-proxy {
>>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>>>>>   key = "%{Realm}"
>>>>>   relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.pre-proxy {
>>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>>>>>   key = "%{Realm}"
>>>>>   relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.access_reject {
>>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>>>>>   key = "%{User-Name}"
>>>>>   relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.access_challenge {
>>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>>>>>   key = "%{User-Name}"
>>>>>   relaxed = no
>>>>>   }
>>>>>   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>>   attr_filter attr_filter.accounting_response {
>>>>>   filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>>>>>   key = "%{User-Name}"
>>>>>   relaxed = no
>>>>>   }
>>>>>   # Loaded module rlm_cache
>>>>>   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>>   cache cache_eap {
>>>>>   driver = "rlm_cache_rbtree"
>>>>>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>>>>>   ttl = 15
>>>>>   max_entries = 0
>>>>>   epoch = 0
>>>>>   add_stats = no
>>>>>   }
>>>>>   # Loaded module rlm_chap
>>>>>   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>>>>>   # Loaded module rlm_date
>>>>>   # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>>>>>   date {
>>>>>   format = "%b %e %Y %H:%M:%S %Z"
>>>>>   utc = no
>>>>>   }
>>>>>   # Loaded module rlm_detail
>>>>>   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>>>   detail {
>>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>>>>   header = "%t"
>>>>>   permissions = 384
>>>>>   locking = no
>>>>>   escape_filenames = no
>>>>>   log_packet_header = no
>>>>>   }
>>>>>   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail auth_log {
>>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>>>>>   header = "%t"
>>>>>   permissions = 384
>>>>>   locking = no
>>>>>   escape_filenames = no
>>>>>   log_packet_header = no
>>>>>   }
>>>>>   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail reply_log {
>>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>>>>>   header = "%t"
>>>>>   permissions = 384
>>>>>   locking = no
>>>>>   escape_filenames = no
>>>>>   log_packet_header = no
>>>>>   }
>>>>>   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail pre_proxy_log {
>>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>>>>>   header = "%t"
>>>>>   permissions = 384
>>>>>   locking = no
>>>>>   escape_filenames = no
>>>>>   log_packet_header = no
>>>>>   }
>>>>>   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   detail post_proxy_log {
>>>>>   filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>>>>>   header = "%t"
>>>>>   permissions = 384
>>>>>   locking = no
>>>>>   escape_filenames = no
>>>>>   log_packet_header = no
>>>>>   }
>>>>>   # Loaded module rlm_digest
>>>>>   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
>>>>>   # Loaded module rlm_dynamic_clients
>>>>>   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
>>>>>   # Loaded module rlm_eap
>>>>>   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>>>   eap {
>>>>>   default_eap_type = "ttls"
>>>>>   timer_expire = 60
>>>>>   ignore_unknown_eap_types = no
>>>>>   cisco_accounting_username_bug = no
>>>>>   max_sessions = 16384
>>>>>   }
>>>>>   # Loaded module rlm_exec
>>>>>   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>>>>>   exec echo {
>>>>>   wait = yes
>>>>>   program = "/bin/echo %{User-Name}"
>>>>>   input_pairs = "request"
>>>>>   output_pairs = "reply"
>>>>>   shell_escape = yes
>>>>>   }
>>>>>   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>>>>>   exec {
>>>>>   wait = no
>>>>>   input_pairs = "request"
>>>>>   shell_escape = yes
>>>>>   timeout = 10
>>>>>   }
>>>>>   # Loaded module rlm_expiration
>>>>>   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>>>   # Loaded module rlm_expr
>>>>>   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>>>>>   expr {
>>>>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>>>>>   }
>>>>>   # Loaded module rlm_files
>>>>>   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>>>   files {
>>>>>   filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>>>>>   acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
>>>>>   preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>>>>>   }
>>>>>   # Loaded module rlm_linelog
>>>>>   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   linelog {
>>>>>   filename = "/var/log/radius/linelog"
>>>>>   escape_filenames = no
>>>>>   syslog_severity = "info"
>>>>>   permissions = 384
>>>>>   format = "This is a log message for %{User-Name}"
>>>>>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>>>>>   }
>>>>>   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   linelog log_accounting {
>>>>>   filename = "/var/log/radius/linelog-accounting"
>>>>>   escape_filenames = no
>>>>>   syslog_severity = "info"
>>>>>   permissions = 384
>>>>>   format = ""
>>>>>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>>>>>   }
>>>>>   # Loaded module rlm_logintime
>>>>>   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>>>   logintime {
>>>>>   minimum_timeout = 60
>>>>>   }
>>>>>   # Loaded module rlm_mschap
>>>>>   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>>>   mschap {
>>>>>   use_mppe = yes
>>>>>   require_encryption = no
>>>>>   require_strong = no
>>>>>   with_ntdomain_hack = yes
>>>>>    passchange {
>>>>>    }
>>>>>   allow_retry = yes
>>>>>   winbind_retry_with_normalised_username = no
>>>>>   use_open_directory = yes
>>>>>   }
>>>>>   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>>>>>   exec ntlm_auth {
>>>>>   wait = yes
>>>>>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>>>>>   shell_escape = yes
>>>>>   }
>>>>>   # Loaded module rlm_opendirectory
>>>>>   # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
>>>>>   # Loaded module rlm_pap
>>>>>   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>>>   pap {
>>>>>   normalise = yes
>>>>>   }
>>>>>   # Loaded module rlm_passwd
>>>>>   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>>>   passwd etc_passwd {
>>>>>   filename = "/etc/passwd"
>>>>>   format = "*User-Name:Crypt-Password:"
>>>>>   delimiter = ":"
>>>>>   ignore_nislike = no
>>>>>   ignore_empty = yes
>>>>>   allow_multiple_keys = no
>>>>>   hash_size = 100
>>>>>   }
>>>>>   # Loaded module rlm_preprocess
>>>>>   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>>   preprocess {
>>>>>   huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>>>>>   hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>>>>>   with_ascend_hack = no
>>>>>   ascend_channels_per_line = 23
>>>>>   with_ntdomain_hack = no
>>>>>   with_specialix_jetstream_hack = no
>>>>>   with_cisco_vsa_hack = no
>>>>>   with_alvarion_vsa_hack = no
>>>>>   }
>>>>>   # Loaded module rlm_radutmp
>>>>>   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
>>>>>   radutmp {
>>>>>   filename = "/var/log/radius/radutmp"
>>>>>   username = "%{User-Name}"
>>>>>   case_sensitive = yes
>>>>>   check_with_nas = yes
>>>>>   permissions = 384
>>>>>   caller_id = yes
>>>>>   }
>>>>>   # Loaded module rlm_realm
>>>>>   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm IPASS {
>>>>>   format = "prefix"
>>>>>   delimiter = "/"
>>>>>   ignore_default = no
>>>>>   ignore_null = no
>>>>>   }
>>>>>   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm suffix {
>>>>>   format = "suffix"
>>>>>   delimiter = "@"
>>>>>   ignore_default = no
>>>>>   ignore_null = no
>>>>>   }
>>>>>   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm realmpercent {
>>>>>   format = "suffix"
>>>>>   delimiter = "%"
>>>>>   ignore_default = no
>>>>>   ignore_null = no
>>>>>   }
>>>>>   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   realm ntdomain {
>>>>>   format = "prefix"
>>>>>   delimiter = "\\"
>>>>>   ignore_default = no
>>>>>   ignore_null = no
>>>>>   }
>>>>>   # Loaded module rlm_replicate
>>>>>   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
>>>>>   # Loaded module rlm_soh
>>>>>   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>>>>>   soh {
>>>>>   dhcp = yes
>>>>>   }
>>>>>   # Loaded module rlm_sql
>>>>>   # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>>>   sql {
>>>>>   driver = "rlm_sql_sqlite"
>>>>>   server = ""
>>>>>   port = 0
>>>>>   login = ""
>>>>>   password = <<< secret >>>
>>>>>   radius_db = "radius"
>>>>>   read_groups = yes
>>>>>   read_profiles = yes
>>>>>   read_clients = yes
>>>>>   delete_stale_sessions = yes
>>>>>   sql_user_name = "%{User-Name}"
>>>>>   default_user_profile = ""
>>>>>   client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>>>>>   authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>>>   authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
>>>>>   authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>>>   authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
>>>>>   group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
>>>>>   simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
>>>>>   simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
>>>>>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>>>>    accounting {
>>>>>     reference = "%{tolower:type.%{Acct-Status-Type}.query}"
>>>>>     type {
>>>>>      accounting-on {
>>>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>>>      }
>>>>>      accounting-off {
>>>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
>>>>>      }
>>>>>      start {
>>>>>       query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
>>>>>      }
>>>>>      interim-update {
>>>>>       query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>>>      }
>>>>>      stop {
>>>>>       query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
>>>>>      }
>>>>>     }
>>>>>    }
>>>>>    post-auth {
>>>>>     reference = ".query"
>>>>>     query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
>>>>>    }
>>>>>   }
>>>>> rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
>>>>> Creating attribute SQL-Group
>>>>>   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
>>>>>   radutmp sradutmp {
>>>>>   filename = "/var/log/radius/sradutmp"
>>>>>   username = "%{User-Name}"
>>>>>   case_sensitive = yes
>>>>>   check_with_nas = yes
>>>>>   permissions = 420
>>>>>   caller_id = no
>>>>>   }
>>>>>   # Loaded module rlm_unix
>>>>>   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>>>>>   unix {
>>>>>   radwtmp = "/var/log/radius/radwtmp"
>>>>>   }
>>>>> Creating attribute Unix-Group
>>>>>   # Loaded module rlm_unpack
>>>>>   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
>>>>>   # Loaded module rlm_utf8
>>>>>   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>>>>>   instantiate {
>>>>>   }
>>>>>   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
>>>>>   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
>>>>>   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
>>>>>   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
>>>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
>>>>> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>>>>   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
>>>>>   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
>>>>>   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
>>>>> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>>>>>   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
>>>>>   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>>>>>   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
>>>>>   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>>>>>    # Linked to sub-module rlm_eap_md5
>>>>>    # Linked to sub-module rlm_eap_leap
>>>>>    # Linked to sub-module rlm_eap_gtc
>>>>>    gtc {
>>>>>     challenge = "Password: "
>>>>>     auth_type = "PAP"
>>>>>    }
>>>>>    # Linked to sub-module rlm_eap_tls
>>>>>    tls {
>>>>>     tls = "tls-common"
>>>>>    }
>>>>>    tls-config tls-common {
>>>>>     verify_depth = 0
>>>>>     ca_path = "/usr/local/etc/raddb/certs"
>>>>>     pem_file_type = yes
>>>>>     private_key_file = "/usr/local/etc/raddb/certs/server.key"
>>>>>     certificate_file = "/usr/local/etc/raddb/certs/server.crt"
>>>>>     ca_file = "/usr/local/etc/raddb/certs/ca.pem"
>>>>>     dh_file = "/usr/local/etc/raddb/certs/dh"
>>>>>     random_file = "/dev/urandom"
>>>>>     fragment_size = 1024
>>>>>     include_length = yes
>>>>>     auto_chain = yes
>>>>>     check_crl = no
>>>>>     check_all_crl = no
>>>>>     cipher_list = "DEFAULT"
>>>>>     cipher_server_preference = no
>>>>>     ecdh_curve = "prime256v1"
>>>>>     tls_max_version = ""
>>>>>     tls_min_version = "1.0"
>>>>>     cache {
>>>>>     enable = no
>>>>>     lifetime = 24
>>>>>     max_entries = 255
>>>>>     }
>>>>>     verify {
>>>>>     skip_if_ocsp_ok = no
>>>>>     }
>>>>>     ocsp {
>>>>>     enable = no
>>>>>     override_cert_url = yes
>>>>>     url = "http://127.0.0.1/ocsp/"
>>>>>     use_nonce = yes
>>>>>     timeout = 0
>>>>>     softfail = no
>>>>>     }
>>>>>    }
>>>>>    # Linked to sub-module rlm_eap_ttls
>>>>>    ttls {
>>>>>     tls = "tls-common"
>>>>>     default_eap_type = "mschapv2"
>>>>>     copy_request_to_tunnel = no
>>>>>     use_tunneled_reply = no
>>>>>     virtual_server = "inner-tunnel"
>>>>>     include_length = yes
>>>>>     require_client_cert = no
>>>>>    }
>>>>> tls: Using cached TLS configuration from previous invocation
>>>>>    # Linked to sub-module rlm_eap_peap
>>>>>    peap {
>>>>>     tls = "tls-common"
>>>>>     default_eap_type = "mschapv2"
>>>>>     copy_request_to_tunnel = no
>>>>>     use_tunneled_reply = no
>>>>>     proxy_tunneled_request_as_eap = yes
>>>>>     virtual_server = "inner-tunnel"
>>>>>     soh = no
>>>>>     require_client_cert = no
>>>>>    }
>>>>> tls: Using cached TLS configuration from previous invocation
>>>>>    # Linked to sub-module rlm_eap_mschapv2
>>>>>    mschapv2 {
>>>>>     with_ntdomain_hack = no
>>>>>     send_error = no
>>>>>    }
>>>>>   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
>>>>>   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
>>>>>   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
>>>>>   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
>>>>>   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
>>>>> rlm_mschap (mschap): using internal authentication
>>>>>   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>>>>>   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
>>>>> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>>>>>   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>>>>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>>>>>   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
>>>>>   # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
>>>>> rlm_sql_sqlite: libsqlite version: 3.19.3
>>>>>    sqlite {
>>>>>     filename = "/var/db/radius/freeradius.db"
>>>>>     busy_timeout = 200
>>>>>    }
>>>>> rlm_sql (sql): Attempting to connect to database "radius"
>>>>> rlm_sql (sql): Initialising connection pool
>>>>>    pool {
>>>>>     start = 5
>>>>>     min = 3
>>>>>     max = 32
>>>>>     spare = 10
>>>>>     uses = 0
>>>>>     lifetime = 0
>>>>>     cleanup_interval = 30
>>>>>     idle_timeout = 60
>>>>>     retry_delay = 30
>>>>>     spread = no
>>>>>    }
>>>>> rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> rlm_sql (sql): Processing generate_sql_clients
>>>>> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
>>>>> rlm_sql (sql): Reserved connection (0)
>>>>> rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
>>>>> rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
>>>>> rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
>>>>> rlm_sql (sql): Released connection (0)
>>>>> Need 5 more connections to reach 10 spares
>>>>> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>>  } # modules
>>>>> radiusd: #### Loading Virtual Servers ####
>>>>> server { # from file /usr/local/etc/raddb/radiusd.conf
>>>>> } # server
>>>>> server default { # from file /usr/local/etc/raddb/sites-enabled/default
>>>>>  # Loading authenticate {...}
>>>>>  # Loading authorize {...}
>>>>>  # Loading preacct {...}
>>>>>  # Loading accounting {...}
>>>>>  # Loading post-proxy {...}
>>>>>  # Loading post-auth {...}
>>>>> } # server default
>>>>> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
>>>>>  # Loading authenticate {...}
>>>>>  # Loading authorize {...}
>>>>> Ignoring "ldap" (see raddb/mods-available/README.rst)
>>>>>  # Loading session {...}
>>>>>  # Loading post-proxy {...}
>>>>>  # Loading post-auth {...}
>>>>>  # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
>>>>> } # server inner-tunnel
>>>>> radiusd: #### Opening IP addresses and Ports ####
>>>>> listen {
>>>>>   type = "auth"
>>>>>   ipaddr = *
>>>>>   port = 0
>>>>>    limit {
>>>>>     max_connections = 16
>>>>>     lifetime = 0
>>>>>     idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   type = "acct"
>>>>>   ipaddr = *
>>>>>   port = 0
>>>>>    limit {
>>>>>     max_connections = 16
>>>>>     lifetime = 0
>>>>>     idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   type = "auth"
>>>>>   ipv6addr = ::
>>>>>   port = 0
>>>>>    limit {
>>>>>     max_connections = 16
>>>>>     lifetime = 0
>>>>>     idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   type = "acct"
>>>>>   ipv6addr = ::
>>>>>   port = 0
>>>>>    limit {
>>>>>     max_connections = 16
>>>>>     lifetime = 0
>>>>>     idle_timeout = 30
>>>>>    }
>>>>> }
>>>>> listen {
>>>>>   type = "auth"
>>>>>   ipaddr = 127.0.0.1
>>>>>   port = 18120
>>>>> }
>>>>> Listening on auth address * port 1812 bound to server default
>>>>> Listening on acct address * port 1813 bound to server default
>>>>> Listening on auth address :: port 1812 bound to server default
>>>>> Listening on acct address :: port 1813 bound to server default
>>>>> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>>>>> Listening on proxy address * port 59453
>>>>> Listening on proxy address :: port 59454
>>>>> Ready to process requests
>>>>> (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
>>>>> (0)   Service-Type = Framed-User
>>>>> (0)   Framed-Protocol = PPP
>>>>> (0)   User-Name = "eric"
>>>>> (0)   MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
>>>>> (0)   MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
>>>>> (0)   NAS-IP-Address = 127.0.1.1
>>>>> (0)   NAS-Port = 0
>>>>> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>>>>> (0)   authorize {
>>>>> (0)     policy filter_username {
>>>>> (0)       if (&User-Name) {
>>>>> (0)       if (&User-Name)  -> TRUE
>>>>> (0)       if (&User-Name)  {
>>>>> (0)         if (&User-Name =~ / /) {
>>>>> (0)         if (&User-Name =~ / /)  -> FALSE
>>>>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>>>> (0)         if (&User-Name =~ /\.\./ ) {
>>>>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>>>>> (0)         if (&User-Name =~ /\.$/)  {
>>>>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>>>>> (0)         if (&User-Name =~ /@\./)  {
>>>>> (0)         if (&User-Name =~ /@\./)   -> FALSE
>>>>> (0)       } # if (&User-Name)  = notfound
>>>>> (0)     } # policy filter_username = notfound
>>>>> (0)     [preprocess] = ok
>>>>> (0)     [chap] = noop
>>>>> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>>>>> (0)     [mschap] = ok
>>>>> (0)     [digest] = noop
>>>>> (0) suffix: Checking for suffix after "@"
>>>>> (0) suffix: No '@' in User-Name = "eric", looking up realm NULL
>>>>> (0) suffix: No such realm "NULL"
>>>>> (0)     [suffix] = noop
>>>>> (0) eap: No EAP-Message, not doing EAP
>>>>> (0)     [eap] = noop
>>>>> (0) files: users: Matched entry DEFAULT at line 181
>>>>> (0)     [files] = ok
>>>>> (0) opendirectory: The host 192.168.1.1 does not have an access group.
>>>>> (0)     [opendirectory] = ok
>>>>> (0) sql: EXPAND %{User-Name}
>>>>> (0) sql:    --> eric
>>>>> (0) sql: SQL-User-Name set to 'eric'
>>>>> rlm_sql (sql): Reserved connection (1)
>>>>> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>>>>> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>>>> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
>>>>> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
>>>>> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>>>> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
>>>>> (0) sql: User not found in any groups
>>>>> rlm_sql (sql): Released connection (1)
>>>>> Need 4 more connections to reach 10 spares
>>>>> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
>>>>> rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
>>>>> (0)     [sql] = notfound
>>>>> (0)     [expiration] = noop
>>>>> (0)     [logintime] = noop
>>>>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
>>>>> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
>>>>> (0)     [pap] = noop
>>>>> (0)   } # authorize = ok
>>>>> (0) Found Auth-Type = mschap
>>>>> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>>>> (0)   authenticate {
>>>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>>>>> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>>>>> (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
>>>>> (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
>>>>> (0) mschap:   Stepbuf server challenge :
>>>>> ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
>>>>> (0) mschap:   Stepbuf peer challenge   :
>>>>> ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
>>>>> (0) mschap:   Stepbuf p24              :
>>>>> 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
>>>>> (0)     [mschap] = ok
>>>>> (0)   } # authenticate = ok
>>>>> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
>>>>> (0)   post-auth {
>>>>> (0)     update {
>>>>> (0)       No attributes updated
>>>>> (0)     } # update = noop
>>>>> (0) sql: EXPAND .query
>>>>> (0) sql:    --> .query
>>>>> (0) sql: Using query template 'query'
>>>>> rlm_sql (sql): Reserved connection (2)
>>>>> (0) sql: EXPAND %{User-Name}
>>>>> (0) sql:    --> eric
>>>>> (0) sql: SQL-User-Name set to 'eric'
>>>>> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
>>>>> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>>>> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
>>>>> (0) sql: SQL query returned: success
>>>>> (0) sql: 1 record(s) updated
>>>>> rlm_sql (sql): Released connection (2)
>>>>> (0)     [sql] = ok
>>>>> (0)     [exec] = noop
>>>>> (0)     policy remove_reply_message_if_eap {
>>>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>>>>> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>>>>> (0)       else {
>>>>> (0)         [noop] = noop
>>>>> (0)       } # else = noop
>>>>> (0)     } # policy remove_reply_message_if_eap = noop
>>>>> (0)   } # post-auth = ok
>>>>> (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
>>>>> (0)   Framed-Protocol = PPP
>>>>> (0)   Framed-Compression = Van-Jacobson-TCP-IP
>>>>> (0) Finished request
>>>>> Waking up in 4.9 seconds.
>>>>> (0) Cleaning up request packet ID 0 with timestamp +27
>>>>> Ready to process requests

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
OK, I cut out the history on this thread, because I think I’ve narrowed it down. I enabled detail reply logging on both the 2.2.10 install that is working, and the 3.0.17 one that is not. The first response below is from 3.0.17, and the VPN software logs that as a CHAP authentication failure. The second response below is from the 2.2.10 version. I’m guessing at this point (but I have a forum post open on Ubiquiti to confirm) that the missing MS-CHAP2-Success value is the problem.

Mon Dec  3 21:44:12 2018
        Packet-Type = Access-Accept
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Timestamp = 1543891452

Mon Dec  3 21:56:04 2018
        Packet-Type = Access-Accept
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        MS-CHAP2-Success = 0x31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830

Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?

Thanks,

-Eric






Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
And making some progress. In the sites-enabled/default file, added the following to the post-auth section:

       # ELW - Attempting to add the missing attribute I need
        update reply {
               MS-CHAP2-Success := "%{MS-CHAP2-Response}"
        }

Now reply detail looks like:

Mon Dec  3 22:41:33 2018
        Packet-Type = Access-Accept
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5
        Timestamp = 1543894893

And the messages file on the EdgeRouter says the following for an authentication request:

Dec  4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099.  Local: 60667, Remote: 47 (ref=0/0).  LNS session is 'default'
Dec  4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1
Dec  4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0
Dec  4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <-->
Dec  4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet
Dec  4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication
Dec  4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink.
Dec  4 03:41:39 ubnt pppd[7504]: Modem hangup

So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?

I’ve tried to walk through the 2.2.10 configuration looking for where this comes from, with no luck.

-Eric




Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Alan DeKok-2
On Dec 3, 2018, at 10:51 PM, Eric Wittle <[hidden email]> wrote:
>
> And making some progress. In the sites-enabled/default file, added the following to the post-auth section:
>
>       # ELW - Attempting to add the missing attribute I need
>        update reply {
>               MS-CHAP2-Success := "%{MS-CHAP2-Response}"
>        }

   Don't do that.  You can't just invent things and expect them to work.

> Now reply detail looks like:
>
> Mon Dec  3 22:41:33 2018
> Packet-Type = Access-Accept
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5
> Timestamp = 1543894893

  And don't look at that, either.  All of the documentation, etc. says to look at the debug output.

> And the messages file on the EdgeRouter says the following for an authentication request:
>
> Dec  4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099.  Local: 60667, Remote: 47 (ref=0/0).  LNS session is 'default'
> Dec  4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1
> Dec  4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0
> Dec  4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <-->
> Dec  4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet
> Dec  4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication
> Dec  4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink.
> Dec  4 03:41:39 ubnt pppd[7504]: Modem hangup

  And don't look at that, either.  If FreeRADIUS isn't configured correctly, then it won't help to look at the NAS logs.

> So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?

  You get it from a successful authentication.  The MSCHAP module calculates it automatically.

  The short summary is to try to get this working:

a) without using OpenDirectory, but using a static / test password

b) with OpenDirectory, but using radtest to send MS-CHAP packets.

  i.e. skip the NAS entirely.  Just use RADIUS test tools, and look at the RADIUS debug messages.

  Maybe there's a problem with the OpenDirectory integration in v3.  I don't think so, because others use it, and Apple has instructions for using it.  So it should work.

  Alan DeKok.


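As an added example (not code from this thread, and not FreeRADIUS's own rlm_mschap), the following Python shows the two points made above in working code. First, what a NAS such as pppd checks when it rejects a reply with "bad MS-CHAP2-Success packet": RFC 2548 section 2.3.3 lays the attribute out as one Ident byte followed by the 42 character string "S=" plus 40 uppercase hex digits, 43 bytes in all. The accepted 2.2.10 value from the detail log decodes exactly that way, while the copied MS-CHAP2-Response is 50 bytes of Ident, flags, peer challenge, reserved bytes and NT-Response, so no amount of renaming makes it a success attribute. Second, where the 40 hex digits come from: GenerateAuthenticatorResponse() from RFC 2759 section 8.7, which needs the password hash (MD4 of the UTF-16LE password), the NT-Response and both challenges, which is why the mschap module can only produce it after it has verified the response itself. MD4 is implemented inline because hashlib does not always ship it; the test vectors are the ones published in RFC 2759 section 9.2.

```python
"""MS-CHAP2-Success: the layout the NAS checks and the value the server derives."""
import hashlib
import re
import struct

# Values copied from the detail logs posted in this thread.
GOOD_SUCCESS = bytes.fromhex(   # 2.2.10 reply, accepted by the router
    "31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830")
BAD_SUCCESS = bytes.fromhex(    # 3.0.17 reply with MS-CHAP2-Response copied in, rejected
    "9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5")

_SUCCESS_RE = re.compile(rb"^S=[0-9A-F]{40}$")


def parse_mschap2_success(value: bytes):
    """Return (ident, "S=<40 hex>") per RFC 2548 2.3.3, or raise ValueError."""
    if len(value) != 43:
        raise ValueError(f"expected 43 bytes (Ident + 42 char string), got {len(value)}")
    ident, text = value[0], value[1:]
    if not _SUCCESS_RE.match(text):
        raise ValueError("string is not 'S=' followed by 40 uppercase hex digits")
    return ident, text.decode("ascii")


def is_valid_mschap2_success(value: bytes) -> bool:
    try:
        parse_mschap2_success(value)
        return True
    except ValueError:
        return False


# MD4 (RFC 1320), needed for NtPasswordHash and HashNtPasswordHash.
def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl(a + G(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


def generate_authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                                    authenticator_challenge: bytes, username: str) -> str:
    """RFC 2759 section 8.7: the 42 character string carried in MS-CHAP2-Success."""
    password_hash_hash = md4(nt_password_hash(password))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def build_mschap2_success(ident: int, authenticator_response: str) -> bytes:
    """Ident byte taken from the MS-CHAP2-Response, then the 42 byte string."""
    return bytes([ident]) + authenticator_response.encode("ascii")


# RFC 2759 section 9.2 test vectors.
RFC_USER, RFC_PASSWORD = "User", "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    print(parse_mschap2_success(GOOD_SUCCESS))
    print(is_valid_mschap2_success(BAD_SUCCESS))
    print(generate_authenticator_response(RFC_PASSWORD, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                          RFC_AUTH_CHALLENGE, RFC_USER))
```

Running it decodes the 2.2.10 value to Ident 0x31 and "S=1A53AFD01BA042DC7F914D8BEB64711C6466BF80", rejects the 50 byte copied response, and reproduces the RFC's "S=407A5589115FD0D6209F510FE9C04566932CDA56". The thing to take from it is that a server that does not have the password hash (or a backend that returns it, or a backend that performs the whole MS-CHAPv2 exchange and hands back the authenticator response) cannot emit this attribute at all, so an Access-Accept without it points at the authentication backend, not at post-auth.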

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Adam Bishop-2
On 4 Dec 2018, at 03:51, Eric Wittle <[hidden email]> wrote:
>               MS-CHAP2-Success := "%{MS-CHAP2-Response}"

You've put an authentication failure into the success attribute. You can't change a failure into a success just by declaring it to be so.

>> Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?

Have your authentication succeed. It's sent automatically.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk




Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Paul Thornton-2
On 04/12/2018 12:37, Adam Bishop wrote:

> You've put an authentication failure into the success attribute. You can't change a failure into a success just by declaring it to be so.

Oh I don't know - just ask a politician for advice, they're experts at
things like that :)

[With apologies for the totally off-topic response]

Paul.

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
OK, Alan’s recommended approach from the last exchange:

> The short summary is to try to get this working:
>
> a) without using OpenDirectory, but using a static / test password
>

If you look at the “Appendix A” section below, you’ll see the debug output (just the packet part, I skipped the config dump, since I’ve sent it already earlier in this thread). It sure looks to me like a successful authentication against OpenDirectory, because of the following at the end:

“(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0”

Despite that success, the VPN still reports authentication failure. If my install and configuration are already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory? I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.

> b) with OpenDirectory, but using radtest to send MS-CHAP packets.
>
>  i.e. skip the NAS entirely.  Just use RADIUS test tools, and look at the RADIUS debug messages.

OK, I thought I’d try that, since you suggested it, but again I’m not sure what that is supposed to tell me if the debug output of running with an actual request from the VPN is returning a success code. So I tried it. Here’s the command I used:

/usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1

The server debug output showed a failure, but it was because of allegedly a secret mismatch. Here’s the output from the server in debug mode:

"rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81
Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.”

I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client. So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch. Furthermore, because part of the Apple instructions for migrating from their version to the one they recommend people install from OpenSource includes steps to dump the clients data from the existing database and import it into the new database, I still have the tmp file that is generated as part of that process. Here’s the single line from my one client:

1,192.168.1.1,router.wittle.net,other,,<secret>,,

And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.

>  Maybe there's a problem with the OpenDirectory integration in v3.  I don't think so, because others use it, and Apple has instructions for using it.  So it should work.

I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10. You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “--without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it. Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list.

-Eric

Appendix A - Appears to be debug output from a successful authentication
========================================================

Ready to process requests
(1) Received Access-Request Id 45 from 192.168.1.1:59532 to 192.168.1.2:1812 length 132
(1)   Service-Type = Framed-User
(1)   Framed-Protocol = PPP
(1)   User-Name = "eric"
(1)   MS-CHAP-Challenge = 0x2a053a73fcd64ba4fafc59d5e78ab6d5
(1)   MS-CHAP2-Response = 0xa300f17177f7f822865736049dcf49eaf81600000000000000007ffbd34e0a6706395266205ea76afcc927029837596e9dcf
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 0
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(1) auth_log: EXPAND %t
(1) auth_log:    --> Tue Dec  4 07:54:15 2018
(1)     [auth_log] = ok
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "eric", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry DEFAULT at line 181
(1)     [files] = ok
(1) opendirectory: The host 192.168.1.1 does not have an access group.
(1)     [opendirectory] = ok
(1) sql: EXPAND %{User-Name}
(1) sql:    --> eric
(1) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (3)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (3)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(1)     [sql] = notfound
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) Found Auth-Type = mschap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   authenticate {
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(1) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(1) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(1) mschap:   Stepbuf server challenge :
2a053a73fffffffcffffffd64bffffffa4fffffffafffffffc59ffffffd5ffffffe7ffffff8affffffb6ffffffd5
(1) mschap:   Stepbuf peer challenge   :
fffffff17177fffffff7fffffff822ffffff86573604ffffff9dffffffcf49ffffffeafffffff816
(1) mschap:   Stepbuf p24              :
7ffffffffbffffffd34e0a6706395266205effffffa76afffffffcffffffc92702ffffff9837596effffff9dffffffcf
(1)     [mschap] = ok
(1)   } # authenticate = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1)   post-auth {
(1)     update {
(1)       No attributes updated
(1)     } # update = noop
(1) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(1) reply_log:    --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(1) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(1) reply_log: EXPAND %t
(1) reply_log:    --> Tue Dec  4 07:54:15 2018
(1)     [reply_log] = ok
(1) sql: EXPAND .query
(1) sql:    --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND %{User-Name}
(1) sql:    --> eric
(1) sql: SQL-User-Name set to 'eric'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(1) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(1)     [sql] = ok
(1)     [exec] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # post-auth = ok
(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0
(1)   Framed-Protocol = PPP
(1)   Framed-Compression = Van-Jacobson-TCP-IP
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 45 with timestamp +47
Ready to process requests


Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Alan DeKok-2
On Dec 4, 2018, at 8:38 PM, Eric Wittle <[hidden email]> wrote:
> If you look at the “Appendix A” section below, you’ll see the debug output (just the packet part, I skipped the config dump, since I’ve sent it already earlier in this thread). It sure looks to me like a successful authentication against OpenDirectory, because of the following at the end:
>
> “(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
> (1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0”

  That's not good enough.  As you noted earlier, the reply also needs an MS-CHAP-Challenge.  Which it doesn't have.

  So... if you read the debug output, is there an MS-CHAP-Challenge?

> Despite that success, the VPN still reports authentication failure. If my install and configuration is already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory?

  You would be able to track down exactly where the problem is.

  Right now, you have: (a) FreeRADIUS config, (b) correct password, (c) MS-CHAP authentication, (d) OpenDirectory, and (e) the NAS / VPN concentrator.

  Where is the problem?  You don't know.  The usual process to solve a complex problem is to make the problem simpler.  Eventually you narrow the problem down to just one thing.  Which is then either misconfigured, or misbehaving.

  You *cannot* look at just the Access-Accept, and say "well, it's all fine!".  You already know that the VPN is complaining about no MS-CHAP-Challenge.  And if you read the debug output, you know FreeRADIUS isn't sending one.  Which it should.

  So... maybe the issue is OpenDirectory, or the FreeRADIUS to OpenDirectory integration.

> I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.

  I don't disagree.  But you're doing the classic flailing around, without really understanding the problem, or narrowing it down:

- looking at the detail file logs, not the debug logs
- looking at the VPN logs
- etc.

  Don't try a bunch of unrelated / useless things.  Read the debug log.  Narrow down the problem.

>> b) with OpenDirectory, but using radtest to send MS-CHAP packets.
>>
>> i.e. skip the NAS entirely.  Just use RADIUS test tools, and look at the RADIUS debug messages.
>
> OK, I thought I’d try that, since you suggested it, but again I’m not sure what that is supposed to tell me if the debug output of running with an actual request from the VPN is returning a success code. So I tried it. Here’s the command I used:
>
> /usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1

  At this point I'm going to have to ask that you start paying attention.  Running a test with CHAP is *not* the same thing as running a test with MS-CHAP.  They're different.

  And radtest *can* use MS-CHAP.  The "radtest -h" output shows this.

> The server debug output showed a failure, but it was because of allegedly a secret mismatch. Here’s the output from the server in debug mode:
>
> "rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81
> Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.”

  Yes, that's a shared secret error.

> I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client.

  Because it's coming from a different IP address.  Note that if you READ the debug output, it shows that the packet is received from 127.0.0.1.  And not 192.168.1.1.

  AND if you read the "radtest -h" output, you will see that you supplied 127.0.0.1 as the server IP, and 192.168.1.1 as the "nasname".  i.e. NOT the source IP address of the packet.

> So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch.

  Because 127.0.0.1 != 192.168.1.1.

  This should be fairly straightforward.  If you want to send packets FROM 192.168.1.1, then you must send packets FROM that IP.

  If you send packets FROM 127.0.0.1, then you must use the shared secret for 127.0.0.1.  See the "clients.conf" file, and look for the client that defines 127.0.0.1.  When sending packets using "radtest" from localhost, use the shared secret from THAT, and not the shared secret for 192.168.1.1.

> Furthermore, because part of the Apple instructions for migrating from their version to the one they recommend people install from OpenSource includes steps to dump the clients data from the existing database and import it into the new database, I still have the tmp file that is generated as part of that process. Here’s the single line from my one client:
>
> 1,192.168.1.1,router.wittle.net,other,,<secret>,,
>
> And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.

  Which is the wrong shared secret.

  You are going over the same thing repeatedly, without paying attention to how things work.  Please take a step back and pay attention.

>> Maybe there's a problem with the OpenDirectory integration in v3.  I don't think so, because others use it, and Apple has instructions for using it.  So it should work.
>
> I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10. You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “--without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it.

   Those are both typos, and fairly straightforward ones.  They're not errors which *break* things.

> Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list.

  I've been trying to help you.  So far it's not been easy.  You're working *really* hard at doing the wrong thing.  Take a step back.

> Appendix A - Appears to be debug output from a successful authentication
> ========================================================

  And as was noted in earlier messages, it's missing an MS-CHAP-Success attribute in the reply.

  You can't just post the same thing over and over, expecting that it will magically solve the problem.  It won't.

  Read this message a few times.  Take a step back, and *change your approach*.  Do one thing.  If it doesn't work, ask a question.  If it works, do another thing.

  Break the problem down into pieces.  Don't post messages where you try multiple things, and then waste time discovering "bugs", because you got something wrong.  It's frustrating for you, and for us.

  The problem shouldn't be that difficult to track down and/or fix.  But if you waste hours looking at the *wrong shared secret*, those are hours you could have spent more productively.

  Alan DeKok.



Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
In reply to this post by Eric Wittle
And now I’ll resume the path I was originally on.

The problem that is causing my VPN to fail authentication, from comparing the responses outside of debugging, is that 3.0.17 is not returning MS-CHAP2-Success. If we look at opendir.c in rlm_mschap, we see the following code:

        if (status == eDSNoErr) {
                RDEBUG2("ELW: status == eDSNoErr\n");
                if (pStepBuff->fBufferLength > 4) {
                        RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
                        size_t len;

                        memcpy(&len, pStepBuff->fBufferData, sizeof(len));
                        if (len == 40) {
                                RDEBUG2("ELW: len == 40\n");
                                char mschap_reply[42] = { '\0' };
                                pStepBuff->fBufferData[len+4] = '\0';
                                mschap_reply[0] = 'S';
                                mschap_reply[1] = '=';
                                memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len);
                                mschap_add_reply(request, &request->reply->vps,
                                                 *response->vp_strvalue,
                                                 "MS-CHAP2-Success",
                                                 mschap_reply, len+2);
                                RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len);
                        } else {
                                RDEBUG2("ELW: len == %zu\n", len);
                        }
                }
        }

You may notice a few extra lines I added for debugging purposes (text strings with ELW in them). This code seems pretty clearly where MS-CHAP2-Success is supposed to be added to the reply. Below, in the section headed Appendix A, you see the debug output from 3.0.17 with the additional debugging added. It clearly shows that the test “len == 40” is failing during successful authentication, and therefore the MS-CHAP2-Success value is not being added to the reply.

It has been many decades since I did C programming, so this exhausts my ability to debug the problem without digging out my Kernighan & Ritchie, assuming I could find it.

I’ve seen text in various comments that the open directory configuration is owned by Apple, should I assume that opendir.c is owned by them as well? If so, I’ll file a bug with them, and drop back to 2.2.10.

Appendix A
=========

Ready to process requests
(0) Received Access-Request Id 49 from 192.168.1.1:50192 to 192.168.1.2:1812 length 132
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "eric"
(0)   MS-CHAP-Challenge = 0x2865983ecdee941a08a635417c19deb5
(0)   MS-CHAP2-Response = 0x410010c7856c01bf71f1230a236ccd8a535a000000000000000008c485f49f713bcefda1a071a0df4565e3fd316e9c5aa40e
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(0) auth_log: EXPAND %t
(0) auth_log:    --> Tue Dec  4 21:59:38 2018
(0)     [auth_log] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0)     [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 136 seconds
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 136 seconds
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 136 seconds
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 136 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 136 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 136 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (6)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(0) mschap:   Stepbuf server challenge :
2865ffffff983effffffcdffffffeeffffff941a08ffffffa635417c19ffffffdeffffffb5
(0) mschap:   Stepbuf peer challenge   :
10ffffffc7ffffff856c01ffffffbf71fffffff1230a236cffffffcdffffff8a535a
(0) mschap:   Stepbuf p24              :
08ffffffc4ffffff85fffffff4ffffff9f713bffffffcefffffffdffffffa1ffffffa071ffffffa0ffffffdf4565ffffffe3fffffffd316effffff9c5affffffa40e
(0) mschap: ELW: status == eDSNoErr
(0) mschap: ELW: pStepBuff->fBufferLength > 4
(0) mschap: ELW: len == 3978992058181353512
(0)     [mschap] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log:    --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(0) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(0) reply_log: EXPAND %t
(0) reply_log:    --> Tue Dec  4 21:59:38 2018
(0)     [reply_log] = ok
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 21:59:38')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 21:59:38')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(0)     [sql] = ok
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = ok
(0) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(0) Sent Access-Accept Id 49 from 192.168.1.2:1812 to 192.168.1.1:50192 length 0
(0)   Framed-Protocol = PPP
(0)   Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 49 with timestamp +136
Ready to process requests

Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Matthew Newton-3
On Tue, 2018-12-04 at 22:16 -0500, Eric Wittle wrote:
>                 if (pStepBuff->fBufferLength > 4) {
>                   RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
>                         size_t len;


I suspect changing that from uint32_t to size_t has had the unintended
consequences of making it a 64-bit integer on your platform, which
breaks the (len == 40) comparison.

Try changing "size_t len" to "uint32_t len" and see if that fixes it.


> (0) mschap: ELW: len == 3978992058181353512

The lower 32 bits of this value are "40"... the rest is junk.

--
Matthew


Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle
In reply to this post by Eric Wittle
Responding to Matthew (I subscribed with digest enabled, so replying to specific emails is a challenge. Mistake on my part).

Revised section of code is:

        if (status == eDSNoErr) {
                RDEBUG2("ELW: status == eDSNoErr\n");
                if (pStepBuff->fBufferLength > 4) {
                        RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
                        uint32_t len;

                        memcpy(&len, pStepBuff->fBufferData, sizeof(len));
                        RDEBUG2("ELW: sizeof(len) = %lu\n", sizeof(len));
                        RDEBUG2("ELW: value of len is %lu\n", len);
                        if (len == 40) {
                                RDEBUG2("ELW: Inside len == 40\n");
                                char mschap_reply[42] = { '\0' };
                                pStepBuff->fBufferData[len+4] = '\0';
                                mschap_reply[0] = 'S';
                                mschap_reply[1] = '=';
                                memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len);
                                RDEBUG2("About to mschap_add_reply with %s\n", mschap_reply);
                                mschap_add_reply(request, &request->reply->vps,
                                                 *response->vp_strvalue,
                                                 "MS-CHAP2-Success",
                                                 mschap_reply, len+2);
                                RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len);
                        }
                }
        }

That gets me a bit farther (inside the len == 40 check), but then I get a seg fault in the call to mschap_add_reply:

Ready to process requests
(0) Received Access-Request Id 62 from 192.168.1.1:44978 to 192.168.1.2:1812 length 132
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "eric"
(0)   MS-CHAP-Challenge = 0x574ca5b59a8e344553b717024fa20962
(0)   MS-CHAP2-Response = 0x3b0091c88b94ecc81c10752a252fd386ca2b0000000000000000a394fdc9ca017ded44b770f4d01a535f3fe7fee7a1f6df4c
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181205
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181205
(0) auth_log: EXPAND %t
(0) auth_log:    --> Wed Dec  5 08:30:37 2018
(0)     [auth_log] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0)     [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(0) mschap:   Stepbuf server challenge :
574cffffffa5ffffffb5ffffff9affffff8e344553ffffffb717024fffffffa20962
(0) mschap:   Stepbuf peer challenge   :
ffffff91ffffffc8ffffff8bffffff94ffffffecffffffc81c10752a252fffffffd3ffffff86ffffffca2b
(0) mschap:   Stepbuf p24              :
ffffffa3ffffff94fffffffdffffffc9ffffffca017dffffffed44ffffffb770fffffff4ffffffd01a535f3fffffffe7fffffffeffffffe7ffffffa1fffffff6ffffffdf4c
(0) mschap: ELW: status == eDSNoErr
(0) mschap: ELW: pStepBuff->fBufferLength > 4
(0) mschap: ELW: sizeof(len) = 4
(0) mschap: ELW: value of len is 40
(0) mschap: ELW: Inside len == 40
(0) mschap: About to mschap_add_reply with S=B523E9A9A2F00BF04246DD46E1C3BDC1E7F0CA3F????
Segmentation fault: 11




Re: Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Matthew Newton-3
On Wed, 2018-12-05 at 08:36 -0500, Eric Wittle wrote:
> Responding to Matthew (I subscribed with digest enabled, so replying
> to specific emails is a challenge. Mistake on my part).

Try temporarily commenting out this line:


>                                 RDEBUG2("dsDoDirNodeAuth returns
> stepbuff: %s (len=%zu)\n", mschap_reply, len);

(or change the %zu to %ld)

That's the only other line of code in that section that has changed in
~10 years. I can't imagine telling it to print 64 bits when there are
only 32 is going to always end well.

The segfault happens somewhere after your RDEBUG line. Not necessarily
on the very next line, though.

--
Matthew
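As an added illustration of the two points Matthew raises above (reading the 4-byte length prefix into a `size_t` picks up four payload bytes as the high half of the value on a 64-bit build, and a `%zu` conversion with a `uint32_t` argument is a mismatched format), here is a stand-alone C example. It is not code from opendir.c or from the thread; the step-buffer layout (a native-endian 4-byte length followed by the payload), the placeholder hex string and the function names are assumptions made for this example. It also shows a bounds-checked version of the "S=" reply construction, which rejects a prefix that claims more bytes than the buffer actually holds.

```c
/* Added example, not code from rlm_mschap/opendir.c. Buffer layout, sample
 * payload and function names are assumptions constructed for this example. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_RESP_HEX_LEN 40u  /* MS-CHAPv2 authenticator response: 20 bytes as 40 hex chars */

/* Constructed placeholder payload, not a real authenticator response. */
static const char SAMPLE_RESP[] = "0123456789ABCDEF0123456789ABCDEF01234567";

/* Assumed step-buffer layout: 4-byte native-endian length, then the payload. */
static size_t make_stepbuf(unsigned char *buf, size_t cap, uint32_t len, const char *payload)
{
        size_t paylen = strlen(payload);
        if (cap < sizeof(len) + paylen) return 0;
        memcpy(buf, &len, sizeof(len));
        memcpy(buf + sizeof(len), payload, paylen);
        return sizeof(len) + paylen;
}

/* What the debug build in the thread did: memcpy into a size_t copies 8 bytes on
 * LP64, so the first four payload bytes end up in the value as well. */
static uint64_t read_len_as_size_t(const unsigned char *buf, size_t buflen)
{
        size_t len = 0;
        if (buflen < sizeof(len)) return 0;
        memcpy(&len, buf, sizeof(len));
        return (uint64_t)len;
}

/* Correct read: the prefix is a 32-bit field, so copy exactly four bytes. */
static int read_len_as_uint32(const unsigned char *buf, size_t buflen, uint32_t *out)
{
        if (buflen < sizeof(*out)) return -1;
        memcpy(out, buf, sizeof(*out));
        return 0;
}

/* Build the "S=<40 hex>" value. Every access is checked against the real buffer
 * length rather than trusting the prefix. Returns the value length (42) or -1. */
int build_mschap2_success(const unsigned char *buf, size_t buflen, char *out, size_t outlen)
{
        uint32_t len;
        if (read_len_as_uint32(buf, buflen, &len) != 0) return -1;
        if (len != AUTH_RESP_HEX_LEN) return -1;            /* unexpected payload size */
        if (buflen < sizeof(len) + (size_t)len) return -1;  /* prefix claims more than present */
        if (outlen < (size_t)len + 3) return -1;            /* "S=" + payload + NUL */
        out[0] = 'S';
        out[1] = '=';
        memcpy(out + 2, buf + sizeof(len), len);
        out[len + 2] = '\0';
        /* PRIu32 matches a uint32_t argument; "%zu" would expect a size_t. */
        printf("reply: %s (len=%" PRIu32 ")\n", out, len);
        return (int)(len + 2);
}

/* Fixed-input helpers so the results can be checked without any setup. */
uint64_t sample_len_via_size_t(void)
{
        unsigned char buf[64];
        size_t n = make_stepbuf(buf, sizeof(buf), AUTH_RESP_HEX_LEN, SAMPLE_RESP);
        return read_len_as_size_t(buf, n);   /* != 40: payload bytes pollute the value */
}

uint32_t sample_len_via_uint32(void)
{
        unsigned char buf[64];
        uint32_t len = 0;
        size_t n = make_stepbuf(buf, sizeof(buf), AUTH_RESP_HEX_LEN, SAMPLE_RESP);
        read_len_as_uint32(buf, n, &len);
        return len;                          /* 40 */
}

/* 1 if the reply built from the sample is exactly "S=" followed by the payload. */
int sample_reply_matches(void)
{
        unsigned char buf[64];
        char out[48];
        size_t n = make_stepbuf(buf, sizeof(buf), AUTH_RESP_HEX_LEN, SAMPLE_RESP);
        int r = build_mschap2_success(buf, n, out, sizeof(out));
        return r == 42 && out[0] == 'S' && out[1] == '=' && strcmp(out + 2, SAMPLE_RESP) == 0;
}

/* 1 if a prefix of 40 over a payload of only 10 bytes is rejected instead of over-read. */
int sample_truncated_rejected(void)
{
        unsigned char buf[64];
        char out[48];
        size_t n = make_stepbuf(buf, sizeof(buf), AUTH_RESP_HEX_LEN, "0123456789");
        return build_mschap2_success(buf, n, out, sizeof(out)) == -1;
}

int main(void)
{
        printf("size_t read: %" PRIu64 ", uint32_t read: %" PRIu32 "\n",
               sample_len_via_size_t(), sample_len_via_uint32());
        printf("reply ok: %d, truncated rejected: %d\n",
               sample_reply_matches(), sample_truncated_rejected());
        return 0;
}
```

The `size_t` read gives a value whose low or high 32 bits (depending on byte order) hold the real length and the rest hold ASCII from the payload, which is exactly the shape of the `3978992058181353512` seen in the debug output. The bounds checks matter because the original code writes `fBufferData[len+4] = '\0'` and copies `len` bytes on the strength of the prefix alone.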
