Re: openLDAP authorization with PAP authentication

2012-01-20 Thread Alan DeKok
Jay Ludlow wrote:
> I am very new to radius, and I am having a problem configuring radius to
> authenticate by checking my already running openldap server for
> authorization and then using PAP for authentication.

  I suggest formatting your post in paragraphs to clearly delineate
ideas.  Right now, it's just a wall of pale blue text.  That makes it
hard for people to read your message, and therefore hard for people to
help you.

  In short, you are logging in with a username that appears in
/etc/passwd.  FreeRADIUS is using the password taken from there, instead
of the password from LDAP.

  Edit raddb/sites-available/default, and remove the "unix" entry from
the "authorize" section.  After that, it will start using the password
from LDAP.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Alan DeKok
NdK wrote:
>>   The radclient program has since been updated.
> Then it could be better to update that page, since it's the reference
> for all newbies that try to make it work.

  Yeah, I've gone and fixed that.  "git" is nice for updating web pages.

> "It *should* work" is more correct :(
> There still are many things that can go wrong.

  If it doesn't work, the web pages explain which part to blame.  99% of
the time, it's a bug in someone else's software.

  Alan DeKok.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread NdK
Il 20/01/2012 19:44, Alan DeKok ha scritto:

>   The radclient program has since been updated.
Then it could be better to update that page, since it's the reference
for all newbies that try to make it work.

>   You hard-coded it to *always* do NTLM authentication, using the PAP
> credentials.  Then you sent it a request which didn't contain a
> cleartext password.
That's easy, it's on the page: remove the DEFAULT added for testing :)

>   Again, the guide explains this in great detail.  Follow it, and it
> will work.
"It *should* work" is more correct :(
There still are many things that can go wrong.

BYtE,
 Diego.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Alan DeKok
Dhiraj Gaur wrote:
> "Start the server and use a test client to send an MS-CHAP
> authentication request. The |radclient| cannot currently be used to send
> this request, unfortunately, which makes testing a little difficult If
> everything goes well, you should see the server returning an
> Access-Accept message as above."

  The radclient program has since been updated.

> Hence I was of the view radtest cannot work for MS-CHAP authentication.

  Sure.  However, see "radtest -h".  If you're running a recent version,
it will tell you it can do MS-CHAP.

> Request you to point me to the right link and way to do the MS-CHAP
> procedure and testing the same through radtest. I could not understand
> "There's no User-Password in MS-CHAP."

  You hard-coded it to *always* do NTLM authentication, using the PAP
credentials.  Then you sent it a request which didn't contain a
cleartext password.

  Again, the guide explains this in great detail.  Follow it, and it
will work.

  Alan DeKok.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread NdK
Il 20/01/2012 17:17, Dhiraj Gaur ha scritto:

> Thanks for the reply. I already followed your site and was able to make
> ntlm_auth work. For MS-CHAP the AD page of your site says
> 
> "Start the server and use a test client to send an MS-CHAP
> authentication request. The |radclient| cannot currently be used to send
> this request, unfortunately, which makes testing a little difficult If
> everything goes well, you should see the server returning an
> Access-Accept message as above."
Been there too.
But after that I tested with eapol_test from wpa_supplicant. With
negative results :(

> Hence I was of the view radtest cannot work for MS-CHAP authentication.
> Request you to point me to the right link and way to do the MS-CHAP
> procedure and testing the same through radtest. I could not understand
> "There's no User-Password in MS-CHAP."
It's not sent to the server, so you can't use --pass= for ntlm_auth.
It's only used to encrypt the challenge.


BYtE,
 Diego.
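The point Alan and Diego make above (ntlm_auth with --password only works for PAP, because an MS-CHAP request carries no User-Password, only a challenge and the client's NT-Response, so it has to be verified through the mschap module) written out as an added configuration sketch. It is not the thread's or the deployingradius guide's text; the ntlm_auth path, the domain EXAMPLEDOM, and the section excerpts are assumptions.

```conf
# raddb/modules/ntlm_auth -- PAP path. Only usable when the request
# carries a cleartext User-Password, as the first expansion in the log
# shows. Path and domain below are placeholders, not values from the thread.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/modules/mschap -- MS-CHAP / EAP-MSCHAPv2 path. The client never
# sends its password; it sends NT-Response = f(password, challenge), so
# ntlm_auth is handed the challenge and that response and asks the DC to
# verify them. No %{User-Password} appears here at all.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# raddb/users -- the guide's test entry. It pins EVERY request to the
# PAP path, so for an MS-CHAP request --password= expands to nothing and
# ntlm_auth is asked to check an empty password. Delete it once the
# PAP test has passed:
#
#   DEFAULT   Auth-Type = ntlm_auth

# raddb/sites-available/default (excerpts, assumed layout). With the test
# entry gone, "mschap" in authorize sets Auth-Type = MS-CHAP whenever it
# sees MS-CHAP attributes, and only requests that actually carry a
# User-Password are routed to the exec module.
authorize {
	preprocess
	mschap
	suffix
	eap
	files
	if (!control:Auth-Type && User-Password) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
	pap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type ntlm_auth {
		ntlm_auth
	}
	eap
}
```

Running "radiusd -X" and sending one PAP and one MS-CHAP request with radclient shows the two paths: the PAP request expands --password, the MS-CHAP request expands --challenge and --nt-response instead.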


Re: Distributing Certificates

2012-01-20 Thread Phil Mayers

On 01/20/2012 02:36 PM, Alan Buxey wrote:

> CA distribution was always the issue for private CA - but most sites now go for
> using a deployment tool of some kind to get clients set up - and all of them
> can deal with installing a CA, so that's a problem gone.  the system is
> closed-loop, visitors never need to trust your RADIUS server cert...only your
> own folk do - so why use public in this space?


Couple of things to note:

Firstly, *if* you are using a public CA you should try very, very hard 
to ensure your clients are checking the cert CN. This somewhat 
alleviates the "anyone can buy a cert" risk.


Secondly, there's not much point in going for a "super cheap" public CA. 
You only need one cert, and don't need very esoteric options like EV or 
multiple subjectAltNames. This keeps the cost reasonably sane, and 
therefore you might as well shell out for a Verisign (or similar) one.


Doing that gives you a slightly better chance the CA will not hand out 
random crap to attackers, and *much* better probability the CA will be 
present on clients already.


You mention "most sites use a deployment tool". I'd be interested to see 
numbers on that, but it's probably OT for the list.


As I've said previously - people thinking of using a public CA should be 
very sure they understand and accept the risks. I agree the safe default 
is to use a private CA.



Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Dhiraj Gaur
HI Alan
Thanks for the reply. I already followed your site and was able to make
ntlm_auth work. For MS-CHAP the AD page of your site says

"Start the server and use a test client to send an MS-CHAP authentication
request. The radclient cannot currently be used to send this request,
unfortunately, which makes testing a little difficult If everything goes
well, you should see the server returning an Access-Accept message
as above."

Hence I was of the view radtest cannot work for MS-CHAP authentication.
Request you to point me to the right link and way to do the MS-CHAP
procedure and testing the same through radtest. I could not understand
"There's no User-Password in MS-CHAP."

Regards
Dhiraj Gaur

On Fri, Jan 20, 2012 at 9:15 PM, Alan DeKok wrote:

> Dhiraj Gaur wrote:
> > I have been trying to implement a radius authentication server at my
> > workplace. The idea is to have all wifi access points authenticate
> > against a radius server.
>
>   That is a common deployment, and should be easy to do.
>
> > The radius server needs to pass authentication to a backend Active
> > Directory server. I have been successful in authenticating wifi users
> > against file based and SQL based authentication in radius. NTLM_AUTH
> > using PAP also works fine, wherein the plaintext password is successfully
> > authenticated against the AD and I get an "Access-Accept". However when
> > I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is
> > not working and I end up in an "Access-Reject".
>
>   CHAP will *not* work with AD.  See my web site:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> > Seems like the
> > ntlm_auth program is not parsing the received encrypted password hence
> > the authentication fails. MSCHAP is a requirement as wifi clients at my
> > place mostly have eap supplicant. (Read in freeradius documentation that
> > eap and ldap don't go hand in hand, I may be wrong at interpreting the
> > same)
>
>   You've misconfigured the server.  You have it trying to do ntlm_auth
> using the User-Password, and then sending it an MS-CHAP authentication.
>  There's no User-Password in MS-CHAP.
>
>  Follow the instructions on my web site for configuring ntlm_auth:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
>  And then follow the other instructions for getting EAP to work.
>
> > The freeradius logs for all the cases are listed below. Radius gurus
> > please point me in the right direction as to make MS_CHAP authentication
> > work over ntlm_auth or ldap (if possible).
> >
> > PS: I did all the testing using JRadius simulator.
>
>   FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP.
>  That should be all you need.
>
>  Alan DeKok.
>



-- 
Regards

Dhiraj Gaur


Re: Microsoft PEAP-EAP-TLS support (certificate auth with SoH)? - works!

2012-01-20 Thread Matthew Newton
Hi,

It's working!

On Fri, Jan 20, 2012 at 08:28:49AM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> > Does anyone know if FreeRADIUS now supports Microsoft
> > PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in
> 
> It's not a widely used feature.

Obviously :-) SoH is the only reasonably sane(?) reason I can
think of for doing EAP-TLS inside PEAP.

>   You'll need to set up *two* instances of the EAP module.  One for the
> outer PEAP session, and a separate one for the inner EAP.

Gotcha - thanks. That wasn't the only thing, but without doing that
it wasn't possible for it to work. Reasoning:

Ultimately, the problem was down to the fact that fragment_size in
the inner TLS (EAP-TLS) must be smaller than that of the outer
(TLS for PEAP).

With two different instances of eap, and a difference of about 50
bytes between the inner and outer fragment sizes, it all works.
I've currently set the inner to the default of 1024, and the outer
to 1200.

Apart from the tls fragment size, the rest of the eap configuration
can be literally identical. Won't do that as it's very untidy, but
it does work.


On Fri, Jan 20, 2012 at 10:50:28AM +, Phil Mayers wrote:
> On 01/20/2012 01:08 AM, Matthew Newton wrote:
> >Is it actually possible to do SoH with certificate-based
> >authentication, or do I have to look towards DHCP for this?
> 
> SoH is a PEAP TLV. If the PEAP module is running, it should support
> SoH regardless of the type of inner-auth.

Yes, thanks - it's working fine. So I now have a stack of cards
that resembles:

PEAP (TLS comes up using main "eap" instantiation)
SoH (happens over PEAP, calls "soh-server" virtual server)
PEAP calls "inner-tunnel" virtual server
-> EAP-TLS (uses secondary "innereap" instantiation of eap)
-> OCSP (checks inner certificate)

For reference, setting

  EAP-TLS-Require-Client-Cert = Yes

just breaks things, as the client refuses to send a certificate at
the PEAP stage.

Thanks for the help!

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
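Matthew's two-instance layout, as an added eap.conf sketch that is neither his actual configuration nor anything shipped with FreeRADIUS: the instance name innereap, the virtual server names and the two fragment sizes come from his message; the certificate paths, the other TLS settings and the OCSP options are assumptions.

```conf
# raddb/eap.conf -- outer instance, terminates the PEAP tunnel.
# Apart from fragment_size the two instances may be identical.
# Certificate paths are placeholders.
eap {
	default_eap_type = peap

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		certificate_file = ${certdir}/server.pem
		private_key_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		# Outer fragments: 1200 bytes. Do not set
		# EAP-TLS-Require-Client-Cert here; the client sends its
		# certificate only inside the tunnel, not at the PEAP stage.
		fragment_size = 1200
		include_length = yes
	}

	peap {
		# The inner method is EAP-TLS, handled by the second instance
		# inside the "inner-tunnel" virtual server.
		default_eap_type = tls
		virtual_server = "inner-tunnel"
		# SoH is a PEAP TLV, so it is handled by this outer instance.
		soh = yes
		soh_virtual_server = "soh-server"
	}
}

# Second instance for the EAP-TLS that runs INSIDE the PEAP tunnel.
# Its TLS records travel inside the outer TLS records, so its fragments
# must be smaller: 1024 here, well over 50 bytes below the outer size.
eap innereap {
	default_eap_type = tls

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		certificate_file = ${certdir}/server.pem
		private_key_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 1024
		include_length = yes

		# Check the client certificate presented in the inner EAP-TLS
		# against the responder named in its AIA extension (assumed
		# settings; Matthew only states that OCSP checks the inner cert).
		ocsp {
			enable = yes
			override_cert_url = no
		}
	}
}

# raddb/sites-available/inner-tunnel (excerpt): the inner virtual server
# calls the second instance, not the outer "eap".
server inner-tunnel {
	authorize {
		innereap {
			ok = return
		}
	}
	authenticate {
		innereap
	}
}
```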


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Alan DeKok
Dhiraj Gaur wrote:
> I have been trying to implement a radius authentication server at my
> workplace. The idea is to have all wifi access points authenticate
> against a radius server.

  That is a common deployment, and should be easy to do.

> The radius server needs to pass authentication to a backend Active
> Directory server. I have been successful in authenticating wifi users
> against file based and SQL based authentication in radius. NTLM_AUTH
> using PAP also works fine, wherein the plaintext password is successfully
> authenticated against the AD and I get an "Access-Accept". However when
> I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is
> not working and I end up in an "Access-Reject".

  CHAP will *not* work with AD.  See my web site:

http://deployingradius.com/documents/protocols/compatibility.html

> Seems like the
> ntlm_auth program is not parsing the received encrypted password hence
> the authentication fails. MSCHAP is a requirement as wifi clients at my
> place mostly have eap supplicant. (Read in freeradius documentation that
> eap and ldap don't go hand in hand, I may be wrong at interpreting the
> same)

  You've misconfigured the server.  You have it trying to do ntlm_auth
using the User-Password, and then sending it an MS-CHAP authentication.
 There's no User-Password in MS-CHAP.

  Follow the instructions on my web site for configuring ntlm_auth:

http://deployingradius.com/documents/configuration/active_directory.html

  And then follow the other instructions for getting EAP to work.

> The freeradius logs for all the cases are listed below. Radius gurus
> please point me in the right direction as to make MS_CHAP authentication
> work over ntlm_auth or ldap (if possible).
> 
> PS: I did all the testing using JRadius simulator.

  FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP.
 That should be all you need.

  Alan DeKok.


Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Dhiraj Gaur
Hi

I have been trying to implement a radius authentication server at my
workplace. The idea is to have all wifi access points authenticate against
a radius server.
The radius server needs to pass authentication to a backend Active
Directory server. I have been successful in authenticating wifi users
against file based and SQL based authentication in radius. NTLM_AUTH using
PAP also works fine, wherein the plaintext password is successfully
authenticated against the AD and I get an "Access-Accept". However when I
pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not
working and I end up in an "Access-Reject". Seems like the ntlm_auth
program is not parsing the received encrypted password hence the
authentication fails. MSCHAP is a requirement as wifi clients at my place
mostly have eap supplicant. (Read in freeradius documentation that eap and
ldap don't go hand in hand, I may be wrong at interpreting the same)

The freeradius logs for all the cases are listed below. Radius gurus please
point me in the right direction as to make MS_CHAP authentication work over
ntlm_auth or ldap (if possible).

PS: I did all the testing using JRadius simulator.

Regards
Dhiraj Gaur

-- LOGS --
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22,
length=69
User-Name = "01546"
User-Password = "xxx" --> (Plain Text password)
NAS-IP-Address = 192.168.0.199
Message-Authenticator = 0x008294e58343b74ea977c228f5b5ec5d
Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]expand:
--password=%{User-Password} -> --password=x --> (We can see the
password in plaintext)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may fail because of this.
Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
--

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
User-Password := [Encrypted String]

NAS-IP-Address := 192.168.0.199
 Message-Authenticator := [Bin

Re: Distributing Certificates

2012-01-20 Thread Alan Buxey
Hi,

> If you're using a private CA for signing the radius server certs, which 
> is generally cited as best practice because it provides belt & braces; 
> in the event a client does not learn & subsequently re-check the cert 
> CN, a public CA would allow an attacker to impersonate your SSID. A 
> private CA does not.
> 
> Some people (us included) choose to use a public CA and accept the risk, 
> in return for significantly easier deployment.


private CA

pros 

-under full control of organisation
-the organisation only can sign servers
-for 802.1X your clients only need to trust your server - closed loop. so why 
use public?

cons

-CA management - skillset, can someone do the same in X years?
-distribution of the CA to the client


Public CA

pros

-most clients have the CA already present
-no need to learn about CA/PKI to such low level

cons
-under whims of the CA and their issues (recall the Dutch CAs now revoked and
now invalid)
-under whims of the remote CA policy (changing from being a root to
intermediate)
-anyone can buy a certificate from a CA
-distribution - some CAs aren't on clients..so you need to distribute it anyway


personal opinion

CA distribution was always the issue for private CA - but most sites now go for
using a deployment tool of some kind to get clients set up - and all of them
can deal with installing a CA, so that's a problem gone.  the system is
closed-loop, visitors never need to trust your RADIUS server cert...only your
own folk do - so why use public in this space?


alan


Re: Blackberry disabled server certificates query

2012-01-20 Thread Alan Buxey
Hi,

>   The reason it's failing is probably because you didn't put the correct
> certificate on the blackberry.  You need to do that.  See my EAP guide:

like others we have mixed results with blackberrys - not sure if it's related
to particular handsets on the same carrier - i don't get that close to the
1st level support when they're looking at them. but we do seem to have
more cases recently with the latest blackberry curve.  nasty devices.  i might
get hold of one to see if i can squeeze it until it screams and tells me what's
wrong  ;-)

alan


RADIUS & Billing MVTS Pro

2012-01-20 Thread Mohamed Daif
Hello,

I have installed two servers with MVTS PRO installed on both servers;
it supports 600 concurrent calls.
And I installed one server with FreeRADIUS to manage both servers and
billing "with daloRADIUS".
And I have some needs that must be in the FreeRADIUS to manage the calls.

All calls must be checked first against two tables, then go to specific
gateways like below:

1 - BlackList: to block calls to numbers from the BlackList table,
2 - WhiteList: to send calls to numbers from the WhiteList table to White
Gateways
3 - Other calls not stored in either table must be sent to Checking Gateways.
4 - If calls have a good CDR they must be stored in the WhiteList.
5 - Other calls that have a bad CDR must be stored in the BlackList.

I want to have a free choice to activate checking from both tables, one of
the tables, or no tables at all, for each client individually.

How can I add both tables to FreeRADIUS and make a configuration to check
before sending calls to the MVTS servers?



-- 
*Best Regards

Mohamed Daif*


RE: Blackberry disabled server certificates query

2012-01-20 Thread Bruce Nunn
One of the annoying features of Blackberry devices is that the descriptions of 
the same CA certificate varies from device to device. Some devices, like my 
Storm2, seem to validate the CA even when that checkbox is selected. Since 
there are lots of CAs installed on Blackberry phones, setting up EAP can take a 
while as you go through the several certs which match your CA.

"Palmer J.D.F."  wrote:

>We have endless amounts of trouble connecting Blackberrys, they are
>hateful things.
>Some devices will use the certificate, some won't connect unless cert
>validation is disabled.  Some don't have the option to disable cert
>checking, and some won't connect at all.
>For an essentially single vendor device they have the most varied and
>random configuration idiosyncrasies between devices, even of the same
>model. Due to this variance we no longer try to offer online support for
>them, users are asked to bring them in to be looked at (and hacked at)
>to connect them.
>
>But yes, if possible you want to be enforcing cert validation, but in
>practice it's not always possible.
>
>> -Original Message-
>> From: freeradius-users-
>> bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org
>> [mailto:freeradius-users-
>> bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of
>> Garber, Neal
>> Sent: 20 January 2012 11:13
>> To: 'FreeRadius users mailing list'
>> Subject: RE: Blackberry disabled server certificates query
>> 
>> > if you leave the box unchecked "disable server certificate
>> validation"
>> > then the blackberry connects fine if you uncheck connection fails
>> > "failed to connect".
>> 
>> You wrote, "...if you leave it unchecked... (it)... connects fine if
>> you uncheck (it the) connection fails"???
>> 
>> Did you mean to say "if you leave it *checked* it connects fine"??  If
>> so, checking the box is telling your Blackberry NOT to validate the
>> RADIUS server's certificate.  If you don't validate the certificate,
>> there's a risk that you could be passing your credentials to an
>> untrusted RADIUS server (if someone impersonates your wireless network
>> name).
>> 
>> Best practice, for RADIUS, is to use a cert generated from a private
>CA
>> that you control, or at least trust.  In this case, you would need to
>> configure your Blackberrys to validate that the certificate is signed
>> by the CA you expect (which means they would need the CA's cert
>> installed - I assume this is possible with Blackberrys, but I don't
>> own one and I don't know how difficult it is to distribute a cert to
>> the Blackberrys or how many you have).
>> 
>> You need to decide whether to accept the risk or not.
>> 



Re: huntgroup check problems

2012-01-20 Thread Oscar Remírez de Ganuza Satrústegui
On Fri, Jan 20, 2012 at 12:18 PM, Alan DeKok wrote:

> Oscar Remírez de Ganuza Satrústegui wrote:
>
> > I am having some problems using huntgroups to identify the origin of a
> > request.
> > I have simplified the test trying to find out the problem, but I do not
> > understand what is happening:
>
> > (The "notworking log" is appended at the end of the message. I had to
> > trim it to make it shorter)
>
>   It would have been better to follow the instruction in the FAQ,
> README, "man" page, web pages, and daily on this list: "radiusd -X".
> Using "radiusd -xX" produces 2x the output, and is NOT needed.
>

My bad. Sorry about that.


>
> > I can see in the "not working log" that on the first requests the
> > huntgroup is being recognised ok. I just do not understand why it tries
> > again to check it, until it fails (request #9).
>
>   Because it's checking the user *inside* of the TLS tunnel.  Go read
> raddb/sites-available/inner-tunnel.  You will probably need to modify
> your huntgroup check.
>

Ok, I will have a look at it and try to make it check in the correct
order.


>
> > I also do not understand why it needs so many requests (12!) to work ok.
>
>   That's how 802.1X works.  It sends lots of packets.
>

Thank you very much for your fast answer, I really appreciate it.


>
>  Alan DeKok.
>  
>

*Oscar Remírez de Ganuza Satrústegui*
Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x3130
http://www.unav.es/SI/


RE: Blackberry disabled server certificates query

2012-01-20 Thread Palmer J.D.F.
We have endless amounts of trouble connecting Blackberrys, they are
hateful things.
Some devices will use the certificate, some won't connect unless cert
validation is disabled.  Some don't have the option to disable cert
checking, and some won't connect at all.
For an essentially single vendor device they have the most varied and
random configuration idiosyncrasies between devices, even of the same
model. Due to this variance we no longer try to offer online support for
them, users are asked to bring them in to be looked at (and hacked at)
to connect them.

But yes, if possible you want to be enforcing cert validation, but in
practice it's not always possible.

> -Original Message-
> From: freeradius-users-
> bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of
> Garber, Neal
> Sent: 20 January 2012 11:13
> To: 'FreeRadius users mailing list'
> Subject: RE: Blackberry disabled server certificates query
> 
> > if you leave the box unchecked "disable server certificate
> validation"
> > then the blackberry connects fine if you uncheck connection fails
> > "failed to connect".
> 
> You wrote, "...if you leave it unchecked... (it)... connects fine if
> you uncheck (it the) connection fails"???
> 
> Did you mean to say "if you leave it *checked* it connects fine"??  If
> so, checking the box is telling your Blackberry NOT to validate the
> RADIUS server's certificate.  If you don't validate the certificate,
> there's a risk that you could be passing your credentials to an
> untrusted RADIUS server (if someone impersonates your wireless network
> name).
> 
> Best practice, for RADIUS, is to use a cert generated from a private
CA
> that you control, or at least trust.  In this case, you would need to
> configure your Blackberrys to validate that the certificate is signed
> by the CA you expect (which means they would need the CA's cert
> installed - I assume this is possible with Blackberrys, but I don't
> own one and I don't know how difficult it is to distribute a cert to
> the Blackberrys or how many you have).
> 
> You need to decide whether to accept the risk or not.
> 



Re: Blackberry disabled server certificates query

2012-01-20 Thread Alan DeKok
lmgo5991 wrote:
> We are testing various devices with our new eduroam wireless and so far so
> good.  However, an issue cropped up with blackberrys where during the setup,
> if you leave the box unchecked "disable server certificate validation" then
> the blackberry connects fine if you uncheck connection fails "failed to
> connect".  I have checked other institutions and they have conflicting
> guides some say leave it checked others say uncheck.
> 
> Can anyone advise the status - to check or uncheck?

  It should always validate the server certificate.

  The reason it's failing is probably because you didn't put the correct
certificate on the blackberry.  You need to do that.  See my EAP guide:

http://deployingradius.com

  Alan DeKok.


Re: huntgroup check problems

2012-01-20 Thread Alan DeKok
Oscar Remírez de Ganuza Satrústegui wrote:
> We are using freeradius (Version 2.1.9) to serve access requests for
> 802.1x, using PEAP/EAP/MSCHAPv2 (windows7). We use LDAP for
> authentication (user accounts) and authorization (Ldap-Groups).
> We also tunneled the request to the same radius for our realm "unav.es

  That is a fairly common setup.

> I am having some problems using huntgroups to identify the origin of a
> request.
> I have simplified the test trying to find out the problem, but I do not
> understand what is happening:



> (The "notworking log" is appended at the end of the message. I had to
> trim it to make it shorter)

  It would have been better to follow the instruction in the FAQ,
README, "man" page, web pages, and daily on this list: "radiusd -X".
Using "radiusd -xX" produces 2x the output, and is NOT needed.

> I can see in the "not working log" that on the first requests the
> huntgroup is being recognised ok. I just do not understand why it tries
> again to check it, until it fails (request #9).

  Because it's checking the user *inside* of the TLS tunnel.  Go read
raddb/sites-available/inner-tunnel.  You will probably need to modify
your huntgroup check.

> I also do not understand why it needs so many requests (12!) to work ok.

  That's how 802.1X works.  It sends lots of packets.

  Alan DeKok.


RE: Blackberry disabled server certificates query

2012-01-20 Thread Garber, Neal
> if you leave the box unchecked "disable server certificate validation"
> then the blackberry connects fine if you uncheck connection fails 
> "failed to connect". 

You wrote, "...if you leave it unchecked... (it)... connects fine if you 
uncheck (it the) connection fails"???

Did you mean to say "if you leave it *checked* it connects fine"??  If so, 
checking the box is telling your Blackberry NOT to validate the RADIUS server's 
certificate.  If you don't validate the certificate, there's a risk that you 
could be passing your credentials to an untrusted RADIUS server (if someone 
impersonates your wireless network name).  

Best practice, for RADIUS, is to use a cert generated from a private CA that 
you control, or at least trust.  In this case, you would need to configure your 
Blackberrys to validate that the certificate is signed by the CA you expect 
(which means they would need the CA's cert installed - I assume this is 
possible with Blackberrys, but I don't own one and I don't know how difficult 
it is to distribute a cert to the Blackberrys or how many you have).

You need to decide whether to accept the risk or not.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eapol_test giving up and win-like error?

2012-01-20 Thread Phil Mayers

On 01/20/2012 10:30 AM, NdK wrote:
> On 19/01/2012 13:01, Phil Mayers wrote:
>> I'm not sure what the problem is then. From your original post, the
>> authentication is failing at the *client*, in the inner EAP section.
>> This normally means the final MSCHAP response is invalid, which only
>> happens if some crypto has gone wrong somewhere.
> But then it should fail immediately, not after a timeout!

Not so.

> And an immediate failure is the result when I *disable*
> 'with_ntdomain_hack=yes' line in mschap.

That's a different failure mode.

EAP/MS-CHAP works as follows:

server: send random challenge bytes to client
client: send response=crypto(password,challenge) to server
server: send crypto(response,password) to client

If validation of the 2nd item fails, you'll see an immediate failure at 
the FreeRADIUS end, because FreeRADIUS is doing the validation.

If validation of the 3rd item fails, the client just stops - it gives 
up, and sends no further packets, because it thinks the server is fake / 
impersonating.

That's why there's a timeout at the FreeRADIUS end.

> That's exactly what I've done till now. The failures start when I enable
> the auth I need. The problem w/ CP is just an "issue scheduled for later
> examination" -- nothing configured yet to fix it.
>
> That's my 'hg diff' output (w/o the certs part) from the base config
> (from the tutorial):

If that's really all you've changed, there must be something wrong with 
Samba; it's getting the final crypto blob wrong, and the client is 
dropping the packets. You'll need to investigate and fix this.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
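The three-step exchange and its two failure modes, as an added example written for this page (it is not code from the thread or from FreeRADIUS). HMAC-SHA256 stands in for the MD4/DES/SHA-1 computations of real MS-CHAPv2, so the byte values do not interoperate with any real peer; what it demonstrates is the message flow, the user name being mixed into the challenge, and the two decision points. `Client`, `Server`, `run_exchange` and the `corrupt_nt_key` switch (a backend such as ntlm_auth that validates the response but hands back a wrong key, the situation Phil attributes to Samba) are assumptions of this model:

```python
import hashlib
import hmac
import os

# Added example, not FreeRADIUS code: a model of the EAP/MS-CHAPv2 exchange.
# HMAC-SHA256 replaces the MD4/DES/SHA-1 constructions of the real protocol;
# only the message flow and the two decision points are kept.


def nt_key(password: str) -> bytes:
    """Stand-in for the NT password hash (MD4 of the UTF-16LE password)."""
    return hashlib.sha256(b"nt-hash|" + password.encode("utf-16-le")).digest()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """As in MS-CHAPv2 the user name is mixed into the challenge, so both sides
    must hash exactly the same name.  rlm_mschap's with_ntdomain_hack exists
    because Windows clients hash the bare user name even when User-Name is
    DOMAIN\\user."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def nt_response(key: bytes, chal: bytes) -> bytes:
    """Stand-in for ChallengeResponse() (three DES operations in reality)."""
    return hmac.new(key, b"nt-response|" + chal, hashlib.sha256).digest()


def authenticator_response(key: bytes, response: bytes, chal: bytes) -> bytes:
    """Stand-in for GenerateAuthenticatorResponse(): proves to the client that
    the server knows the password too (mutual authentication)."""
    return hmac.new(key, b"authenticator|" + response + chal, hashlib.sha256).digest()


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.key = nt_key(password)

    def respond(self, auth_challenge: bytes):
        """Step 2: answer the server challenge with a peer challenge and response."""
        self.peer_challenge = os.urandom(16)
        self.chal = challenge_hash(self.peer_challenge, auth_challenge, self.username)
        self.response = nt_response(self.key, self.chal)
        return self.peer_challenge, self.response

    def check_server(self, auth_resp: bytes) -> bool:
        """Step 3 check: a mismatch means 'this server does not know my password'."""
        expected = authenticator_response(self.key, self.response, self.chal)
        return hmac.compare_digest(expected, auth_resp)


class Server:
    def __init__(self, stored_password: str, corrupt_nt_key: bool = False):
        self.key = nt_key(stored_password)
        # Assumed switch: models a backend (e.g. ntlm_auth) that validates the
        # client's response but returns a wrong key for step 3.
        self.corrupt_nt_key = corrupt_nt_key

    def challenge(self) -> bytes:
        """Step 1: random authenticator challenge."""
        return os.urandom(16)

    def handle_response(self, username: str, auth_challenge: bytes,
                        peer_challenge: bytes, response: bytes):
        chal = challenge_hash(peer_challenge, auth_challenge, username)
        if not hmac.compare_digest(nt_response(self.key, chal), response):
            return "Access-Reject", None  # step 2 failed: the server rejects now
        key = self.key
        if self.corrupt_nt_key:
            key = bytes(b ^ 0xFF for b in key)
        return "Success", authenticator_response(key, response, chal)


def run_exchange(client: Client, server: Server, server_side_name: str = "") -> str:
    """Drive one exchange and classify how it ends.  server_side_name lets the
    server hash a different name than the client used (DOMAIN\\alice vs alice),
    which is what happens without with_ntdomain_hack."""
    auth_challenge = server.challenge()
    peer_challenge, response = client.respond(auth_challenge)
    name = server_side_name or client.username
    verdict, auth_resp = server.handle_response(name, auth_challenge, peer_challenge, response)
    if verdict == "Access-Reject":
        return "reject"  # visible immediately in radiusd -X
    if client.check_server(auth_resp):
        return "accept"
    # The client concluded the server is an impostor.  It sends nothing more,
    # so the server retransmits until its own timeout expires.
    return "timeout"


if __name__ == "__main__":
    print("good password  :", run_exchange(Client("alice", "s3cret"), Server("s3cret")))
    print("wrong password :", run_exchange(Client("alice", "guess"), Server("s3cret")))
    print("name mismatch  :", run_exchange(Client("alice", "s3cret"), Server("s3cret"), "PERSONALE\\alice"))
    print("bad backend key:", run_exchange(Client("alice", "s3cret"), Server("s3cret", corrupt_nt_key=True)))
```

The first two cases end at the server (accept, or reject at step 2); the name-mismatch case also fails at step 2, which is why the immediate failure NdK sees with the hack disabled is a different symptom from the timeout; only the bad-backend-key case passes step 2 and then fails at step 3, where the server has nothing to reject and simply waits.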


Re: Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

2012-01-20 Thread Phil Mayers

On 01/20/2012 01:08 AM, Matthew Newton wrote:
> The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH
> details, but has to be "user authentication" on the client.
> EAP-TLS works fine presenting the certificate to connect to the
> network (Microsoft's so-called "computer auth"), but doesn't, as
> far as I can tell, do SoH.

Correct.

> Is it actually possible to do SoH with certificate-based
> authentication, or do I have to look towards DHCP for this?

SoH is a PEAP TLV. If the PEAP module is running, it should support SoH 
regardless of the type of inner-auth.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Distributing Certificates

2012-01-20 Thread Phil Mayers

On 01/20/2012 08:16 AM, Mark Holmes wrote:
>> Your problem is going to be distributing the server cert to the
>> clients NOT distributing client
>
> Maybe I've missed something here, but why will he need to distribute
> a cert to clients?

If you're using a private CA for signing the radius server certs (which 
is generally cited as best practice because it provides belt & braces): 
in the event a client does not learn & subsequently re-check the cert 
CN, a public CA would allow an attacker to impersonate your SSID. A 
private CA does not.

Some people (us included) choose to use a public CA and accept the risk, 
in return for significantly easier deployment.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eapol_test giving up and win-like error?

2012-01-20 Thread NdK
On 19/01/2012 13:01, Phil Mayers wrote:

> I'm not sure what the problem is then. From your original post, the
> authentication is failing at the *client*, in the inner EAP section.
> This normally means the final MSCHAP response is invalid, which only
> happens if some crypto has gone wrong somewhere.
But then it should fail immediately, not after a timeout!
And an immediate failure is the result when I *disable*
'with_ntdomain_hack=yes' line in mschap.

No changes even enabling "ntdomain" lines in 'default' and
'inner-tunnel' sites (IIUC those should only detect the domain,
regardless of it being prefix or suffix).

>> Another problem I should fix is the fact that ZS's captive portal passes
>> user@realm credentials instead of realm\user ... rewriting w/ a simple
>> rule in hints file seems to block the rest, so I left it behind, for now.
> You can't alter usernames in EAP. They are usually mixed into the
> challenge/response data, and altering them in-flight means the
> challenge/response will fail.
Ok. I'm not going to change 'em.

> To be honest, there's too much going on in your setup; my advice would
> be to create a new server (running 2.1.12) and use the default setup.
> Test your EAP with eapol_test. Make small changes, storing the config
> into version control at each step. Identify exactly which point the
> failures start happening at.
That's exactly what I've done till now. The failures start when I enable
the auth I need. The problem w/ CP is just an "issue scheduled for later
examination" -- nothing configured yet to fix it.

That's my 'hg diff' output (w/o the certs part) from the base config
(from the tutorial):

diff -r 434b2b3ededc clients.conf
--- a/clients.conf  Mon Jan 16 15:17:07 2012 +0100
+++ b/clients.conf  Fri Jan 20 11:22:45 2012 +0100
@@ -232,3 +232,10 @@
 #  secret = testing123
 #}
 #}
+
+client 137.204.65.161 {
+   secret = testing123qaz
+}
+client 137.204.65.96 {
+   secret = testing123qaz
+}
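Review bot: both new client blocks carry the same shared secret, and it is a near-copy of the stock example value `testing123` that the commented-out context just above shows. The shared secret is what encrypts User-Password from the captive portal and keys Message-Authenticator on the EAP traffic, so give each NAS its own long random secret rather than one guessable value for both.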
diff -r 434b2b3ededc modules/mschap
--- a/modules/mschapMon Jan 16 15:17:07 2012 +0100
+++ b/modules/mschapFri Jan 20 11:22:45 2012 +0100
@@ -34,6 +34,7 @@
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no
+   #with_ntdomain_hack = yes

# The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
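Review bot: the added `#with_ntdomain_hack = yes` is itself a comment, so as committed this file still leaves the option at its default of `no`; since the rest of the report turns on whether the hack is enabled or disabled, either drop the leading `#` or drop the line, so that the stored config matches what is actually being tested.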
@@ -63,4 +64,7 @@
# the "best" user name for the request.
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{User-Name:-None}}
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+#  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}}
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+#  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
 }
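Review bot: the last commented variant passes `--password=%{User-Password}` together with `--challenge=...` and `--nt-response=...`; an MS-CHAP request carries no User-Password, so that form would hand ntlm_auth an empty password alongside the challenge, and it should not be revived in this module. Two of the variants also fall back on `%{myDomain}`, which is not defined anywhere in this patch, so that fallback always expands empty. In the active line, `--domain=%{%{mschap:NT-Domain}:-PERSONALE}` only finds a domain for `DOMAIN\user` names, so every `user@realm` name from the captive portal is checked against PERSONALE; if the realm part is meant to select the domain, derive it from the `Realm` that the `suffix` module sets instead of hardcoding it.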
diff -r 434b2b3ededc modules/ntlm_auth
--- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100
+++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100
@@ -8,5 +8,6 @@
 #
 exec ntlm_auth {
wait = yes
-   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
+#  program = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--username=%{mschap:User-Name} --password=%{User-Password}"
+   program = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
 }
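Review bot: the active `program` line mixes the two modes of ntlm_auth: `--password=%{User-Password}`, which is what this exec module is for, together with `--challenge=%{mschap:Challenge:-00}` and `--nt-response=%{mschap:NT-Response:-00}`. A PAP request carries no MS-CHAP attributes, so the `mschap` xlats expand to their `00` defaults and ntlm_auth is asked to verify an all-zero challenge/response pair as well as the password. Keep the stock form with only `--domain`, `--username` and `--password` here, and leave challenge/response verification to rlm_mschap; `%{myDomain}` is again undefined in this patch.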
diff -r 434b2b3ededc sites-available/default
--- a/sites-available/default   Mon Jan 16 15:17:07 2012 +0100
+++ b/sites-available/default   Fri Jan 20 11:22:45 2012 +0100
@@ -116,7 +116,7 @@
#  the other styles won't be checked.
#
suffix
-#  ntdomain
+   ntdomain

#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
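Review bot: uncommenting `ntdomain` here only takes effect for names of the form `DOMAIN\user`, and only when that domain exists as a realm in proxy.conf (or a DEFAULT realm does); otherwise rlm_realm returns noop and neither `Stripped-User-Name` nor `Realm` is set, which matters because the ntlm_auth lines elsewhere in this patch fall back on `%{Stripped-User-Name}`. As the context comment above says, `suffix` runs first and a matched style stops the others being checked, so the captive portal's `user@realm` names never reach ntdomain at all.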
@@ -306,6 +306,8 @@
 #  handled  # override the "updated" code from
attr_filter
 #  }
 #  }
+
+#  ntlm_auth
 }
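Review bot: `#  ntlm_auth` is added commented out, so as committed there is no `Auth-Type ntlm_auth` and the reworked `modules/ntlm_auth` program in this same patch is never invoked. If the PAP path from the captive portal is meant to go through ntlm_auth, remove the `#` and set `Auth-Type := ntlm_auth` for those requests in authorize; the PEAP/MS-CHAP path does not use this module, it uses the `ntlm_auth` line inside `modules/mschap`.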


@@ -347,7 +349,7 @@
#  home server as authentication requests.
 #  IPASS
suffix
-#  ntdomain
+   ntdomain

#
#  Read the 'acct_users' file
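Review bot: same caveat as in authorize: `ntdomain` in preacct only strips `DOMAIN\user` names whose domain is a known realm in proxy.conf. Enabling it here alongside the authorize change is right for consistency, so accounting records carry the same `Stripped-User-Name` as the matching Access-Request, but without the realm definition both calls remain noops.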
diff -r 434b2b3ededc sites-available/inner-tunnel

Blackberry disabled server certificates query

2012-01-20 Thread lmgo5991
Hi 

We are testing various devices with our new eduroam wireless and so far so
good.  However, an issue cropped up with blackberrys where during the setup,
if you leave the box unchecked "disable server certificate validation" then
the blackberry connects fine if you uncheck connection fails "failed to
connect".  I have checked other institutions and they have conflicting
guides some say leave it checked others say uncheck.  

Can anyone advise the status - to check or uncheck?

Thanks 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Blackberry-disabled-server-certificates-query-tp5159946p5159946.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Distributing Certificates

2012-01-20 Thread Mark Holmes
> Your problem is going to be distributing the server cert to the clients NOT 
> distributing client

Maybe I've missed something here, but why will he need to distribute a cert to 
clients?

If the certificate you use on your RADIUS server is signed by a known CA, the 
client should already have the relevant root certificate and so will trust the 
certificate presented by the server.

This is assuming he is using certificates for confirming identity of the 
server, not for EAP-TLS etc.

Cheers,

Mark



On 6 Jan 2012, at 21:43, "Sallee, Stephen (Jake)"  wrote:

> It may be a misunderstanding on my part but I believe any encrypted protocol 
> would need a cert of some sort.  PEAP is an encrypted tunnel thus you will 
> need a cert.  FR will generate its own certs for testing but for production 
> you should generate your own.  We are making the move to 802.1x in the next 
> few months and will be using a self-signed cert on the FR server and 
> deploying it to the users' machines via a third party tool from a company 
> called cloud path.
>
> Suffice it to say that windows Vista and beyond MUST have the server cert 
> installed or be configured to ignore server certs before you can use any 
> encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP 
> would show you a dialogue box with a warning but that functionality is gone 
> in Vista and 7.
>
> MAC OS and Linux will still allow you to download the cert and install it on 
> first use, windows will not.
>
> Your problem is going to be distributing the server cert to the clients NOT 
> distributing client certs (unless you are using EAP/TLS or the like), as 
> mentioned before AD makes this easy via GPO / login scripts.  However if your 
> clients are not part of your domain then you have very few choices.
>
> 1) Roll your own program to install the cert for them
> 2) Buy a solution to install the cert (like cloud path)
> 3) issue instructions to the clients and have them install the certs manually
> 4) go around and install all the certs yourself
>
> There are pros and cons for each.  BTW for security reasons you should use a 
> self-signed cert, that being the case you can make the cert valid for 99 
> years, then revoke it when you have time to redistribute them ; )
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
> -Original Message-
> From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
> [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] 
> On Behalf Of McSparin, Joe
> Sent: Friday, January 06, 2012 3:07 PM
> To: FreeRadius users mailing list
> Subject: RE: Distributing Certificates
>
> I don't have any particular desire to use certificates; thus far, in testing 
> mode, I have been using PEAP and just ignoring the warning that tells me there 
> is a certificate on the server that doesn't match.  I assumed in deployment I 
> would have to install certificates so the users wouldn't be confused when 
> they saw that message.  I thought that FreeRadius had to have certificates 
> set up even if they were just example ones.  Radiusd -X runs bootstrap which 
> creates example certificates automatically.  This led me to believe that 
> certificates were somehow integral to 802.1x.  Is that not the case?  If so 
> how can you take certificates completely out of the equation?
>
>
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcspa...@hillcountrymemorial.org
>
> -Original Message-
> From: 
> freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org
>  
> [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
>  On Behalf Of David Mitton
> Sent: Friday, January 06, 2012 12:44 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Distributing Certificates
>
> You can do such things as suggested... but you haven't articulated what your 
> goal is and what you will be using the certificates for?
> 802.1X doesn't "require" certificates... but you may want to use them 
> depending on what you are trying to do.
>
> Dave.
>
>
> Quoting "Danner, Mearl" :
>
>> If you are using AD and have a CA set up you can create
>> autoenrollment gpo's for domain attached machines. You can issue
>> either user or computer certs. Can also configure the Windows
>> wireless supplicant via gpo.
>>
>> Mearl
>>
>> From:
>> freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
>> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
>> On Behalf Of McSparin, Joe
>> Sent: Friday, January 06, 2012 10:18 AM
>> To: FreeRadius users mailing list
>> Subject: Distributing Certificates
>>
>> Now that I have my Radius server configured I need to begin
>> implementation I have 600 computers that will be using it. 

Re: 'Logout for NAS CP port 76, but no Login record' && 'Login entry for NAS CP port 76 wrong order' Error

2012-01-20 Thread Fajar A. Nugraha
On Fri, Jan 20, 2012 at 2:54 PM, Zlyzwy  wrote:
> I am a newbie to FreeRadius. Now I am trying to set up a Hotspot with PFsense
> (FreeRadius + MySQL + Captive Portal).

Is this a wireless hotspot or wired?

> Basically the Hotspot is working properly, FreeRadius is doing the auth and
> writing the log to MySQL.

>
> There is one client running VMware Workstation inside Windows 2003. And a
> virtual Debian is running in VM. Debian's network is bridged on host. I am
> receiving the error log:

It shouldn't matter whether it's a VM or not. What matters is the
network setup (e.g. bridged vs NAT vs routed)

>
> ==
> Jan 20 11:15:07 radiusd[55144]:rlm_radutmp: Logout for NAS CP port 76, but
> no Login record

If you don't use radutmp, simply comment out all references to it in
sites-available/default (and perhaps also in
sites-available/inner-tunnel)

> And the situation is, for VM_Debian and win2003, ONLY ONE can access the
> Internet.
>
> Does anyone have any idea why it will happen? or you have the same
> experience using VM like this?

You'd have to ask pfsense guys about that.

Basically:
- you can't bridge a wireless interface (which is why I asked the first question)
- for a wired interface, bridging will work fine IF there's no MAC
masquerade/rewrite. That is, the captive portal can recognize both the
VM and the host using their own MAC address.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


'Logout for NAS CP port 76, but no Login record' && 'Login entry for NAS CP port 76 wrong order' Error

2012-01-20 Thread Zlyzwy

Hi all,

I am a newbie to FreeRadius. Now I am trying to set up a Hotspot with 
PFsense (FreeRadius + MySQL + Captive Portal).
(pfSense is a free, open source customized distribution of FreeBSD 
tailored for use as a firewall and router. FreeRadius is a package of it.

see more information on their website: http://www.pfsense.org/)

Basically the Hotspot is working properly, FreeRadius is doing the auth 
and writing the log to MySQL.


There is one client running VMware Workstation inside Windows 2003. And a 
virtual Debian is running in VM. Debian's network is bridged on host. I 
am receiving the error log:


==
Jan 20 11:15:07 radiusd[55144]:rlm_radutmp: Logout for NAS CP port 76, 
but no Login record
Jan 20 11:15:07 radiusd[55144]: rlm_radutmp: Logout for NAS CP port 76, 
but no Login record
Jan 20 11:14:06 radiusd[55144]: rlm_radutmp: Login entry for NAS CP 
port 76 wrong order
Jan 20 11:14:06 radiusd[55144]: rlm_radutmp: Login entry for NAS CP 
port 76 wrong order

==

And the situation is, for VM_Debian and win2003, ONLY ONE can access 
the Internet.


Does anyone have any idea why it will happen? or you have the same 
experience using VM like this?


Any reply will be appreciated.


The following is my Radiusd -X
==
# radiusd -X
FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on 
Jan  3 2012 at 23:44:16

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file 
/u