Closed: qunigouming007 closed this issue 11 months ago
You already asked this on the freeradius-users mailing list. GitHub issues are for bug reports not configuration questions.
I'm so sorry, and please forgive me for doing something stupid the first time. I want to delete this comment immediately, but I can't find it. Can you help delete it? Thank you!
Matthew Newton @.***> wrote on Wednesday, 6 December 2023 at 18:44:
Closed #5240 https://github.com/FreeRADIUS/freeradius-server/issues/5240 as completed.
The following is the debug output I captured on the FreeRADIUS server by running `radiusd -X 2>&1 | tee debugfile` (it includes both a valid and an invalid authentication process):
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file 
/etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" 
hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client all_client { ipaddr = 0.0.0.0/0 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached
Creating Auth-Type = mschap
Creating Auth-Type = digest
Creating Auth-Type = eap
Creating Auth-Type = PAP
Creating Auth-Type = CHAP
Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules #### modules {
Loaded module rlm_always
Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject { rcode = "reject" simulcount = 0 mpp = no }
Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail { rcode = "fail" simulcount = 0 mpp = no }
Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok { rcode = "ok" simulcount = 0 mpp = no }
Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled { rcode = "handled" simulcount = 0 mpp = no }
Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid { rcode = "invalid" simulcount = 0 mpp = no }
Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock { rcode = "userlock" simulcount = 0 mpp = no }
Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound { rcode = "notfound" simulcount = 0 mpp = no }
Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop { rcode = "noop" simulcount = 0 mpp = no }
Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated { rcode = "updated" simulcount = 0 mpp = no }
Loaded module rlm_attr_filter
Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no }
Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no }
Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no }
Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no }
Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no }
Loaded module rlm_cache
Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no }
Loaded module rlm_chap
Loading module "chap" from file /etc/raddb/mods-enabled/chap
Loaded module rlm_date
Loading module "date" from file /etc/raddb/mods-enabled/date
date { format = "%b %e %Y %H:%M:%S %Z" }
Loaded module rlm_detail
Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }
Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }
Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }
Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }
Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }
Loaded module rlm_dhcp
Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
Loaded module rlm_digest
Loading module "digest" from file /etc/raddb/mods-enabled/digest
Loaded module rlm_dynamic_clients
Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
Loaded module rlm_eap
Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 }
Loaded module rlm_exec
Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes }
Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 }
Loaded module rlm_expiration
Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
Loaded module rlm_expr
Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr { safecharacters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" }
Loaded module rlm_files
Loading module "files" from file /etc/raddb/mods-enabled/files
files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" }
Loaded module rlm_linelog
Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" }
Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" }
Loaded module rlm_logintime
Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime { minimum_timeout = 60 }
Loaded module rlm_mschap
Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no }
Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes }
Loaded module rlm_pap
Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap { normalise = yes }
Loaded module rlm_passwd
Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 }
Loaded module rlm_preprocess
Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no }
Loaded module rlm_radutmp
Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes }
Loaded module rlm_realm
Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no }
Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no }
Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no }
Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no }
Loaded module rlm_replicate
Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
Loaded module rlm_soh
Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh { dhcp = yes }
Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no }
Loaded module rlm_unix
Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group
Loaded module rlm_unpack
Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
Loaded module rlm_utf8
Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
Loaded module rlm_sql
Loading module "sql" from file /etc/raddb/mods-enabled/sql
sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "dbuser" password = <<< secret >>> radius_db = "radiusdb" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY i d" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY i d" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedproto col FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safecharacters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '% {NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = 
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '% {NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, c onnectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatec ause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME( %{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', ' ', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Tim estamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsess iontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctet s = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time} :-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Giga words}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = 
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE Ac ctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group instantiate { }
Instantiating module "reject" from file /etc/raddb/mods-enabled/always
Instantiating module "fail" from file /etc/raddb/mods-enabled/always
Instantiating module "ok" from file /etc/raddb/mods-enabled/always
Instantiating module "handled" from file /etc/raddb/mods-enabled/always
Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
Instantiating module "noop" from file /etc/raddb/mods-enabled/always
Instantiating module "updated" from file /etc/raddb/mods-enabled/always
Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT" .
Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
Linked to sub-module rlm_eap_md5
Linked to sub-module rlm_eap_leap
Linked to sub-module rlm_eap_gtc
gtc { challenge = "Password: " auth_type = "PAP" }
Linked to sub-module rlm_eap_tls
tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } }
Linked to sub-module rlm_eap_ttls
ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation
Linked to sub-module rlm_eap_peap
peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation
Linked to sub-module rlm_eap_mschapv2
mschapv2 { with_ntdomain_hack = no send_error = no }
Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy
Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints
Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.48-MariaDB mysql { tls { } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radiusdb" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default
Loading authenticate {...}
Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
Loading preacct {...}
Loading accounting {...}
Loading post-proxy {...}
Loading post-auth {...}
} # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
Loading authenticate {...}
Loading authorize {...}
Loading session {...}
Loading post-proxy {...}
Loading post-auth {...}
Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330
} # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address port 1812 bound to server default Listening on acct address port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 34346 Listening on proxy address :: port 45544 Ready to process requests
The following is the debug output for the authentication process of the switch:
(0) Received Access-Request Id 228 from 192.168.1.243:38272 to 192.168.2.118:1812 length 215
(0)   User-Name = "netnoc"
(0)   NAS-Identifier = "4F-37U-S6812"
(0)   Acct-Session-Id = "0000000106121519040000000108000026168"
(0)   User-Password = "123456"
(0)   Calling-Station-Id = "192.168.2.1"
(0)   NAS-Port-Type = Virtual
(0)   Attr-26.25506.230 = 0x4d2d4769676162697445746865726e6574302f302f30
(0)   Framed-IP-Address = 192.168.2.1
(0)   Service-Type = Login-User
(0)   NAS-IP-Address = 192.168.1.243
(0)   H3C-Product-ID = "H3C S6812-48X6C"
(0)   H3C-NAS-Startup-Timestamp = 1609459214
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name) -> TRUE
(0)       if (&User-Name) {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /) -> FALSE
(0)         if (&User-Name =~ /@[^@]@/ ) {
(0)         if (&User-Name =~ /@[^@]@/ ) -> FALSE
(0)         if (&User-Name =~ /../ ) {
(0)         if (&User-Name =~ /../ ) -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(0)         if (&User-Name =~ /.$/) {
(0)         if (&User-Name =~ /.$/) -> FALSE
(0)         if (&User-Name =~ /@./) {
(0)         if (&User-Name =~ /@./) -> FALSE
(0)       } # if (&User-Name) = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "netnoc", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> netnoc
(0) sql: SQL-User-Name set to 'netnoc'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'netnoc' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'netnoc' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   MD5-Password := 0x6466346638383237653136313136306566383961303439343861363962323139
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'netnoc' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'netnoc' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'netnoc' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'netnoc' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: Normalizing MD5-Password from hex encoding, 32 bytes -> 16 bytes
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" MD5-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> netnoc
(0) sql: SQL-User-Name set to 'netnoc'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'netnoc', '123456', 'Access-Accept', '2023-12-05 10:07:15.051206')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'netnoc', '123456', 'Access-Accept', '2023-12-05 10:07:15.051206')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(0)     [sql] = ok
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = ok
(0) Sent Access-Accept Id 228 from 192.168.2.118:1812 to 192.168.1.243:38272 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 228 with timestamp +5
Ready to process requests
(1) Received Access-Request Id 175 from 192.168.1.244:63378 to 192.168.2.118:1812 length 170
(1)   User-Name = "netnoc"
(1)   User-Password = "123456"
(1)   Service-Type = Administrative-User
(1)   Framed-Protocol = X.75-Synchronous
(1)   Framed-IP-Address = 192.168.2.1
(1)   NAS-Identifier = "4F-CE6857-ASW244"
(1)   NAS-Port-Type = Virtual
(1)   NAS-IP-Address = 192.168.1.244
(1)   Huawei-Startup-Stamp = 1701770673
(1)   Huawei-Version = "Huawei VRP Software Version"
(1)   Huawei-Product-ID = "VRP"
(1)   Message-Authenticator = 0x83f55529c0423e10fb1e141aa00a5fff
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name) -> TRUE
(1)       if (&User-Name) {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /) -> FALSE
(1)         if (&User-Name =~ /@[^@]@/ ) {
(1)         if (&User-Name =~ /@[^@]@/ ) -> FALSE
(1)         if (&User-Name =~ /../ ) {
(1)         if (&User-Name =~ /../ ) -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(1)         if (&User-Name =~ /.$/) {
(1)         if (&User-Name =~ /.$/) -> FALSE
(1)         if (&User-Name =~ /@./) {
(1)         if (&User-Name =~ /@./) -> FALSE
(1)       } # if (&User-Name) = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "netnoc", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql:    --> netnoc
(1) sql: SQL-User-Name set to 'netnoc'
rlm_sql (sql): Reserved connection (2)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'netnoc' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'netnoc' ORDER BY id (1) sql: User found in radcheck table (1) sql: Conditional check items matched, merging assignment check items (1) sql: MD5-Password := 0x6466346638383237653136313136306566383961303439343861363962323139 (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'netnoc' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'netnoc' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'netnoc' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'netnoc' ORDER BY priority (1) sql: User not found in any groups rlm_sql (sql): Released connection (2) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 11.2.2-MariaDB-log, protocol version 10 (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: Normalizing MD5-Password from hex encoding, 32 bytes -> 16 bytes (1) [pap] = updated (1) } # authorize = updated (1) Found Auth-Type = PAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known-good" MD5-Password (1) pap: User authenticated successfully (1) [pap] = ok (1) } # Auth-Type PAP = ok (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) 
No attributes updated (1) } # update = noop (1) sql: EXPAND .query (1) sql: --> .query (1) sql: Using query template 'query' rlm_sql (sql): Reserved connection (3) (1) sql: EXPAND %{User-Name} (1) sql: --> netnoc (1) sql: SQL-User-Name set to 'netnoc' (1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (1) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'netnoc', '123456', 'Access-Accept', '2023-12-05 10: 07:21.420568') (1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'netnoc', '123456', 'Access-Accept', '2023 -12-05 10:07:21.420568') (1) sql: SQL query returned: success (1) sql: 1 record(s) updated rlm_sql (sql): Released connection (3) (1) [sql] = ok (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = ok (1) Sent Access-Accept Id 175 from 192.168.2.118:1812 to 192.168.1.244:63378 length 0 (1) Finished request Waking up in 4.9 seconds
The following is the MySQL account information:
MariaDB [radiusdb]> SELECT * FROM radcheck;
+----+----------+--------------+----+----------------------------------+
| id | username | attribute    | op | value                            |
+----+----------+--------------+----+----------------------------------+
|  1 | netnoc   | MD5-Password | := | df4f8827e161sdfg56a04948a69b219  |
+----+----------+--------------+----+----------------------------------+
The following is my network configuration file using H3C S6812-48X6C. I tried to use both freeradius and system domains but failed, which is very frustrating.
local-user usermgmt
 service-type ssh terminal
 authorization-attribute level 3
 password cipher sjkak25u98sdk
 quit
ssh server enable
ssh user usermgmt service-type all authentication-type password
dot1x
dot1x authentication-method pap
domain default enable freeradius(system)
radius scheme freeradius
 primary authentication 192.168.2.118 key simple demo_radius_secret
 user-name-format without-domain
 quit
radius scheme system
 user-name-format without-domain
 quit
domain freeradius
 authentication login radius-scheme freeradius local
 quit
domain system
 authentication login radius-scheme freeradius local
 quit
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode scheme
 protocol inbound ssh
I don't know if providing the above information will be helpful or troublesome to you. If so, I'm so sorry! I look forward to having you reply to my email again if I need to provide more information. At the same time, I also look forward to your helping me solve this problem! Thanks everyone!
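Added example, not code from the issue or from FreeRADIUS: a Python reconstruction of the two steps the debug output above shows for this account, decoding the 0x octet dump that radiusd -X prints for MD5-Password, then doing what rlm_pap logs as normalizing the 32-character hex value to 16 bytes and comparing it with MD5(User-Password) under Auth-Type PAP. The make_radcheck_value helper and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import re

# A 32-character hex string, the form an MD5-Password radcheck row is usually stored in.
HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def decode_debug_octets(value):
    """radiusd -X shows some string attributes as 0x-prefixed octets
    (the 'MD5-Password := 0x6466...' line above); recover the text they encode."""
    if not value.startswith("0x"):
        return value
    return bytes.fromhex(value[2:]).decode("ascii")


def normalize_md5_password(value):
    """Mirror the step rlm_pap logs as 'Normalizing MD5-Password from hex encoding,
    32 bytes -> 16 bytes': a raw 16-byte digest is kept, a 32-char hex string is
    decoded, anything else cannot be compared and is rejected."""
    if isinstance(value, bytes) and len(value) == 16:
        return value
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    if HEX32.fullmatch(value):
        return bytes.fromhex(value)
    raise ValueError("MD5-Password must be 16 raw bytes or 32 hex chars, got %r" % (value,))


def make_radcheck_value(password):
    """Hypothetical helper: the hex MD5 one would INSERT into radcheck as the
    value of an 'MD5-Password :=' row (constructed for the sample below)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pap_md5_check(radcheck_value, user_password):
    """What Auth-Type PAP does in the debug output: hash the cleartext
    User-Password and compare it with the known-good MD5-Password."""
    known_good = normalize_md5_password(radcheck_value)
    offered = hashlib.md5(user_password.encode("utf-8")).digest()
    return hmac.compare_digest(known_good, offered)


if __name__ == "__main__":
    # The octet dump from request (0) above, decoded back to the stored hex string.
    stored = decode_debug_octets(
        "0x6466346638383237653136313136306566383961303439343861363962323139")
    print("radcheck value:", stored, "->", len(normalize_md5_password(stored)), "bytes")
    # Constructed row and password, not the account from the issue.
    sample = make_radcheck_value("constructed-password")
    print("match:", pap_md5_check(sample, "constructed-password"))
    print("mismatch:", pap_md5_check(sample, "wrong-password"))
```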