FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0

[defect]: duplicate packet caused by sending COA packet before any auth packets hit freeradius #5397

Closed BSpendlove closed 2 months ago

BSpendlove commented 2 months ago

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

Hi all, I'm a bit stuck with an issue that I don't know if it's FreeRADIUS, but it seems weird to behave this way and completely crash the application. The story is that I am running FreeRADIUS in K8s and doing some testing; if I restart my pods and send a COA to be processed by FreeRADIUS before any authentication requests come in first, then it gets the right hump. If I send an initial authentication request (even if it's rejected) then this seems to get around the issue.

So I have come back to basics and am just running the 3.2.5 alpine image in a docker-compose file with some default provided configurations, in case it was a configuration error on my side. I will post separately the docker-compose and the files I am mounting for my fresh configuration.

1) Build a fresh FreeRADIUS container with minimal COA configuration
2) Send a COA disconnect to the coa port (even if the secret is wrong)
3) It processes duplicate packets like mad and FreeRADIUS comes to a halt

Log output from the FreeRADIUS daemon

Attaching to freeradius-1
freeradius-1  | FreeRADIUS Version 3.2.5
freeradius-1  | Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
freeradius-1  | There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
freeradius-1  | PARTICULAR PURPOSE
freeradius-1  | You may redistribute copies of FreeRADIUS under the terms of the
freeradius-1  | GNU General Public License
freeradius-1  | For more information about these matters, see the file named COPYRIGHT
freeradius-1  | Starting - reading configuration files ...
freeradius-1  | including dictionary file /opt/share/freeradius/dictionary
freeradius-1  | including dictionary file /opt/share/freeradius/dictionary.dhcp
freeradius-1  | including dictionary file /opt/share/freeradius/dictionary.vqp
freeradius-1  | including dictionary file /opt/etc/raddb/dictionary
freeradius-1  | including configuration file /opt/etc/raddb/radiusd.conf
freeradius-1  | including configuration file /opt/etc/raddb/proxy.conf
freeradius-1  | including configuration file /opt/etc/raddb/clients.conf
freeradius-1  | including files in directory /opt/etc/raddb/mods-enabled/
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/passwd
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/expr
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/chap
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/eap
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/soh
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/logintime
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/pap
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/digest
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/always
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/unix
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/totp
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/linelog
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/expiration
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/radutmp
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/sradutmp
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/replicate
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/utf8
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/date
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/preprocess
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/exec
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/realm
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/files
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/detail
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/unpack
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/dynamic_clients
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/mschap
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/echo
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/ntlm_auth
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/detail_coa
freeradius-1  | including configuration file /opt/etc/raddb/mods-enabled/sql
freeradius-1  | including configuration file /opt/etc/raddb/mods-config/sql/main/sqlite/queries.conf
freeradius-1  | including files in directory /opt/etc/raddb/policy.d/
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/debug
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/control
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/filter
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/eap
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/dhcp
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/operator-name
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/abfab-tr
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/rfc7542
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/accounting
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/moonshot-targeted-ids
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/canonicalization
freeradius-1  | including configuration file /opt/etc/raddb/policy.d/cui
freeradius-1  | including files in directory /opt/etc/raddb/sites-enabled/
freeradius-1  | including configuration file /opt/etc/raddb/sites-enabled/inner-tunnel
freeradius-1  | including configuration file /opt/etc/raddb/sites-enabled/default
freeradius-1  | including configuration file /opt/etc/raddb/sites-enabled/coa
freeradius-1  | main {
freeradius-1  |  security {
freeradius-1  |     allow_core_dumps = no
freeradius-1  |  }
freeradius-1  |     name = "radiusd"
freeradius-1  |     prefix = "/opt"
freeradius-1  |     localstatedir = "/opt/var"
freeradius-1  |     logdir = "/opt/var/log/radius"
freeradius-1  |     run_dir = "/opt/var/run/radiusd"
freeradius-1  | }
freeradius-1  | main {
freeradius-1  |     name = "radiusd"
freeradius-1  |     prefix = "/opt"
freeradius-1  |     localstatedir = "/opt/var"
freeradius-1  |     sbindir = "/opt/sbin"
freeradius-1  |     logdir = "/opt/var/log/radius"
freeradius-1  |     run_dir = "/opt/var/run/radiusd"
freeradius-1  |     libdir = "/opt/lib"
freeradius-1  |     radacctdir = "/opt/var/log/radius/radacct"
freeradius-1  |     hostname_lookups = no
freeradius-1  |     max_request_time = 30
freeradius-1  |     proxy_dedup_window = 1
freeradius-1  |     cleanup_delay = 5
freeradius-1  |     max_requests = 16384
freeradius-1  |     max_fds = 512
freeradius-1  |     postauth_client_lost = no
freeradius-1  |     pidfile = "/opt/var/run/radiusd/radiusd.pid"
freeradius-1  |     checkrad = "/opt/sbin/checkrad"
freeradius-1  |     debug_level = 0
freeradius-1  |     proxy_requests = yes
freeradius-1  |  log {
freeradius-1  |     stripped_names = no
freeradius-1  |     auth = no
freeradius-1  |     auth_badpass = no
freeradius-1  |     auth_goodpass = no
freeradius-1  |     colourise = yes
freeradius-1  |     msg_denied = "You are already logged in - access denied"
freeradius-1  |  }
freeradius-1  |  resources {
freeradius-1  |  }
freeradius-1  |  security {
freeradius-1  |     max_attributes = 200
freeradius-1  |     reject_delay = 1.000000
freeradius-1  |     status_server = yes
freeradius-1  |     require_message_authenticator = "auto"
freeradius-1  |     limit_proxy_state = "auto"
freeradius-1  |     allow_vulnerable_openssl = "no"
freeradius-1  |  }
freeradius-1  | }
freeradius-1  | radiusd: #### Loading Realms and Home Servers ####
freeradius-1  |  proxy server {
freeradius-1  |     retry_delay = 5
freeradius-1  |     retry_count = 3
freeradius-1  |     default_fallback = no
freeradius-1  |     dead_time = 120
freeradius-1  |     wake_all_if_all_dead = no
freeradius-1  |  }
freeradius-1  |  home_server localhost {
freeradius-1  |     nonblock = no
freeradius-1  |     ipaddr = 127.0.0.1
freeradius-1  |     port = 1812
freeradius-1  |     type = "auth"
freeradius-1  |     secret = <<< secret >>>
freeradius-1  |     response_window = 20.000000
freeradius-1  |     response_timeouts = 1
freeradius-1  |     max_outstanding = 65536
freeradius-1  |     zombie_period = 40
freeradius-1  |     status_check = "status-server"
freeradius-1  |     ping_interval = 30
freeradius-1  |     check_interval = 30
freeradius-1  |     check_timeout = 4
freeradius-1  |     num_answers_to_alive = 3
freeradius-1  |     revive_interval = 120
freeradius-1  |   limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     max_requests = 0
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 0
freeradius-1  |   }
freeradius-1  |   coa {
freeradius-1  |     irt = 2
freeradius-1  |     mrt = 16
freeradius-1  |     mrc = 5
freeradius-1  |     mrd = 30
freeradius-1  |   }
freeradius-1  |  }
freeradius-1  |  home_server coa-nas1 {
freeradius-1  |     nonblock = no
freeradius-1  |     ipaddr = 192.0.2.1
freeradius-1  |     port = 1700
freeradius-1  |     type = "coa"
freeradius-1  |     secret = <<< secret >>>
freeradius-1  |     response_window = 30.000000
freeradius-1  |     response_timeouts = 1
freeradius-1  |     max_outstanding = 65536
freeradius-1  |     zombie_period = 40
freeradius-1  |     status_check = "none"
freeradius-1  |     ping_interval = 30
freeradius-1  |     check_timeout = 4
freeradius-1  |     num_answers_to_alive = 3
freeradius-1  |     revive_interval = 300
freeradius-1  |   limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     max_requests = 0
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 0
freeradius-1  |   }
freeradius-1  |   coa {
freeradius-1  |     irt = 2
freeradius-1  |     mrt = 16
freeradius-1  |     mrc = 5
freeradius-1  |     mrd = 30
freeradius-1  |   }
freeradius-1  |  }
freeradius-1  |  home_server_pool my_auth_failover {
freeradius-1  |     type = fail-over
freeradius-1  |     home_server = localhost
freeradius-1  |  }
freeradius-1  |  realm example.com {
freeradius-1  |     auth_pool = my_auth_failover
freeradius-1  |  }
freeradius-1  |  realm LOCAL {
freeradius-1  |  }
freeradius-1  |  home_server_pool coa-nas1 {
freeradius-1  |     type = fail-over
freeradius-1  |     virtual_server = originate-coa-relay
freeradius-1  |     home_server = coa-nas1
freeradius-1  |  }
freeradius-1  | radiusd: #### Loading Clients ####
freeradius-1  |  client 172.21.0.1 {
freeradius-1  |     ipaddr = 172.21.0.1
freeradius-1  |     secret = <<< secret >>>
freeradius-1  |   limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |   }
freeradius-1  |  }
freeradius-1  |  client localhost {
freeradius-1  |     ipaddr = 127.0.0.1
freeradius-1  |     secret = <<< secret >>>
freeradius-1  |   limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |   }
freeradius-1  |  }
freeradius-1  |  client 172.19.0.1 {
freeradius-1  |     ipaddr = 172.19.0.1
freeradius-1  |     secret = <<< secret >>>
freeradius-1  |   limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |   }
freeradius-1  |  }
freeradius-1  | Found debugger attached
freeradius-1  |  # Creating Auth-Type = mschap
freeradius-1  |  # Creating Auth-Type = eap
freeradius-1  |  # Creating Auth-Type = PAP
freeradius-1  |  # Creating Auth-Type = CHAP
freeradius-1  |  # Creating Auth-Type = MS-CHAP
freeradius-1  |  # Creating Auth-Type = digest
freeradius-1  |  # Creating Autz-Type = New-TLS-Connection
freeradius-1  | radiusd: #### Instantiating modules ####
freeradius-1  |  modules {
freeradius-1  |   # Loaded module rlm_passwd
freeradius-1  |   # Loading module "etc_passwd" from file /opt/etc/raddb/mods-enabled/passwd
freeradius-1  |   passwd etc_passwd {
freeradius-1  |     filename = "/etc/passwd"
freeradius-1  |     format = "*User-Name:Crypt-Password:"
freeradius-1  |     delimiter = ":"
freeradius-1  |     ignore_nislike = no
freeradius-1  |     ignore_empty = yes
freeradius-1  |     allow_multiple_keys = no
freeradius-1  |     hash_size = 100
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_expr
freeradius-1  |   # Loading module "expr" from file /opt/etc/raddb/mods-enabled/expr
freeradius-1  |   expr {
freeradius-1  |     safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_chap
freeradius-1  |   # Loading module "chap" from file /opt/etc/raddb/mods-enabled/chap
freeradius-1  |   # Loaded module rlm_eap
freeradius-1  |   # Loading module "eap" from file /opt/etc/raddb/mods-enabled/eap
freeradius-1  |   eap {
freeradius-1  |     default_eap_type = "md5"
freeradius-1  |     timer_expire = 60
freeradius-1  |     max_eap_type = 52
freeradius-1  |     ignore_unknown_eap_types = no
freeradius-1  |     cisco_accounting_username_bug = no
freeradius-1  |     max_sessions = 16384
freeradius-1  |     dedup_key = ""
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_detail
freeradius-1  |   # Loading module "auth_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   detail auth_log {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
freeradius-1  |     header = "%t"
freeradius-1  |     permissions = 384
freeradius-1  |     locking = no
freeradius-1  |     dates_as_integer = no
freeradius-1  |     escape_filenames = no
freeradius-1  |     log_packet_header = no
freeradius-1  |   }
freeradius-1  |   # Loading module "reply_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   detail reply_log {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
freeradius-1  |     header = "%t"
freeradius-1  |     permissions = 384
freeradius-1  |     locking = no
freeradius-1  |     dates_as_integer = no
freeradius-1  |     escape_filenames = no
freeradius-1  |     log_packet_header = no
freeradius-1  |   }
freeradius-1  |   # Loading module "pre_proxy_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   detail pre_proxy_log {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
freeradius-1  |     header = "%t"
freeradius-1  |     permissions = 384
freeradius-1  |     locking = no
freeradius-1  |     dates_as_integer = no
freeradius-1  |     escape_filenames = no
freeradius-1  |     log_packet_header = no
freeradius-1  |   }
freeradius-1  |   # Loading module "post_proxy_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   detail post_proxy_log {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
freeradius-1  |     header = "%t"
freeradius-1  |     permissions = 384
freeradius-1  |     locking = no
freeradius-1  |     dates_as_integer = no
freeradius-1  |     escape_filenames = no
freeradius-1  |     log_packet_header = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_soh
freeradius-1  |   # Loading module "soh" from file /opt/etc/raddb/mods-enabled/soh
freeradius-1  |   soh {
freeradius-1  |     dhcp = yes
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_logintime
freeradius-1  |   # Loading module "logintime" from file /opt/etc/raddb/mods-enabled/logintime
freeradius-1  |   logintime {
freeradius-1  |     minimum_timeout = 60
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_pap
freeradius-1  |   # Loading module "pap" from file /opt/etc/raddb/mods-enabled/pap
freeradius-1  |   pap {
freeradius-1  |     normalise = yes
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_digest
freeradius-1  |   # Loading module "digest" from file /opt/etc/raddb/mods-enabled/digest
freeradius-1  |   # Loaded module rlm_always
freeradius-1  |   # Loading module "reject" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always reject {
freeradius-1  |     rcode = "reject"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "fail" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always fail {
freeradius-1  |     rcode = "fail"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "ok" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always ok {
freeradius-1  |     rcode = "ok"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "handled" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always handled {
freeradius-1  |     rcode = "handled"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "invalid" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always invalid {
freeradius-1  |     rcode = "invalid"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "userlock" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always userlock {
freeradius-1  |     rcode = "userlock"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "notfound" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always notfound {
freeradius-1  |     rcode = "notfound"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "noop" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always noop {
freeradius-1  |     rcode = "noop"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loading module "updated" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   always updated {
freeradius-1  |     rcode = "updated"
freeradius-1  |     simulcount = 0
freeradius-1  |     mpp = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_unix
freeradius-1  |   # Loading module "unix" from file /opt/etc/raddb/mods-enabled/unix
freeradius-1  |   unix {
freeradius-1  |     radwtmp = "/opt/var/log/radius/radwtmp"
freeradius-1  |   }
freeradius-1  | Creating attribute Unix-Group
freeradius-1  |   # Loaded module rlm_totp
freeradius-1  |   # Loading module "totp" from file /opt/etc/raddb/mods-enabled/totp
freeradius-1  |   totp {
freeradius-1  |     time_step = 30
freeradius-1  |     otp_length = 6
freeradius-1  |     lookback_steps = 1
freeradius-1  |     lookback_interval = 30
freeradius-1  |     lookforward_steps = 0
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_linelog
freeradius-1  |   # Loading module "linelog" from file /opt/etc/raddb/mods-enabled/linelog
freeradius-1  |   linelog {
freeradius-1  |     filename = "/opt/var/log/radius/linelog"
freeradius-1  |     escape_filenames = no
freeradius-1  |     syslog_severity = "info"
freeradius-1  |     permissions = 384
freeradius-1  |     format = "This is a log message for %{User-Name}"
freeradius-1  |     reference = "messages.%{%{reply:Packet-Type}:-default}"
freeradius-1  |   }
freeradius-1  |   # Loading module "log_accounting" from file /opt/etc/raddb/mods-enabled/linelog
freeradius-1  |   linelog log_accounting {
freeradius-1  |     filename = "/opt/var/log/radius/linelog-accounting"
freeradius-1  |     escape_filenames = no
freeradius-1  |     syslog_severity = "info"
freeradius-1  |     permissions = 384
freeradius-1  |     format = ""
freeradius-1  |     reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_expiration
freeradius-1  |   # Loading module "expiration" from file /opt/etc/raddb/mods-enabled/expiration
freeradius-1  |   # Loaded module rlm_radutmp
freeradius-1  |   # Loading module "radutmp" from file /opt/etc/raddb/mods-enabled/radutmp
freeradius-1  |   radutmp {
freeradius-1  |     filename = "/opt/var/log/radius/radutmp"
freeradius-1  |     username = "%{User-Name}"
freeradius-1  |     case_sensitive = yes
freeradius-1  |     check_with_nas = yes
freeradius-1  |     permissions = 384
freeradius-1  |     caller_id = yes
freeradius-1  |   }
freeradius-1  |   # Loading module "sradutmp" from file /opt/etc/raddb/mods-enabled/sradutmp
freeradius-1  |   radutmp sradutmp {
freeradius-1  |     filename = "/opt/var/log/radius/sradutmp"
freeradius-1  |     username = "%{User-Name}"
freeradius-1  |     case_sensitive = yes
freeradius-1  |     check_with_nas = yes
freeradius-1  |     permissions = 420
freeradius-1  |     caller_id = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_replicate
freeradius-1  |   # Loading module "replicate" from file /opt/etc/raddb/mods-enabled/replicate
freeradius-1  |   # Loaded module rlm_utf8
freeradius-1  |   # Loading module "utf8" from file /opt/etc/raddb/mods-enabled/utf8
freeradius-1  |   # Loaded module rlm_date
freeradius-1  |   # Loading module "date" from file /opt/etc/raddb/mods-enabled/date
freeradius-1  |   date {
freeradius-1  |     format = "%b %e %Y %H:%M:%S %Z"
freeradius-1  |     utc = no
freeradius-1  |   }
freeradius-1  |   # Loading module "wispr2date" from file /opt/etc/raddb/mods-enabled/date
freeradius-1  |   date wispr2date {
freeradius-1  |     format = "%Y-%m-%dT%H:%M:%S"
freeradius-1  |     utc = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_preprocess
freeradius-1  |   # Loading module "preprocess" from file /opt/etc/raddb/mods-enabled/preprocess
freeradius-1  |   preprocess {
freeradius-1  |     huntgroups = "/opt/etc/raddb/mods-config/preprocess/huntgroups"
freeradius-1  |     hints = "/opt/etc/raddb/mods-config/preprocess/hints"
freeradius-1  |     with_ascend_hack = no
freeradius-1  |     ascend_channels_per_line = 23
freeradius-1  |     with_ntdomain_hack = no
freeradius-1  |     with_specialix_jetstream_hack = no
freeradius-1  |     with_cisco_vsa_hack = no
freeradius-1  |     with_alvarion_vsa_hack = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_exec
freeradius-1  |   # Loading module "exec" from file /opt/etc/raddb/mods-enabled/exec
freeradius-1  |   exec {
freeradius-1  |     wait = no
freeradius-1  |     input_pairs = "request"
freeradius-1  |     shell_escape = yes
freeradius-1  |     timeout = 10
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_realm
freeradius-1  |   # Loading module "IPASS" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   realm IPASS {
freeradius-1  |     format = "prefix"
freeradius-1  |     delimiter = "/"
freeradius-1  |     ignore_default = no
freeradius-1  |     ignore_null = no
freeradius-1  |   }
freeradius-1  |   # Loading module "suffix" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   realm suffix {
freeradius-1  |     format = "suffix"
freeradius-1  |     delimiter = "@"
freeradius-1  |     ignore_default = no
freeradius-1  |     ignore_null = no
freeradius-1  |   }
freeradius-1  |   # Loading module "bangpath" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   realm bangpath {
freeradius-1  |     format = "prefix"
freeradius-1  |     delimiter = "!"
freeradius-1  |     ignore_default = no
freeradius-1  |     ignore_null = no
freeradius-1  |   }
freeradius-1  |   # Loading module "realmpercent" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   realm realmpercent {
freeradius-1  |     format = "suffix"
freeradius-1  |     delimiter = "%"
freeradius-1  |     ignore_default = no
freeradius-1  |     ignore_null = no
freeradius-1  |   }
freeradius-1  |   # Loading module "ntdomain" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   realm ntdomain {
freeradius-1  |     format = "prefix"
freeradius-1  |     delimiter = "\"
freeradius-1  |     ignore_default = no
freeradius-1  |     ignore_null = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_files
freeradius-1  |   # Loading module "files" from file /opt/etc/raddb/mods-enabled/files
freeradius-1  |   files {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/files/authorize"
freeradius-1  |     acctusersfile = "/opt/etc/raddb/mods-config/files/accounting"
freeradius-1  |     preproxy_usersfile = "/opt/etc/raddb/mods-config/files/pre-proxy"
freeradius-1  |   }
freeradius-1  |   # Loading module "detail" from file /opt/etc/raddb/mods-enabled/detail
freeradius-1  |   detail {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
freeradius-1  |     header = "%t"
freeradius-1  |     permissions = 384
freeradius-1  |     locking = no
freeradius-1  |     dates_as_integer = no
freeradius-1  |     escape_filenames = no
freeradius-1  |     log_packet_header = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_attr_filter
freeradius-1  |   # Loading module "attr_filter.post-proxy" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  |   attr_filter attr_filter.post-proxy {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/attr_filter/post-proxy"
freeradius-1  |     key = "%{Realm}"
freeradius-1  |     relaxed = no
freeradius-1  |   }
freeradius-1  |   # Loading module "attr_filter.pre-proxy" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  |   attr_filter attr_filter.pre-proxy {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/attr_filter/pre-proxy"
freeradius-1  |     key = "%{Realm}"
freeradius-1  |     relaxed = no
freeradius-1  |   }
freeradius-1  |   # Loading module "attr_filter.access_reject" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  |   attr_filter attr_filter.access_reject {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/attr_filter/access_reject"
freeradius-1  |     key = "%{User-Name}"
freeradius-1  |     relaxed = no
freeradius-1  |   }
freeradius-1  |   # Loading module "attr_filter.access_challenge" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  |   attr_filter attr_filter.access_challenge {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/attr_filter/access_challenge"
freeradius-1  |     key = "%{User-Name}"
freeradius-1  |     relaxed = no
freeradius-1  |   }
freeradius-1  |   # Loading module "attr_filter.accounting_response" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  |   attr_filter attr_filter.accounting_response {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/attr_filter/accounting_response"
freeradius-1  |     key = "%{User-Name}"
freeradius-1  |     relaxed = no
freeradius-1  |   }
freeradius-1  |   # Loading module "attr_filter.coa" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  |   attr_filter attr_filter.coa {
freeradius-1  |     filename = "/opt/etc/raddb/mods-config/attr_filter/coa"
freeradius-1  |     key = "%{User-Name}"
freeradius-1  |     relaxed = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_unpack
freeradius-1  |   # Loading module "unpack" from file /opt/etc/raddb/mods-enabled/unpack
freeradius-1  |   # Loaded module rlm_dynamic_clients
freeradius-1  |   # Loading module "dynamic_clients" from file /opt/etc/raddb/mods-enabled/dynamic_clients
freeradius-1  |   # Loaded module rlm_mschap
freeradius-1  |   # Loading module "mschap" from file /opt/etc/raddb/mods-enabled/mschap
freeradius-1  |   mschap {
freeradius-1  |     use_mppe = yes
freeradius-1  |     require_encryption = no
freeradius-1  |     require_strong = no
freeradius-1  |     with_ntdomain_hack = yes
freeradius-1  |    passchange {
freeradius-1  |    }
freeradius-1  |     allow_retry = yes
freeradius-1  |     winbind_retry_with_normalised_username = no
freeradius-1  |   }
freeradius-1  |   # Loading module "echo" from file /opt/etc/raddb/mods-enabled/echo
freeradius-1  |   exec echo {
freeradius-1  |     wait = yes
freeradius-1  |     program = "/bin/echo %{User-Name}"
freeradius-1  |     input_pairs = "request"
freeradius-1  |     output_pairs = "reply"
freeradius-1  |     shell_escape = yes
freeradius-1  |   }
freeradius-1  |   # Loading module "ntlm_auth" from file /opt/etc/raddb/mods-enabled/ntlm_auth
freeradius-1  |   exec ntlm_auth {
freeradius-1  |     wait = yes
freeradius-1  |     program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
freeradius-1  |     shell_escape = yes
freeradius-1  |   }
freeradius-1  |   # Loading module "detail_coa" from file /opt/etc/raddb/mods-enabled/detail_coa
freeradius-1  |   detail detail_coa {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/detail_coa"
freeradius-1  |     header = "%t"
freeradius-1  |     permissions = 384
freeradius-1  |     locking = yes
freeradius-1  |     dates_as_integer = no
freeradius-1  |     escape_filenames = no
freeradius-1  |     log_packet_header = no
freeradius-1  |   }
freeradius-1  |   # Loaded module rlm_sql
freeradius-1  |   # Loading module "sql" from file /opt/etc/raddb/mods-enabled/sql
freeradius-1  |   sql {
freeradius-1  |     driver = "rlm_sql_null"
freeradius-1  |     server = ""
freeradius-1  |     port = 0
freeradius-1  |     login = ""
freeradius-1  |     password = <<< secret >>>
freeradius-1  |     radius_db = "radius"
freeradius-1  |     read_groups = yes
freeradius-1  |     read_profiles = yes
freeradius-1  |     read_clients = no
freeradius-1  |     delete_stale_sessions = yes
freeradius-1  |     sql_user_name = "%{User-Name}"
freeradius-1  |     default_user_profile = ""
freeradius-1  |     client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
freeradius-1  |     authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
freeradius-1  |     authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
freeradius-1  |     authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
freeradius-1  |     authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
freeradius-1  |     group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
freeradius-1  |     simul_count_query = "SELECT COUNT(*) FROM radacct a LEFT OUTER JOIN nasreload n USING (nasipaddress) WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL)"
freeradius-1  |     simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct a LEFT OUTER JOIN nasreload n USING (nasipaddress) WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL)"
freeradius-1  |     safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
freeradius-1  |     auto_escape = no
freeradius-1  |    accounting {
freeradius-1  |     reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
freeradius-1  |     type {
freeradius-1  |      accounting-on {
freeradius-1  |         query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-%l}, acctsessiontime   = (%{%{integer:Event-Timestamp}:-%l} - acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{%{integer:Event-Timestamp}:-%l}"
freeradius-1  |      }
freeradius-1  |      accounting-off {
freeradius-1  |         query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-%l}, acctsessiontime   = (%{%{integer:Event-Timestamp}:-%l} - acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{%{integer:Event-Timestamp}:-%l}"
freeradius-1  |      }
freeradius-1  |      start {
freeradius-1  |         query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix ) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-%l}, %{%{integer:Event-Timestamp}:-%l}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}' )"
freeradius-1  |      }
freeradius-1  |      interim-update {
freeradius-1  |         query = "UPDATE radacct SET acctupdatetime  = %{%{integer:Event-Timestamp}:-%l}, acctinterval    = 0, framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
freeradius-1  |      }
freeradius-1  |      stop {
freeradius-1  |         query = "UPDATE radacct SET acctstoptime    = %{%{integer:Event-Timestamp}:-%l}, acctsessiontime    = %{%{Acct-Session-Time}:-NULL}, acctinputoctets    = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
freeradius-1  |      }
freeradius-1  |     }
freeradius-1  |    }
freeradius-1  |    post-auth {
freeradius-1  |     reference = ".query"
freeradius-1  |     query = "INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )"
freeradius-1  |    }
freeradius-1  |   }
freeradius-1  | rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
freeradius-1  | Creating attribute SQL-Group
freeradius-1  |   instantiate {
freeradius-1  |   }
freeradius-1  |   # Instantiating module "etc_passwd" from file /opt/etc/raddb/mods-enabled/passwd
freeradius-1  | rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
freeradius-1  |   # Instantiating module "eap" from file /opt/etc/raddb/mods-enabled/eap
freeradius-1  |    # Linked to sub-module rlm_eap_md5
freeradius-1  |    # Linked to sub-module rlm_eap_gtc
freeradius-1  |    gtc {
freeradius-1  |     challenge = "Password: "
freeradius-1  |     auth_type = "PAP"
freeradius-1  |    }
freeradius-1  |    # Linked to sub-module rlm_eap_tls
freeradius-1  |    tls {
freeradius-1  |     tls = "tls-common"
freeradius-1  |    }
freeradius-1  |    tls-config tls-common {
freeradius-1  |     verify_depth = 0
freeradius-1  |     ca_path = "/opt/etc/raddb/certs"
freeradius-1  |     pem_file_type = yes
freeradius-1  |     private_key_file = "/opt/etc/raddb/certs/server.pem"
freeradius-1  |     certificate_file = "/opt/etc/raddb/certs/server.pem"
freeradius-1  |     ca_file = "/opt/etc/raddb/certs/ca.pem"
freeradius-1  |     private_key_password = <<< secret >>>
freeradius-1  |     fragment_size = 1024
freeradius-1  |     include_length = yes
freeradius-1  |     auto_chain = yes
freeradius-1  |     check_crl = no
freeradius-1  |     check_all_crl = no
freeradius-1  |     ca_path_reload_interval = 0
freeradius-1  |     cipher_list = "DEFAULT"
freeradius-1  |     cipher_server_preference = no
freeradius-1  |     reject_unknown_intermediate_ca = no
freeradius-1  |     ecdh_curve = ""
freeradius-1  |     tls_max_version = "1.2"
freeradius-1  |     tls_min_version = "1.2"
freeradius-1  |     cache {
freeradius-1  |         enable = no
freeradius-1  |         lifetime = 24
freeradius-1  |         max_entries = 255
freeradius-1  |     }
freeradius-1  |     verify {
freeradius-1  |         skip_if_ocsp_ok = no
freeradius-1  |     }
freeradius-1  |     ocsp {
freeradius-1  |         enable = no
freeradius-1  |         override_cert_url = yes
freeradius-1  |         url = "http://127.0.0.1/ocsp/"
freeradius-1  |         use_nonce = yes
freeradius-1  |         timeout = 0
freeradius-1  |         softfail = no
freeradius-1  |     }
freeradius-1  |    }
freeradius-1  |    # Linked to sub-module rlm_eap_ttls
freeradius-1  |    ttls {
freeradius-1  |     tls = "tls-common"
freeradius-1  |     default_eap_type = "md5"
freeradius-1  |     copy_request_to_tunnel = no
freeradius-1  |     use_tunneled_reply = no
freeradius-1  |     virtual_server = "inner-tunnel"
freeradius-1  |     include_length = yes
freeradius-1  |     require_client_cert = no
freeradius-1  |    }
freeradius-1  | tls: Using cached TLS configuration from previous invocation
freeradius-1  |    # Linked to sub-module rlm_eap_peap
freeradius-1  |    peap {
freeradius-1  |     tls = "tls-common"
freeradius-1  |     default_eap_type = "mschapv2"
freeradius-1  |     copy_request_to_tunnel = no
freeradius-1  |     use_tunneled_reply = no
freeradius-1  |     proxy_tunneled_request_as_eap = yes
freeradius-1  |     virtual_server = "inner-tunnel"
freeradius-1  |     soh = no
freeradius-1  |     require_client_cert = no
freeradius-1  |    }
freeradius-1  | tls: Using cached TLS configuration from previous invocation
freeradius-1  |    # Linked to sub-module rlm_eap_mschapv2
freeradius-1  |    mschapv2 {
freeradius-1  |     with_ntdomain_hack = no
freeradius-1  |     send_error = no
freeradius-1  |    }
freeradius-1  |   # Instantiating module "auth_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  | rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
freeradius-1  |   # Instantiating module "reply_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   # Instantiating module "pre_proxy_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   # Instantiating module "post_proxy_log" from file /opt/etc/raddb/mods-enabled/detail.log
freeradius-1  |   # Instantiating module "logintime" from file /opt/etc/raddb/mods-enabled/logintime
freeradius-1  |   # Instantiating module "pap" from file /opt/etc/raddb/mods-enabled/pap
freeradius-1  |   # Instantiating module "reject" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "fail" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "ok" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "handled" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "invalid" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "userlock" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "notfound" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "noop" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "updated" from file /opt/etc/raddb/mods-enabled/always
freeradius-1  |   # Instantiating module "totp" from file /opt/etc/raddb/mods-enabled/totp
freeradius-1  |   # Instantiating module "linelog" from file /opt/etc/raddb/mods-enabled/linelog
freeradius-1  |   # Instantiating module "log_accounting" from file /opt/etc/raddb/mods-enabled/linelog
freeradius-1  |   # Instantiating module "expiration" from file /opt/etc/raddb/mods-enabled/expiration
freeradius-1  |   # Instantiating module "preprocess" from file /opt/etc/raddb/mods-enabled/preprocess
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/preprocess/huntgroups
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/preprocess/hints
freeradius-1  |   # Instantiating module "IPASS" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   # Instantiating module "suffix" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   # Instantiating module "bangpath" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   # Instantiating module "realmpercent" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   # Instantiating module "ntdomain" from file /opt/etc/raddb/mods-enabled/realm
freeradius-1  |   # Instantiating module "files" from file /opt/etc/raddb/mods-enabled/files
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/files/authorize
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/files/accounting
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/files/pre-proxy
freeradius-1  |   # Instantiating module "detail" from file /opt/etc/raddb/mods-enabled/detail
freeradius-1  |   # Instantiating module "attr_filter.post-proxy" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/attr_filter/post-proxy
freeradius-1  |   # Instantiating module "attr_filter.pre-proxy" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/attr_filter/pre-proxy
freeradius-1  |   # Instantiating module "attr_filter.access_reject" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/attr_filter/access_reject
freeradius-1  |   # Instantiating module "attr_filter.access_challenge" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/attr_filter/access_challenge
freeradius-1  |   # Instantiating module "attr_filter.accounting_response" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/attr_filter/accounting_response
freeradius-1  |   # Instantiating module "attr_filter.coa" from file /opt/etc/raddb/mods-enabled/attr_filter
freeradius-1  | reading pairlist file /opt/etc/raddb/mods-config/attr_filter/coa
freeradius-1  |   # Instantiating module "mschap" from file /opt/etc/raddb/mods-enabled/mschap
freeradius-1  | rlm_mschap (mschap): using internal authentication
freeradius-1  |   # Instantiating module "detail_coa" from file /opt/etc/raddb/mods-enabled/detail_coa
freeradius-1  |   # Instantiating module "sql" from file /opt/etc/raddb/mods-enabled/sql
freeradius-1  | rlm_sql (sql): Attempting to connect to database "radius"
freeradius-1  | rlm_sql (sql): Initialising connection pool
freeradius-1  |    pool {
freeradius-1  |     start = 5
freeradius-1  |     min = 3
freeradius-1  |     max = 32
freeradius-1  |     spare = 10
freeradius-1  |     uses = 0
freeradius-1  |     lifetime = 0
freeradius-1  |     cleanup_interval = 30
freeradius-1  |     idle_timeout = 60
freeradius-1  |     retry_delay = 30
freeradius-1  |     max_retries = 5
freeradius-1  |     spread = no
freeradius-1  |    }
freeradius-1  | rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
freeradius-1  | rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
freeradius-1  | rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
freeradius-1  | rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
freeradius-1  | rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
freeradius-1  |  } # modules
freeradius-1  | radiusd: #### Loading Virtual Servers ####
freeradius-1  | server { # from file /opt/etc/raddb/radiusd.conf
freeradius-1  | } # server
freeradius-1  | server inner-tunnel { # from file /opt/etc/raddb/sites-enabled/inner-tunnel
freeradius-1  |  # Loading authenticate {...}
freeradius-1  | Compiling Auth-Type PAP for attr Auth-Type
freeradius-1  | Compiling Auth-Type CHAP for attr Auth-Type
freeradius-1  | Compiling Auth-Type MS-CHAP for attr Auth-Type
freeradius-1  |  # Loading authorize {...}
freeradius-1  | Ignoring "ldap" (see raddb/mods-available/README.rst)
freeradius-1  |  # Loading session {...}
freeradius-1  |  # Loading post-proxy {...}
freeradius-1  |  # Loading post-auth {...}
freeradius-1  |  # Skipping contents of 'if' as it is always 'false' -- /opt/etc/raddb/sites-enabled/inner-tunnel:366
freeradius-1  | Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
freeradius-1  | } # server inner-tunnel
freeradius-1  | server default { # from file /opt/etc/raddb/sites-enabled/default
freeradius-1  |  # Loading authenticate {...}
freeradius-1  | Compiling Auth-Type PAP for attr Auth-Type
freeradius-1  | Compiling Auth-Type CHAP for attr Auth-Type
freeradius-1  | Compiling Auth-Type MS-CHAP for attr Auth-Type
freeradius-1  |  # Loading authorize {...}
freeradius-1  | Compiling Autz-Type New-TLS-Connection for attr Autz-Type
freeradius-1  |  # Loading preacct {...}
freeradius-1  |  # Loading accounting {...}
freeradius-1  |  # Loading post-proxy {...}
freeradius-1  |  # Loading post-auth {...}
freeradius-1  | Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
freeradius-1  | Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
freeradius-1  | Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
freeradius-1  | } # server default
freeradius-1  | server coa { # from file /opt/etc/raddb/sites-enabled/coa
freeradius-1  |  # Loading recv-coa {...}
freeradius-1  | } # server coa
freeradius-1  | server coa-buffered-reader { # from file /opt/etc/raddb/sites-enabled/coa
freeradius-1  |  # Loading accounting {...}
freeradius-1  | } # server coa-buffered-reader
freeradius-1  | server originate-coa-relay { # from file /opt/etc/raddb/sites-enabled/coa
freeradius-1  |  # Loading post-proxy {...}
freeradius-1  | Compiling Post-Proxy-Type Fail-CoA for attr Post-Proxy-Type
freeradius-1  | Compiling Post-Proxy-Type Fail-Disconnect for attr Post-Proxy-Type
freeradius-1  | } # server originate-coa-relay
freeradius-1  | radiusd: #### Opening IP addresses and Ports ####
freeradius-1  | listen {
freeradius-1  |     type = "coa"
freeradius-1  |     virtual_server = "coa"
freeradius-1  |     ipaddr = *
freeradius-1  |     port = 3799
freeradius-1  | }
freeradius-1  | listen {
freeradius-1  |     type = "auth"
freeradius-1  |     ipaddr = 127.0.0.1
freeradius-1  |     port = 18120
freeradius-1  | }
freeradius-1  | listen {
freeradius-1  |     type = "auth"
freeradius-1  |     ipaddr = *
freeradius-1  |     port = 0
freeradius-1  |    limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |    }
freeradius-1  | }
freeradius-1  | listen {
freeradius-1  |     type = "acct"
freeradius-1  |     ipaddr = *
freeradius-1  |     port = 0
freeradius-1  |    limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |    }
freeradius-1  | }
freeradius-1  | listen {
freeradius-1  |     type = "auth"
freeradius-1  |     ipv6addr = ::
freeradius-1  |     port = 0
freeradius-1  |    limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |    }
freeradius-1  | }
freeradius-1  | listen {
freeradius-1  |     type = "acct"
freeradius-1  |     ipv6addr = ::
freeradius-1  |     port = 0
freeradius-1  |    limit {
freeradius-1  |     max_connections = 16
freeradius-1  |     lifetime = 0
freeradius-1  |     idle_timeout = 30
freeradius-1  |    }
freeradius-1  | }
freeradius-1  | listen {
freeradius-1  |     type = "detail"
freeradius-1  |   listen {
freeradius-1  |     filename = "/opt/var/log/radius/radacct/detail_coa"
freeradius-1  |     load_factor = 90
freeradius-1  |     poll_interval = 1
freeradius-1  |     retry_interval = 30
freeradius-1  |     one_shot = no
freeradius-1  |     track = yes
freeradius-1  |   }
freeradius-1  | }
freeradius-1  | Listening on coa address * port 3799 bound to server coa
freeradius-1  | Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
freeradius-1  | Listening on auth address * port 1812 bound to server default
freeradius-1  | Listening on acct address * port 1813 bound to server default
freeradius-1  | Listening on auth address :: port 1812 bound to server default
freeradius-1  | Listening on acct address :: port 1813 bound to server default
freeradius-1  | Listening on detail file /opt/var/log/radius/radacct/detail_coa as server coa-buffered-reader
freeradius-1  | Listening on proxy address * port 58303
freeradius-1  | Listening on proxy address :: port 56906
freeradius-1  | Ready to process requests
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 1.240370 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 1.118034 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 1.014187 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 0.796534 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 0.779417 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 1.231089 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 0.787711 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 0.914939 sec
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Polling for detail file
freeradius-1  | detail (/opt/var/log/radius/radacct/detail_coa): Detail listener state unopened waiting 1.193919 sec
freeradius-1  | (0) Received Disconnect-Request Id 133 from 172.19.0.1:58912 to 172.19.0.2:3799 length 35
freeradius-1  | Dropping packet without response because of error: Received Disconnect-Request packet from client 172.19.0.1 with invalid Request Authenticator!  (Shared secret is incorrect.) (from client 172.19.0.1)
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.19.0.1 port 58912 - ID: 133 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.3 seconds.

Relevant log output from client utilities

time echo 'Acct-Session-Id = "769df3 312343"' | radclient localhost:3799 disconnect devs3cr3t! -x -d configs/radius/
Sent Disconnect-Request Id 133 from 0.0.0.0:58912 to 127.0.0.1:3799 length 35
        Acct-Session-Id = "769df3 312343"

Backtrace from LLDB or GDB

No response
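As an added example (not FreeRADIUS or radclient code), the defender-side pieces behind the two log lines above: building the Disconnect-Request that radclient sent (Id 133, the Acct-Session-Id from the command, secret devs3cr3t!), checking its Request Authenticator per RFC 5176 against that secret and against a different one (the "Shared secret is incorrect" case), and classifying retransmits by (client, port, Id) per RFC 5080 so the entry is released once the request is dropped. The DuplicateTracker and demo function are constructed here and make no claim about FreeRADIUS's internal implementation.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40        # RFC 5176 packet code
ATTR_ACCT_SESSION_ID = 44      # RFC 2866 attribute type


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_disconnect_request(ident, attrs, secret):
    """Return the on-the-wire Disconnect-Request.

    RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """Recompute the Request Authenticator under the candidate secret; a
    mismatch is the 'invalid Request Authenticator!' case in the log."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


class DuplicateTracker:
    """In-flight requests keyed on (client address, source port, Identifier).

    RFC 5080 section 2.2.2: same key and same Request Authenticator is a
    retransmit; a different authenticator is a new request reusing the Id.
    Entries must be released when a request finishes, answered or dropped.
    """

    def __init__(self):
        self._inflight = {}

    def classify(self, src, packet):
        key = (src[0], src[1], packet[1])
        authenticator = packet[4:20]
        if self._inflight.get(key) == authenticator:
            return "retransmit"
        self._inflight[key] = authenticator
        return "new"

    def finish(self, src, packet):
        """Forget the request once it has been answered or dropped."""
        self._inflight.pop((src[0], src[1], packet[1]), None)


def demo():
    """Replay the exchange from the log: client 172.19.0.1:58912, Id 133."""
    client = ("172.19.0.1", 58912)
    pkt = build_disconnect_request(
        133, [(ATTR_ACCT_SESSION_ID, b"769df3 312343")], b"devs3cr3t!")
    tracker = DuplicateTracker()
    results = {
        "length": len(pkt),                                   # 35, as logged
        "client_secret_ok": verify_request_authenticator(pkt, b"devs3cr3t!"),
        "server_secret_ok": verify_request_authenticator(pkt, b"secret123"),
        "first": tracker.classify(client, pkt),
        "retry_before_finish": tracker.classify(client, pkt),
    }
    tracker.finish(client, pkt)   # a drop-without-response must still release
    results["retry_after_finish"] = tracker.classify(client, pkt)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```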

BSpendlove commented 2 months ago

My docker-compose file I am testing this with:

services:
  freeradius:
    image: freeradius/freeradius-server:3.2.5-alpine
    command: -X
    ports:
      - "1812:1812/udp"
      - "1813:1813/udp"
      - "3799:3799/udp"
    volumes:
      - "${PWD}/test:/etc/raddb/sites-enabled/coa" # just the coa-relay within v3.2.x branch -> sites-available/coa_relay
      - "${PWD}/configs/radius/clients.conf:/etc/raddb/clients.conf" # just 2 clients configured with the secret below
      - "${PWD}/detail_coa:/etc/raddb/mods-enabled/detail_coa" # detail_coa example from the sites-available/coa_relay L64
      - "${PWD}/sql:/etc/raddb/mods-enabled/sql" # same sql file inside v3.2.x branch -> mods-available/sql
    environment:
      RADIUS_SECRET: "secret123"
      RADIUS_STATUS_SECRET: "adminsecret"
    restart: always

If I send an initial authentication packet like so:

time echo "User-Name=bad-username-example" | radclient localhost:1812 auth secret123 -x
Sent Access-Request Id 76 from 0.0.0.0:43455 to 127.0.0.1:1812 length 42
        User-Name = "bad-username-example"

then send a COA packet or disconnect packet, everything works fine and the packet doesn't end up getting duplicated by freeradius. Even if I send a packet with a bad secret!

alandekok commented 2 months ago

Please try the v3.2.x branch. I've pushed a patch which should fix this.

BSpendlove commented 2 months ago

Hi, I've just tried v3.2.x and with a correct secret I get this after sending a COA disconnect when the container starts:

freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1  | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205

With a wrong secret I get:

freeradius-1  | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.5 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.5 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.5 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.5 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module 
freeradius-1  | Waking up in 0.5 seconds.
freeradius-1  | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module 

If there are any logs or commands you would like me to run then please do let me know! Thanks

alandekok commented 2 months ago

I've pushed a fix.