FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0

[SOLVED] Authentication with PAM Impossible on docker container #2961

Closed baimard closed 5 years ago

baimard commented 5 years ago

Defect

How to reproduce the issue

Build image with official Dockerfile

or :

FROM debian
RUN apt-get update && apt-get -y upgrade
# FreeRADIUS plus the PAM development headers; libpam-yubico provides the pam_yubico module
RUN apt-get install -y freeradius libpam0g-dev
RUN apt-get install -y libpam-yubico
# enable rlm_pam by linking it into mods-enabled (Debian installs the config under /etc/freeradius/3.0)
RUN ln -s /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam
COPY docker-entrypoint.sh /
RUN chown root:root /docker-entrypoint.sh
RUN chmod 755 /docker-entrypoint.sh
EXPOSE 1812/udp 1813/udp
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["freeradius"]

Output of [radiusd|freeradius] -X showing issue occurring

(you may need to run [radiusd|freeradius] -fxx -l stdout if using eg RADIUS with TLS)

baimard@x-brun:/mnt/rasp/freeradius$ docker-compose up
Creating network "freeradius_default" with the default driver
Creating freeradius_radius_1 ... done
Attaching to freeradius_radius_1
radius_1  | FreeRADIUS Version 3.0.17
radius_1  | Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
radius_1  | There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
radius_1  | PARTICULAR PURPOSE
radius_1  | You may redistribute copies of FreeRADIUS under the terms of the
radius_1  | GNU General Public License
radius_1  | For more information about these matters, see the file named COPYRIGHT
radius_1  | Starting - reading configuration files ...
radius_1  | including dictionary file /usr/share/freeradius/dictionary
radius_1  | including dictionary file /usr/share/freeradius/dictionary.dhcp
radius_1  | including dictionary file /usr/share/freeradius/dictionary.vqp
radius_1  | including dictionary file /etc/freeradius/3.0/dictionary
radius_1  | including configuration file /etc/freeradius/3.0/radiusd.conf
radius_1  | including configuration file /etc/freeradius/3.0/proxy.conf
radius_1  | including configuration file /etc/freeradius/3.0/clients.conf
radius_1  | including files in directory /etc/freeradius/3.0/mods-enabled/
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/expr
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/replicate
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/mschap
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/eap
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/utf8
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/logintime
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/chap
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/expiration
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/always
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/unix
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/exec
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/passwd
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/files
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/linelog
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/digest
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/detail
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/pap
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/soh
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/realm
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/pam
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/unpack
radius_1  | including configuration file /etc/freeradius/3.0/mods-enabled/echo
radius_1  | including files in directory /etc/freeradius/3.0/policy.d/
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/eap
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/dhcp
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/filter
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/operator-name
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/debug
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/cui
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/canonicalization
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/accounting
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/control
radius_1  | including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
radius_1  | including files in directory /etc/freeradius/3.0/sites-enabled/
radius_1  | including configuration file /etc/freeradius/3.0/sites-enabled/default
radius_1  | including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
radius_1  | main {
radius_1  |  security {
radius_1  |     user = "root"
radius_1  |     group = "root"
radius_1  |     allow_core_dumps = no
radius_1  |  }
radius_1  |     name = "freeradius"
radius_1  |     prefix = "/usr"
radius_1  |     localstatedir = "/var"
radius_1  |     logdir = "/var/log/freeradius"
radius_1  |     run_dir = "/var/run/freeradius"
radius_1  | }
radius_1  | main {
radius_1  |     name = "freeradius"
radius_1  |     prefix = "/usr"
radius_1  |     localstatedir = "/var"
radius_1  |     sbindir = "/usr/sbin"
radius_1  |     logdir = "/var/log/freeradius"
radius_1  |     run_dir = "/var/run/freeradius"
radius_1  |     libdir = "/usr/lib/freeradius"
radius_1  |     radacctdir = "/var/log/freeradius/radacct"
radius_1  |     hostname_lookups = no
radius_1  |     max_request_time = 30
radius_1  |     cleanup_delay = 5
radius_1  |     max_requests = 16384
radius_1  |     pidfile = "/var/run/freeradius/freeradius.pid"
radius_1  |     checkrad = "/usr/sbin/checkrad"
radius_1  |     debug_level = 0
radius_1  |     proxy_requests = yes
radius_1  |  log {
radius_1  |     stripped_names = no
radius_1  |     auth = no
radius_1  |     auth_badpass = no
radius_1  |     auth_goodpass = no
radius_1  |     colourise = yes
radius_1  |     msg_denied = "You are already logged in - access denied"
radius_1  |  }
radius_1  |  resources {
radius_1  |  }
radius_1  |  security {
radius_1  |     max_attributes = 200
radius_1  |     reject_delay = 1.000000
radius_1  |     status_server = yes
radius_1  |  }
radius_1  | }
radius_1  | radiusd: #### Loading Realms and Home Servers ####
radius_1  |  proxy server {
radius_1  |     retry_delay = 5
radius_1  |     retry_count = 3
radius_1  |     default_fallback = no
radius_1  |     dead_time = 120
radius_1  |     wake_all_if_all_dead = no
radius_1  |  }
radius_1  |  home_server localhost {
radius_1  |     ipaddr = 127.0.0.1
radius_1  |     port = 1812
radius_1  |     type = "auth"
radius_1  |     secret = <<< secret >>>
radius_1  |     response_window = 20.000000
radius_1  |     response_timeouts = 1
radius_1  |     max_outstanding = 65536
radius_1  |     zombie_period = 40
radius_1  |     status_check = "status-server"
radius_1  |     ping_interval = 30
radius_1  |     check_interval = 30
radius_1  |     check_timeout = 4
radius_1  |     num_answers_to_alive = 3
radius_1  |     revive_interval = 120
radius_1  |   limit {
radius_1  |     max_connections = 16
radius_1  |     max_requests = 0
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 0
radius_1  |   }
radius_1  |   coa {
radius_1  |     irt = 2
radius_1  |     mrt = 16
radius_1  |     mrc = 5
radius_1  |     mrd = 30
radius_1  |   }
radius_1  |  }
radius_1  |  home_server_pool my_auth_failover {
radius_1  |     type = fail-over
radius_1  |     home_server = localhost
radius_1  |  }
radius_1  |  realm example.com {
radius_1  |     auth_pool = my_auth_failover
radius_1  |  }
radius_1  |  realm LOCAL {
radius_1  |  }
radius_1  | radiusd: #### Loading Clients ####
radius_1  |  client dockernet {
radius_1  |     ipaddr = 10.0.0.0/8
radius_1  |     require_message_authenticator = no
radius_1  |     secret = <<< secret >>>
radius_1  |   limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |   }
radius_1  |  }
radius_1  |  client test {
radius_1  |     ipaddr = 192.168.0.0/16
radius_1  |     require_message_authenticator = no
radius_1  |     secret = <<< secret >>>
radius_1  |   limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |   }
radius_1  |  }
radius_1  |  client localhost {
radius_1  |     ipaddr = 127.0.0.1
radius_1  |     require_message_authenticator = no
radius_1  |     secret = <<< secret >>>
radius_1  |     nas_type = "other"
radius_1  |     proto = "*"
radius_1  |   limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |   }
radius_1  |  }
radius_1  | Debug state unknown (cap_sys_ptrace capability not set)
radius_1  |  # Creating Auth-Type = mschap
radius_1  |  # Creating Auth-Type = digest
radius_1  |  # Creating Auth-Type = pam
radius_1  |  # Creating Auth-Type = eap
radius_1  |  # Creating Auth-Type = PAP
radius_1  |  # Creating Auth-Type = CHAP
radius_1  |  # Creating Auth-Type = MS-CHAP
radius_1  | radiusd: #### Instantiating modules ####
radius_1  |  modules {
radius_1  |   # Loaded module rlm_expr
radius_1  |   # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
radius_1  |   expr {
radius_1  |     safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
radius_1  |   }
radius_1  |   # Loaded module rlm_replicate
radius_1  |   # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
radius_1  |   # Loaded module rlm_mschap
radius_1  |   # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
radius_1  |   mschap {
radius_1  |     use_mppe = yes
radius_1  |     require_encryption = no
radius_1  |     require_strong = no
radius_1  |     with_ntdomain_hack = yes
radius_1  |    passchange {
radius_1  |    }
radius_1  |     allow_retry = yes
radius_1  |     winbind_retry_with_normalised_username = no
radius_1  |   }
radius_1  |   # Loaded module rlm_eap
radius_1  |   # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
radius_1  |   eap {
radius_1  |     default_eap_type = "md5"
radius_1  |     timer_expire = 60
radius_1  |     ignore_unknown_eap_types = no
radius_1  |     cisco_accounting_username_bug = no
radius_1  |     max_sessions = 16384
radius_1  |   }
radius_1  |   # Loaded module rlm_preprocess
radius_1  |   # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
radius_1  |   preprocess {
radius_1  |     huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
radius_1  |     hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
radius_1  |     with_ascend_hack = no
radius_1  |     ascend_channels_per_line = 23
radius_1  |     with_ntdomain_hack = no
radius_1  |     with_specialix_jetstream_hack = no
radius_1  |     with_cisco_vsa_hack = no
radius_1  |     with_alvarion_vsa_hack = no
radius_1  |   }
radius_1  |   # Loaded module rlm_radutmp
radius_1  |   # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radius_1  |   radutmp {
radius_1  |     filename = "/var/log/freeradius/radutmp"
radius_1  |     username = "%{User-Name}"
radius_1  |     case_sensitive = yes
radius_1  |     check_with_nas = yes
radius_1  |     permissions = 384
radius_1  |     caller_id = yes
radius_1  |   }
radius_1  |   # Loaded module rlm_utf8
radius_1  |   # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
radius_1  |   # Loaded module rlm_attr_filter
radius_1  |   # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  |   attr_filter attr_filter.post-proxy {
radius_1  |     filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
radius_1  |     key = "%{Realm}"
radius_1  |     relaxed = no
radius_1  |   }
radius_1  |   # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  |   attr_filter attr_filter.pre-proxy {
radius_1  |     filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
radius_1  |     key = "%{Realm}"
radius_1  |     relaxed = no
radius_1  |   }
radius_1  |   # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  |   attr_filter attr_filter.access_reject {
radius_1  |     filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
radius_1  |     key = "%{User-Name}"
radius_1  |     relaxed = no
radius_1  |   }
radius_1  |   # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  |   attr_filter attr_filter.access_challenge {
radius_1  |     filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
radius_1  |     key = "%{User-Name}"
radius_1  |     relaxed = no
radius_1  |   }
radius_1  |   # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  |   attr_filter attr_filter.accounting_response {
radius_1  |     filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
radius_1  |     key = "%{User-Name}"
radius_1  |     relaxed = no
radius_1  |   }
radius_1  |   # Loaded module rlm_logintime
radius_1  |   # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
radius_1  |   logintime {
radius_1  |     minimum_timeout = 60
radius_1  |   }
radius_1  |   # Loaded module rlm_chap
radius_1  |   # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
radius_1  |   # Loaded module rlm_expiration
radius_1  |   # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
radius_1  |   # Loaded module rlm_always
radius_1  |   # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always reject {
radius_1  |     rcode = "reject"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always fail {
radius_1  |     rcode = "fail"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always ok {
radius_1  |     rcode = "ok"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always handled {
radius_1  |     rcode = "handled"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always invalid {
radius_1  |     rcode = "invalid"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always userlock {
radius_1  |     rcode = "userlock"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always notfound {
radius_1  |     rcode = "notfound"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always noop {
radius_1  |     rcode = "noop"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   always updated {
radius_1  |     rcode = "updated"
radius_1  |     simulcount = 0
radius_1  |     mpp = no
radius_1  |   }
radius_1  |   # Loaded module rlm_unix
radius_1  |   # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
radius_1  |   unix {
radius_1  |     radwtmp = "/var/log/freeradius/radwtmp"
radius_1  |   }
radius_1  | Creating attribute Unix-Group
radius_1  |   # Loaded module rlm_exec
radius_1  |   # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
radius_1  |   exec ntlm_auth {
radius_1  |     wait = yes
radius_1  |     program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
radius_1  |     shell_escape = yes
radius_1  |   }
radius_1  |   # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
radius_1  |   exec {
radius_1  |     wait = no
radius_1  |     input_pairs = "request"
radius_1  |     shell_escape = yes
radius_1  |     timeout = 10
radius_1  |   }
radius_1  |   # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radius_1  |   radutmp sradutmp {
radius_1  |     filename = "/var/log/freeradius/sradutmp"
radius_1  |     username = "%{User-Name}"
radius_1  |     case_sensitive = yes
radius_1  |     check_with_nas = yes
radius_1  |     permissions = 420
radius_1  |     caller_id = no
radius_1  |   }
radius_1  |   # Loaded module rlm_passwd
radius_1  |   # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
radius_1  |   passwd etc_passwd {
radius_1  |     filename = "/etc/passwd"
radius_1  |     format = "*User-Name:Crypt-Password:"
radius_1  |     delimiter = ":"
radius_1  |     ignore_nislike = no
radius_1  |     ignore_empty = yes
radius_1  |     allow_multiple_keys = no
radius_1  |     hash_size = 100
radius_1  |   }
radius_1  |   # Loaded module rlm_files
radius_1  |   # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
radius_1  |   files {
radius_1  |     filename = "/etc/freeradius/3.0/mods-config/files/authorize"
radius_1  |     acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
radius_1  |     preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
radius_1  |   }
radius_1  |   # Loaded module rlm_linelog
radius_1  |   # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
radius_1  |   linelog {
radius_1  |     filename = "/var/log/freeradius/linelog"
radius_1  |     escape_filenames = no
radius_1  |     syslog_severity = "info"
radius_1  |     permissions = 384
radius_1  |     format = "This is a log message for %{User-Name}"
radius_1  |     reference = "messages.%{%{reply:Packet-Type}:-default}"
radius_1  |   }
radius_1  |   # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
radius_1  |   linelog log_accounting {
radius_1  |     filename = "/var/log/freeradius/linelog-accounting"
radius_1  |     escape_filenames = no
radius_1  |     syslog_severity = "info"
radius_1  |     permissions = 384
radius_1  |     format = ""
radius_1  |     reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
radius_1  |   }
radius_1  |   # Loaded module rlm_digest
radius_1  |   # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
radius_1  |   # Loaded module rlm_detail
radius_1  |   # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
radius_1  |   detail {
radius_1  |     filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
radius_1  |     header = "%t"
radius_1  |     permissions = 384
radius_1  |     locking = no
radius_1  |     escape_filenames = no
radius_1  |     log_packet_header = no
radius_1  |   }
radius_1  |   # Loaded module rlm_dynamic_clients
radius_1  |   # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
radius_1  |   # Loaded module rlm_pap
radius_1  |   # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
radius_1  |   pap {
radius_1  |     normalise = yes
radius_1  |   }
radius_1  |   # Loaded module rlm_soh
radius_1  |   # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
radius_1  |   soh {
radius_1  |     dhcp = yes
radius_1  |   }
radius_1  |   # Loaded module rlm_realm
radius_1  |   # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   realm IPASS {
radius_1  |     format = "prefix"
radius_1  |     delimiter = "/"
radius_1  |     ignore_default = no
radius_1  |     ignore_null = no
radius_1  |   }
radius_1  |   # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   realm suffix {
radius_1  |     format = "suffix"
radius_1  |     delimiter = "@"
radius_1  |     ignore_default = no
radius_1  |     ignore_null = no
radius_1  |   }
radius_1  |   # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   realm realmpercent {
radius_1  |     format = "suffix"
radius_1  |     delimiter = "%"
radius_1  |     ignore_default = no
radius_1  |     ignore_null = no
radius_1  |   }
radius_1  |   # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   realm ntdomain {
radius_1  |     format = "prefix"
radius_1  |     delimiter = "\\"
radius_1  |     ignore_default = no
radius_1  |     ignore_null = no
radius_1  |   }
radius_1  |   # Loaded module rlm_pam
radius_1  |   # Loading module "pam" from file /etc/freeradius/3.0/mods-enabled/pam
radius_1  |   pam {
radius_1  |     pam_auth = "radiusd"
radius_1  |   }
radius_1  |   # Loaded module rlm_cache
radius_1  |   # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
radius_1  |   cache cache_eap {
radius_1  |     driver = "rlm_cache_rbtree"
radius_1  |     key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
radius_1  |     ttl = 15
radius_1  |     max_entries = 0
radius_1  |     epoch = 0
radius_1  |     add_stats = no
radius_1  |   }
radius_1  |   # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |   detail auth_log {
radius_1  |     filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
radius_1  |     header = "%t"
radius_1  |     permissions = 384
radius_1  |     locking = no
radius_1  |     escape_filenames = no
radius_1  |     log_packet_header = no
radius_1  |   }
radius_1  |   # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |   detail reply_log {
radius_1  |     filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
radius_1  |     header = "%t"
radius_1  |     permissions = 384
radius_1  |     locking = no
radius_1  |     escape_filenames = no
radius_1  |     log_packet_header = no
radius_1  |   }
radius_1  |   # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |   detail pre_proxy_log {
radius_1  |     filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
radius_1  |     header = "%t"
radius_1  |     permissions = 384
radius_1  |     locking = no
radius_1  |     escape_filenames = no
radius_1  |     log_packet_header = no
radius_1  |   }
radius_1  |   # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |   detail post_proxy_log {
radius_1  |     filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
radius_1  |     header = "%t"
radius_1  |     permissions = 384
radius_1  |     locking = no
radius_1  |     escape_filenames = no
radius_1  |     log_packet_header = no
radius_1  |   }
radius_1  |   # Loaded module rlm_unpack
radius_1  |   # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
radius_1  |   # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
radius_1  |   exec echo {
radius_1  |     wait = yes
radius_1  |     program = "/bin/echo %{User-Name}"
radius_1  |     input_pairs = "request"
radius_1  |     output_pairs = "reply"
radius_1  |     shell_escape = yes
radius_1  |   }
radius_1  |   instantiate {
radius_1  |   }
radius_1  |   # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
radius_1  | rlm_mschap (mschap): using internal authentication
radius_1  |   # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
radius_1  |    # Linked to sub-module rlm_eap_md5
radius_1  |    # Linked to sub-module rlm_eap_leap
radius_1  |    # Linked to sub-module rlm_eap_gtc
radius_1  |    gtc {
radius_1  |     challenge = "Password: "
radius_1  |     auth_type = "PAP"
radius_1  |    }
radius_1  |    # Linked to sub-module rlm_eap_tls
radius_1  |    tls {
radius_1  |     tls = "tls-common"
radius_1  |    }
radius_1  |    tls-config tls-common {
radius_1  |     verify_depth = 0
radius_1  |     ca_path = "/etc/freeradius/3.0/certs"
radius_1  |     pem_file_type = yes
radius_1  |     private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
radius_1  |     certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
radius_1  |     ca_file = "/etc/ssl/certs/ca-certificates.crt"
radius_1  |     private_key_password = <<< secret >>>
radius_1  |     dh_file = "/etc/freeradius/3.0/certs/dh"
radius_1  |     fragment_size = 1024
radius_1  |     include_length = yes
radius_1  |     auto_chain = yes
radius_1  |     check_crl = no
radius_1  |     check_all_crl = no
radius_1  |     cipher_list = "DEFAULT"
radius_1  |     cipher_server_preference = no
radius_1  |     ecdh_curve = "prime256v1"
radius_1  |     tls_max_version = ""
radius_1  |     tls_min_version = "1.0"
radius_1  |     cache {
radius_1  |         enable = no
radius_1  |         lifetime = 24
radius_1  |         max_entries = 255
radius_1  |     }
radius_1  |     verify {
radius_1  |         skip_if_ocsp_ok = no
radius_1  |     }
radius_1  |     ocsp {
radius_1  |         enable = no
radius_1  |         override_cert_url = yes
radius_1  |         url = "http://127.0.0.1/ocsp/"
radius_1  |         use_nonce = yes
radius_1  |         timeout = 0
radius_1  |         softfail = no
radius_1  |     }
radius_1  |    }
radius_1  |    # Linked to sub-module rlm_eap_ttls
radius_1  |    ttls {
radius_1  |     tls = "tls-common"
radius_1  |     default_eap_type = "md5"
radius_1  |     copy_request_to_tunnel = no
radius_1  |     use_tunneled_reply = no
radius_1  |     virtual_server = "inner-tunnel"
radius_1  |     include_length = yes
radius_1  |     require_client_cert = no
radius_1  |    }
radius_1  | tls: Using cached TLS configuration from previous invocation
radius_1  |    # Linked to sub-module rlm_eap_peap
radius_1  |    peap {
radius_1  |     tls = "tls-common"
radius_1  |     default_eap_type = "mschapv2"
radius_1  |     copy_request_to_tunnel = no
radius_1  |     use_tunneled_reply = no
radius_1  |     proxy_tunneled_request_as_eap = yes
radius_1  |     virtual_server = "inner-tunnel"
radius_1  |     soh = no
radius_1  |     require_client_cert = no
radius_1  |    }
radius_1  | tls: Using cached TLS configuration from previous invocation
radius_1  |    # Linked to sub-module rlm_eap_mschapv2
radius_1  |    mschapv2 {
radius_1  |     with_ntdomain_hack = no
radius_1  |     send_error = no
radius_1  |    }
radius_1  |   # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
radius_1  |   # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
radius_1  |   # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
radius_1  |   # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
radius_1  | [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"   found in filter list for realm "DEFAULT". 
radius_1  | [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"  found in filter list for realm "DEFAULT". 
radius_1  |   # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
radius_1  |   # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
radius_1  |   # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
radius_1  |   # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
radius_1  |   # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
radius_1  |   # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
radius_1  | rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
radius_1  |   # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
radius_1  | reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
radius_1  |   # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
radius_1  |   # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
radius_1  |   # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
radius_1  |   # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
radius_1  |   # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
radius_1  |   # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
radius_1  | rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
radius_1  |   # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  | rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
radius_1  |   # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |   # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |   # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
radius_1  |  } # modules
radius_1  | radiusd: #### Loading Virtual Servers ####
radius_1  | server { # from file /etc/freeradius/3.0/radiusd.conf
radius_1  | } # server
radius_1  | server default { # from file /etc/freeradius/3.0/sites-enabled/default
radius_1  |  # Loading authenticate {...}
radius_1  |  # Loading authorize {...}
radius_1  | Ignoring "sql" (see raddb/mods-available/README.rst)
radius_1  | Ignoring "ldap" (see raddb/mods-available/README.rst)
radius_1  |  # Loading preacct {...}
radius_1  |  # Loading accounting {...}
radius_1  |  # Loading post-proxy {...}
radius_1  |  # Loading post-auth {...}
radius_1  | } # server default
radius_1  | server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
radius_1  |  # Loading authenticate {...}
radius_1  |  # Loading authorize {...}
radius_1  |  # Loading session {...}
radius_1  |  # Loading post-proxy {...}
radius_1  |  # Loading post-auth {...}
radius_1  |  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331
radius_1  | } # server inner-tunnel
radius_1  | radiusd: #### Opening IP addresses and Ports ####
radius_1  | listen {
radius_1  |     type = "auth"
radius_1  |     ipaddr = *
radius_1  |     port = 0
radius_1  |    limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |    }
radius_1  | }
radius_1  | listen {
radius_1  |     type = "acct"
radius_1  |     ipaddr = *
radius_1  |     port = 0
radius_1  |    limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |    }
radius_1  | }
radius_1  | listen {
radius_1  |     type = "auth"
radius_1  |     ipv6addr = ::
radius_1  |     port = 0
radius_1  |    limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |    }
radius_1  | }
radius_1  | listen {
radius_1  |     type = "acct"
radius_1  |     ipv6addr = ::
radius_1  |     port = 0
radius_1  |    limit {
radius_1  |     max_connections = 16
radius_1  |     lifetime = 0
radius_1  |     idle_timeout = 30
radius_1  |    }
radius_1  | }
radius_1  | listen {
radius_1  |     type = "auth"
radius_1  |     ipaddr = 127.0.0.1
radius_1  |     port = 18120
radius_1  | }
radius_1  | Listening on auth address * port 1812 bound to server default
radius_1  | Listening on acct address * port 1813 bound to server default
radius_1  | Listening on auth address :: port 1812 bound to server default
radius_1  | Listening on acct address :: port 1813 bound to server default
radius_1  | Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
radius_1  | Listening on proxy address * port 52750
radius_1  | Listening on proxy address :: port 51242
radius_1  | Ready to process requests
radius_1  | (0) Received Access-Request Id 133 from 192.168.0.238:50416 to 172.26.0.2:1812 length 109
radius_1  | (0)   User-Name = "baimard"
radius_1  | (0)   User-Password = "vvfbvjgblevccrinkjhchkhludiidddgfkirnkvjjbuk"
radius_1  | (0)   NAS-IP-Address = 127.0.1.1
radius_1  | (0)   NAS-Port = 1812
radius_1  | (0)   Message-Authenticator = 0x55e63e672fa7fad9f8d9f488a0eeff13
radius_1  | (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
radius_1  | (0)   authorize {
radius_1  | (0)     policy filter_username {
radius_1  | (0)       if (&User-Name) {
radius_1  | (0)       if (&User-Name)  -> TRUE
radius_1  | (0)       if (&User-Name)  {
radius_1  | (0)         if (&User-Name =~ / /) {
radius_1  | (0)         if (&User-Name =~ / /)  -> FALSE
radius_1  | (0)         if (&User-Name =~ /@[^@]*@/ ) {
radius_1  | (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
radius_1  | (0)         if (&User-Name =~ /\.\./ ) {
radius_1  | (0)         if (&User-Name =~ /\.\./ )  -> FALSE
radius_1  | (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
radius_1  | (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
radius_1  | (0)         if (&User-Name =~ /\.$/)  {
radius_1  | (0)         if (&User-Name =~ /\.$/)   -> FALSE
radius_1  | (0)         if (&User-Name =~ /@\./)  {
radius_1  | (0)         if (&User-Name =~ /@\./)   -> FALSE
radius_1  | (0)       } # if (&User-Name)  = notfound
radius_1  | (0)     } # policy filter_username = notfound
radius_1  | (0)     [preprocess] = ok
radius_1  | (0)     [chap] = noop
radius_1  | (0)     [mschap] = noop
radius_1  | (0)     [digest] = noop
radius_1  | (0) suffix: Checking for suffix after "@"
radius_1  | (0) suffix: No '@' in User-Name = "baimard", looking up realm NULL
radius_1  | (0) suffix: No such realm "NULL"
radius_1  | (0)     [suffix] = noop
radius_1  | (0) eap: No EAP-Message, not doing EAP
radius_1  | (0)     [eap] = noop
radius_1  | (0) files: users: Matched entry DEFAULT at line 88
radius_1  | (0)     [files] = ok
radius_1  | (0)     [expiration] = noop
radius_1  | (0)     [logintime] = noop
radius_1  | (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
radius_1  | (0) pap: WARNING: Authentication will fail unless a "known good" password is available
radius_1  | (0)     [pap] = noop
radius_1  | (0)   } # authorize = ok
radius_1  | (0) Found Auth-Type = pam
radius_1  | (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
radius_1  | (0)   Auth-Type PAM {
radius_1  | (0) pam: Using pamauth string "radiusd" for pam.conf lookup
radius_1  | debug: ../pam_yubico.c:838 (parse_cfg): called.
radius_1  | debug: ../pam_yubico.c:839 (parse_cfg): flags 0 argc 3
radius_1  | debug: ../pam_yubico.c:841 (parse_cfg): argv[0]=id=16
radius_1  | debug: ../pam_yubico.c:841 (parse_cfg): argv[1]=debug
radius_1  | debug: ../pam_yubico.c:841 (parse_cfg): argv[2]=authfile=/etc/yubikey_mappings
radius_1  | debug: ../pam_yubico.c:842 (parse_cfg): id=16
radius_1  | debug: ../pam_yubico.c:843 (parse_cfg): key=(null)
radius_1  | debug: ../pam_yubico.c:844 (parse_cfg): debug=1
radius_1  | debug: ../pam_yubico.c:845 (parse_cfg): debug_file=1
radius_1  | debug: ../pam_yubico.c:846 (parse_cfg): alwaysok=0
radius_1  | debug: ../pam_yubico.c:847 (parse_cfg): verbose_otp=0
radius_1  | debug: ../pam_yubico.c:848 (parse_cfg): try_first_pass=0
radius_1  | debug: ../pam_yubico.c:849 (parse_cfg): use_first_pass=0
radius_1  | debug: ../pam_yubico.c:850 (parse_cfg): nullok=0
radius_1  | debug: ../pam_yubico.c:851 (parse_cfg): authfile=/etc/yubikey_mappings
radius_1  | debug: ../pam_yubico.c:852 (parse_cfg): ldapserver=(null)
radius_1  | debug: ../pam_yubico.c:853 (parse_cfg): ldap_uri=(null)
radius_1  | debug: ../pam_yubico.c:854 (parse_cfg): ldap_bind_user=(null)
radius_1  | debug: ../pam_yubico.c:855 (parse_cfg): ldap_bind_password=(null)
radius_1  | debug: ../pam_yubico.c:856 (parse_cfg): ldap_filter=(null)
radius_1  | debug: ../pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null)
radius_1  | debug: ../pam_yubico.c:858 (parse_cfg): ldapdn=(null)
radius_1  | debug: ../pam_yubico.c:859 (parse_cfg): user_attr=(null)
radius_1  | debug: ../pam_yubico.c:860 (parse_cfg): yubi_attr=(null)
radius_1  | debug: ../pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null)
radius_1  | debug: ../pam_yubico.c:862 (parse_cfg): url=(null)
radius_1  | debug: ../pam_yubico.c:863 (parse_cfg): urllist=(null)
radius_1  | debug: ../pam_yubico.c:864 (parse_cfg): capath=(null)
radius_1  | debug: ../pam_yubico.c:865 (parse_cfg): cainfo=(null)
radius_1  | debug: ../pam_yubico.c:866 (parse_cfg): proxy=(null)
radius_1  | debug: ../pam_yubico.c:867 (parse_cfg): token_id_length=12
radius_1  | debug: ../pam_yubico.c:868 (parse_cfg): mode=client
radius_1  | debug: ../pam_yubico.c:869 (parse_cfg): chalresp_path=(null)
radius_1  | debug: ../pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26
radius_1  | debug: ../pam_yubico.c:914 (pam_sm_authenticate): get user returned: baimard
radius_1  | debug: ../pam_yubico.c:157 (authorize_user_token): Using system-wide auth_file /etc/yubikey_mappings
radius_1  | debug: ../util.c:154 (check_user_token): Authorization line: baimard:vvfbvjgblevc
radius_1  | debug: ../util.c:159 (check_user_token): Matched user: baimard
radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: vvfbvjgblevc
radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: (null)
radius_1  | debug: ../pam_yubico.c:1034 (pam_sm_authenticate): Tokens found for user
radius_1  | debug: ../pam_yubico.c:1096 (pam_sm_authenticate): conv returned 44 bytes
radius_1  | debug: ../pam_yubico.c:1111 (pam_sm_authenticate): Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
radius_1  | debug: ../pam_yubico.c:1118 (pam_sm_authenticate): OTP: vvfbvjgblevccrinkjhchkhludiidddgfkirnkvjjbuk ID: vvfbvjgblevc 
radius_1  | debug: ../pam_yubico.c:157 (authorize_user_token): Using system-wide auth_file /etc/yubikey_mappings
radius_1  | debug: ../util.c:154 (check_user_token): Authorization line: baimard:vvfbvjgblevc
radius_1  | debug: ../util.c:159 (check_user_token): Matched user: baimard
radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: vvfbvjgblevc
radius_1  | debug: ../util.c:169 (check_user_token): Match user/token as baimard/vvfbvjgblevc
radius_1  | debug: ../pam_yubico.c:1154 (pam_sm_authenticate): Token is associated to the user. Validating the OTP...
radius_1  | debug: ../pam_yubico.c:1156 (pam_sm_authenticate): ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
radius_1  | debug: ../pam_yubico.c:1157 (pam_sm_authenticate): ykclient url used: https://api5.yubico.com/wsapi/2.0/verify?id=16&nonce=prkyouigecwxlofgjwpatynejrqhwyin&otp=vvfbvjgblevccrinkjhchkhludiidddgfkirnkvjjbuk&timestamp=1
radius_1  | debug: ../pam_yubico.c:1220 (pam_sm_authenticate): done. [Authentication failure]
radius_1  | (0) pam: ERROR: pam_acct_mgmt failed: Authentication failure
radius_1  | (0)     [pam] = reject
radius_1  | (0)   } # Auth-Type PAM = reject
radius_1  | (0) Failed to authenticate the user
radius_1  | (0) Using Post-Auth-Type Reject
radius_1  | (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
radius_1  | (0)   Post-Auth-Type REJECT {
radius_1  | (0) attr_filter.access_reject: EXPAND %{User-Name}
radius_1  | (0) attr_filter.access_reject:    --> baimard
radius_1  | (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
radius_1  | (0)     [attr_filter.access_reject] = updated
radius_1  | (0)     [eap] = noop
radius_1  | (0)     policy remove_reply_message_if_eap {
radius_1  | (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
radius_1  | (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
radius_1  | (0)       else {
radius_1  | (0)         [noop] = noop
radius_1  | (0)       } # else = noop
radius_1  | (0)     } # policy remove_reply_message_if_eap = noop
radius_1  | (0)   } # Post-Auth-Type REJECT = updated
radius_1  | (0) Delaying response for 1.000000 seconds
radius_1  | Waking up in 0.9 seconds.
radius_1  | (0) Sending delayed response
radius_1  | (0) Sent Access-Reject Id 133 from 172.26.0.2:1812 to 192.168.0.238:50416 length 20
radius_1  | Waking up in 3.9 seconds.
radius_1  | (0) Cleaning up request packet ID 133 with timestamp +8
radius_1  | Ready to process requests
radius_1  | (1) Received Access-Request Id 189 from 192.168.0.238:59572 to 172.26.0.2:1812 length 109
radius_1  | (1)   User-Name = "baimard"
radius_1  | (1)   User-Password = "vvfbvjgblevcerbujtkudertidcrbnnnlbutergbflul"
radius_1  | (1)   NAS-IP-Address = 127.0.1.1
radius_1  | (1)   NAS-Port = 1812
radius_1  | (1)   Message-Authenticator = 0x73651723c672d1893254f3fdd90d8a30
radius_1  | (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
radius_1  | (1)   authorize {
radius_1  | (1)     policy filter_username {
radius_1  | (1)       if (&User-Name) {
radius_1  | (1)       if (&User-Name)  -> TRUE
radius_1  | (1)       if (&User-Name)  {
radius_1  | (1)         if (&User-Name =~ / /) {
radius_1  | (1)         if (&User-Name =~ / /)  -> FALSE
radius_1  | (1)         if (&User-Name =~ /@[^@]*@/ ) {
radius_1  | (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
radius_1  | (1)         if (&User-Name =~ /\.\./ ) {
radius_1  | (1)         if (&User-Name =~ /\.\./ )  -> FALSE
radius_1  | (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
radius_1  | (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
radius_1  | (1)         if (&User-Name =~ /\.$/)  {
radius_1  | (1)         if (&User-Name =~ /\.$/)   -> FALSE
radius_1  | (1)         if (&User-Name =~ /@\./)  {
radius_1  | (1)         if (&User-Name =~ /@\./)   -> FALSE
radius_1  | (1)       } # if (&User-Name)  = notfound
radius_1  | (1)     } # policy filter_username = notfound
radius_1  | (1)     [preprocess] = ok
radius_1  | (1)     [chap] = noop
radius_1  | (1)     [mschap] = noop
radius_1  | (1)     [digest] = noop
radius_1  | (1) suffix: Checking for suffix after "@"
radius_1  | (1) suffix: No '@' in User-Name = "baimard", looking up realm NULL
radius_1  | (1) suffix: No such realm "NULL"
radius_1  | (1)     [suffix] = noop
radius_1  | (1) eap: No EAP-Message, not doing EAP
radius_1  | (1)     [eap] = noop
radius_1  | (1) files: users: Matched entry DEFAULT at line 88
radius_1  | (1)     [files] = ok
radius_1  | (1)     [expiration] = noop
radius_1  | (1)     [logintime] = noop
radius_1  | (1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
radius_1  | (1) pap: WARNING: Authentication will fail unless a "known good" password is available
radius_1  | (1)     [pap] = noop
radius_1  | (1)   } # authorize = ok
radius_1  | (1) Found Auth-Type = pam
radius_1  | (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
radius_1  | (1)   Auth-Type PAM {
radius_1  | (1) pam: Using pamauth string "radiusd" for pam.conf lookup
radius_1  | debug: ../pam_yubico.c:838 (parse_cfg): called.
radius_1  | debug: ../pam_yubico.c:839 (parse_cfg): flags 0 argc 3
radius_1  | debug: ../pam_yubico.c:841 (parse_cfg): argv[0]=id=16
radius_1  | debug: ../pam_yubico.c:841 (parse_cfg): argv[1]=debug
radius_1  | debug: ../pam_yubico.c:841 (parse_cfg): argv[2]=authfile=/etc/yubikey_mappings
radius_1  | debug: ../pam_yubico.c:842 (parse_cfg): id=16
radius_1  | debug: ../pam_yubico.c:843 (parse_cfg): key=(null)
radius_1  | debug: ../pam_yubico.c:844 (parse_cfg): debug=1
radius_1  | debug: ../pam_yubico.c:845 (parse_cfg): debug_file=1
radius_1  | debug: ../pam_yubico.c:846 (parse_cfg): alwaysok=0
radius_1  | debug: ../pam_yubico.c:847 (parse_cfg): verbose_otp=0
radius_1  | debug: ../pam_yubico.c:848 (parse_cfg): try_first_pass=0
radius_1  | debug: ../pam_yubico.c:849 (parse_cfg): use_first_pass=0
radius_1  | debug: ../pam_yubico.c:850 (parse_cfg): nullok=0
radius_1  | debug: ../pam_yubico.c:851 (parse_cfg): authfile=/etc/yubikey_mappings
radius_1  | debug: ../pam_yubico.c:852 (parse_cfg): ldapserver=(null)
radius_1  | debug: ../pam_yubico.c:853 (parse_cfg): ldap_uri=(null)
radius_1  | debug: ../pam_yubico.c:854 (parse_cfg): ldap_bind_user=(null)
radius_1  | debug: ../pam_yubico.c:855 (parse_cfg): ldap_bind_password=(null)
radius_1  | debug: ../pam_yubico.c:856 (parse_cfg): ldap_filter=(null)
radius_1  | debug: ../pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null)
radius_1  | debug: ../pam_yubico.c:858 (parse_cfg): ldapdn=(null)
radius_1  | debug: ../pam_yubico.c:859 (parse_cfg): user_attr=(null)
radius_1  | debug: ../pam_yubico.c:860 (parse_cfg): yubi_attr=(null)
radius_1  | debug: ../pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null)
radius_1  | debug: ../pam_yubico.c:862 (parse_cfg): url=(null)
radius_1  | debug: ../pam_yubico.c:863 (parse_cfg): urllist=(null)
radius_1  | debug: ../pam_yubico.c:864 (parse_cfg): capath=(null)
radius_1  | debug: ../pam_yubico.c:865 (parse_cfg): cainfo=(null)
radius_1  | debug: ../pam_yubico.c:866 (parse_cfg): proxy=(null)
radius_1  | debug: ../pam_yubico.c:867 (parse_cfg): token_id_length=12
radius_1  | debug: ../pam_yubico.c:868 (parse_cfg): mode=client
radius_1  | debug: ../pam_yubico.c:869 (parse_cfg): chalresp_path=(null)
radius_1  | debug: ../pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26
radius_1  | debug: ../pam_yubico.c:914 (pam_sm_authenticate): get user returned: baimard
radius_1  | debug: ../pam_yubico.c:157 (authorize_user_token): Using system-wide auth_file /etc/yubikey_mappings
radius_1  | debug: ../util.c:154 (check_user_token): Authorization line: baimard:vvfbvjgblevc
radius_1  | debug: ../util.c:159 (check_user_token): Matched user: baimard
radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: vvfbvjgblevc
radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: (null)
radius_1  | debug: ../pam_yubico.c:1034 (pam_sm_authenticate): Tokens found for user
radius_1  | debug: ../pam_yubico.c:1096 (pam_sm_authenticate): conv returned 44 bytes
radius_1  | debug: ../pam_yubico.c:1111 (pam_sm_authenticate): Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
radius_1  | debug: ../pam_yubico.c:1118 (pam_sm_authenticate): OTP: vvfbvjgblevcerbujtkudertidcrbnnnlbutergbflul ID: vvfbvjgblevc 
radius_1  | debug: ../pam_yubico.c:157 (authorize_user_token): Using system-wide auth_file /etc/yubikey_mappings
radius_1  | debug: ../util.c:154 (check_user_token): Authorization line: baimard:vvfbvjgblevc
radius_1  | debug: ../util.c:159 (check_user_token): Matched user: baimard
radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: vvfbvjgblevc
radius_1  | debug: ../util.c:169 (check_user_token): Match user/token as baimard/vvfbvjgblevc
radius_1  | debug: ../pam_yubico.c:1154 (pam_sm_authenticate): Token is associated to the user. Validating the OTP...
radius_1  | debug: ../pam_yubico.c:1156 (pam_sm_authenticate): ykclient return value (0): Success
radius_1  | debug: ../pam_yubico.c:1157 (pam_sm_authenticate): ykclient url used: https://api4.yubico.com/wsapi/2.0/verify?id=16&nonce=roobwpopdwrjnqclwenpiwvdeyuwipbz&otp=vvfbvjgblevcerbujtkudertidcrbnnnlbutergbflul&timestamp=1
radius_1  | debug: ../pam_yubico.c:1220 (pam_sm_authenticate): done. [Success]
radius_1  | (1) pam: ERROR: pam_acct_mgmt failed: Authentication failure
radius_1  | (1)     [pam] = reject
radius_1  | (1)   } # Auth-Type PAM = reject
radius_1  | (1) Failed to authenticate the user
radius_1  | (1) Using Post-Auth-Type Reject
radius_1  | (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
radius_1  | (1)   Post-Auth-Type REJECT {
radius_1  | (1) attr_filter.access_reject: EXPAND %{User-Name}
radius_1  | (1) attr_filter.access_reject:    --> baimard
radius_1  | (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
radius_1  | (1)     [attr_filter.access_reject] = updated
radius_1  | (1)     [eap] = noop
radius_1  | (1)     policy remove_reply_message_if_eap {
radius_1  | (1)       if (&reply:EAP-Message && &reply:Reply-Message) {
radius_1  | (1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
radius_1  | (1)       else {
radius_1  | (1)         [noop] = noop
radius_1  | (1)       } # else = noop
radius_1  | (1)     } # policy remove_reply_message_if_eap = noop
radius_1  | (1)   } # Post-Auth-Type REJECT = updated
radius_1  | (1) Delaying response for 1.000000 seconds
radius_1  | Waking up in 0.9 seconds.
radius_1  | (1) Sending delayed response
radius_1  | (1) Sent Access-Reject Id 189 from 172.26.0.2:1812 to 192.168.0.238:59572 length 20
radius_1  | Waking up in 3.9 seconds.
radius_1  | (1) Cleaning up request packet ID 189 with timestamp +27
radius_1  | Ready to process requests
^CGracefully stopping... (press Ctrl+C again to force)
Stopping freeradius_radius_1 ... 

The problem is here:

radius_1  | debug: ../util.c:165 (check_user_token): Authorization token: vvfbvjgblevc
radius_1  | debug: ../util.c:169 (check_user_token): Match user/token as baimard/vvfbvjgblevc
radius_1  | debug: ../pam_yubico.c:1154 (pam_sm_authenticate): Token is associated to the user. Validating the OTP...
radius_1  | debug: ../pam_yubico.c:1156 (pam_sm_authenticate): ykclient return value (0): Success
radius_1  | debug: ../pam_yubico.c:1157 (pam_sm_authenticate): ykclient url used: https://api4.yubico.com/wsapi/2.0/verify?id=16&nonce=roobwpopdwrjnqclwenpiwvdeyuwipbz&otp=vvfbvjgblevcerbujtkudertidcrbnnnlbutergbflul&timestamp=1
radius_1  | debug: ../pam_yubico.c:1220 (pam_sm_authenticate): done. [Success]
radius_1  | (1) pam: ERROR: pam_acct_mgmt failed: Authentication failure
radius_1  | (1)     [pam] = reject
radius_1  | (1)   } # Auth-Type PAM = reject

On a server installed on a virtual machine with the EXACT SAME CONFIGURATION:

[../pam_yubico.c:authorize_user_token(154)] Using system-wide auth_file /etc/yubikey_mappings
[../util.c:check_user_token(151)] Authorization line: baimard:vvfbvjgblevc
[../util.c:check_user_token(156)] Matched user: baimard
[../util.c:check_user_token(162)] Authorization token: vvfbvjgblevc
[../util.c:check_user_token(166)] Match user/token as baimard/vvfbvjgblevc
[../pam_yubico.c:pam_sm_authenticate(1109)] done. [Success]
(1) pam: Authentication succeeded
(1)     [pam] = ok
(1)   } # authenticate = ok

Same result with other PAM configurations...

alandekok commented 5 years ago

The code in FreeRADIUS does this:

ret = pam_acct_mgmt(handle, 0);   /* account-management phase, run after pam_authenticate() */
if (ret != PAM_SUCCESS) {
    RERROR("pam_acct_mgmt failed: %s", pam_strerror(handle, ret));
    /* failure path continues here: the request is rejected */
}

i.e. we call the PAM library, and the PAM library returns a failure. There is very little that we can do in FreeRADIUS to fix an issue with the PAM library.

If FreeRADIUS has the EXACT SAME CONFIGURATION on both machines, then the problem isn't FreeRADIUS. It's something else, i.e. the PAM library and its configuration.

baimard commented 5 years ago

FYI:

I have the same problem with the official image of freeradius:

https://hub.docker.com/r/freeradius/freeradius-server

We are looking for what is missing from the container.

Thank you for your attention

alandekok commented 5 years ago

As I tried to say, you have to configure PAM. Read the PAM documentation for how to do that.

baimard commented 5 years ago

Thank you.

Just for information, if someone has the same problem: I was thinking that the yubikey mapping was enough, but in the docker container you need to create the user with: "useradd "

alandekok commented 5 years ago

PAM requires users to exist in the local DB (NSS, /etc/passwd, whatever). Otherwise it fails.

FreeRADIUS has no such issue. Which is why we recommend using the rlm_yubikey module that comes with it.

Nokta-strigo commented 4 years ago

PAM requires users to exist in the local DB (NSS, /etc/passwd, whatever). Otherwise it fails.

Actually in PAM that's the default behaviour, but you can control it via the account management group. To make PAM skip the local user existence check you need to add this line to your /etc/pam.d/radiusd file (and, possibly, remove any other lines starting with "account"):

account sufficient pam_permit.so

That tells PAM to use the pam_permit.so module to verify (that's different from authenticate!) the account, and pam_permit.so is a special module that always returns "OK". There must be another line[s] in the file, starting with auth, that tells PAM how to actually authenticate users. See man pam.conf for more info.
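
The account-stack behaviour described in this comment and in alandekok's earlier reply (pam_yubico's pam_sm_authenticate() reporting Success, then pam_acct_mgmt() failing with "Authentication failure"), as an added example that is not code from FreeRADIUS, Linux-PAM or pam_yubico: a small Python model of how libpam walks the account lines of a pam.d service file, using the control-flag semantics from pam.conf(5). The sample service files are constructed for this thread; the first is laid out like Debian's default common-account stack, which is an assumption about the container image and not taken from its files. The user name and the pam_yubico arguments are the ones visible in the debug output above.

```python
"""Model of the Linux-PAM 'account' stack evaluated by pam_acct_mgmt().
Added example, not FreeRADIUS/Linux-PAM/pam_yubico code. Only the account
phase is modelled, with pam_unix.so, pam_permit.so and pam_deny.so."""
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"            # what pam_deny.so returns
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"    # pam_unix.so: no passwd entry
PAM_PERM_DENIED = "PAM_PERM_DENIED"      # stack reached no decision

STRERROR = {                             # pam_strerror() wording
    PAM_SUCCESS: "Success",
    PAM_AUTH_ERR: "Authentication failure",
    PAM_USER_UNKNOWN: "User not known to the underlying authentication module",
    PAM_PERM_DENIED: "Permission denied",
}

# Simple control keywords as pam.conf(5) defines them in [...] form
SIMPLE = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# type, control (keyword or [...] block), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(ctrl):
    """Turn 'required' or '[success=1 default=ignore]' into {retval: action}."""
    body = SIMPLE.get(ctrl) or (ctrl[1:-1] if ctrl.startswith("[") else None)
    if body is None:
        raise ValueError(f"unknown control field {ctrl!r}")
    return dict(kv.split("=", 1) for kv in body.split())


def parse_stack(text, phase="account"):
    """Return [(control, module, args)] for one management group of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse pam.d line {raw!r}")
        typ, ctrl, module, args = m.groups()
        if typ.lstrip("-") == phase:     # a leading '-' only silences load errors
            stack.append((parse_control(ctrl), module, args or ""))
    return stack


def run_module(module, user, local_users):
    """pam_sm_acct_mgmt() return codes of the modelled modules."""
    if module == "pam_unix.so":           # needs a getpwnam() hit
        return PAM_SUCCESS if user in local_users else PAM_USER_UNKNOWN
    if module == "pam_permit.so":         # always succeeds
        return PAM_SUCCESS
    if module == "pam_deny.so":           # always fails
        return PAM_AUTH_ERR
    raise ValueError(f"{module} is not modelled")


def pam_acct_mgmt(pamd_text, user, local_users):
    """Walk the account stack the way libpam's dispatcher does; return its code."""
    stack = parse_stack(pamd_text)
    if not stack:                         # "no modules loaded": must-fail code
        return PAM_PERM_DENIED
    impression, status, skip = None, None, 0   # None == undecided
    for control, module, _args in stack:
        if skip:                          # jumped over by a numeric action
            skip -= 1
            continue
        retval = run_module(module, user, local_users)
        action = control.get(retval[4:].lower(), control.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):      # first failure fixes the stack's result
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
            continue
        # "ok", "done" and a jump count "N" contribute the module's own code
        if impression is None or (impression == "positive" and status == PAM_SUCCESS):
            impression, status = "positive", retval
        if action == "done" and impression == "positive":
            break
        if action.isdigit():
            skip = int(action)
    return PAM_PERM_DENIED if impression is None else status


# Constructed sample service files (assumptions, not the container's real files).
DEFAULT_STACK = """\
auth    required  pam_yubico.so id=16 authfile=/etc/yubikey_mappings
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required  pam_permit.so
"""
PERMIT_STACK = """\
auth    required   pam_yubico.so id=16 authfile=/etc/yubikey_mappings
account sufficient pam_permit.so
"""
APPENDED_STACK = DEFAULT_STACK + "account sufficient pam_permit.so\n"

if __name__ == "__main__":
    for label, stack, users in [("no passwd entry", DEFAULT_STACK, set()),
                                ("after useradd", DEFAULT_STACK, {"baimard"}),
                                ("permit line alone", PERMIT_STACK, set()),
                                ("permit line appended", APPENDED_STACK, set())]:
        code = pam_acct_mgmt(stack, "baimard", users)
        print(f"{label:22} {code}: {STRERROR[code]}")
```

With the Debian-style stack and no passwd entry for the user, pam_unix.so returns PAM_USER_UNKNOWN, which `default=ignore` discards, so the `requisite pam_deny.so` line decides the result with PAM_AUTH_ERR, the "Authentication failure" seen in the log even though the YubiKey OTP validated. Creating the user makes pam_unix.so succeed and `success=1` jumps over pam_deny.so. The model also shows why the comment says to remove the other account lines: appending `account sufficient pam_permit.so` after that stack changes nothing, because the requisite pam_deny.so still terminates the stack first. From a hardening standpoint, `account sufficient pam_permit.so` satisfies the account phase for any name the auth phase accepted, so whatever account checks pam_unix.so would have applied (expiry, locked accounts) are skipped; if those matter, keep the local user (useradd) or use rlm_yubikey as suggested above.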

baimard commented 4 years ago

Thank you !