1
|
(0) Received Access-Request Id 52 from 127.0.0.1:10007 to 127.0.0.1:1812 length 138
|
2
|
(0) Service-Type = Login-User
|
3
|
(0) User-Name = "otpuser1"
|
4
|
(0) User-Password = "23ace5"
|
5
|
(0) NAS-IP-Address = 192.168.122.179
|
6
|
(0) NAS-Identifier = "openVPN"
|
7
|
(0) Calling-Station-Id = "192.168.122.179:1195"
|
8
|
(0) Called-Station-Id = "0c:c5:49:1e:f0:01:pf4.spb-lab.int"
|
9
|
(0) NAS-Port-Type = Virtual
|
10
|
(0) NAS-Port = 1195
|
11
|
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
|
12
|
(0) authorize {
|
13
|
(0) [preprocess] = ok
|
14
|
(0) [chap] = noop
|
15
|
(0) [mschap] = noop
|
16
|
(0) [digest] = noop
|
17
|
(0) suffix: Checking for suffix after "@"
|
18
|
(0) suffix: No '@' in User-Name = "otpuser1", skipping NULL due to config.
|
19
|
(0) [suffix] = noop
|
20
|
(0) ntdomain: Checking for prefix before "\"
|
21
|
(0) ntdomain: No '\' in User-Name = "otpuser1", skipping NULL due to config.
|
22
|
(0) [ntdomain] = noop
|
23
|
(0) eap: No EAP-Message, not doing EAP
|
24
|
(0) [eap] = noop
|
25
|
(0) files: users: Matched entry otpuser1 at line 9
|
26
|
(0) [files] = ok
|
27
|
(0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
|
28
|
(0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> FALSE
|
29
|
rlm_counter: Entering module authorize code
|
30
|
rlm_counter: Could not find Check item value pair
|
31
|
(0) [daily] = noop
|
32
|
rlm_counter: Entering module authorize code
|
33
|
rlm_counter: Could not find Check item value pair
|
34
|
(0) [weekly] = noop
|
35
|
rlm_counter: Entering module authorize code
|
36
|
rlm_counter: Could not find Check item value pair
|
37
|
(0) [monthly] = noop
|
38
|
rlm_counter: Entering module authorize code
|
39
|
rlm_counter: Could not find Check item value pair
|
40
|
(0) [forever] = noop
|
41
|
(0) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
|
42
|
(0) ERROR: Failed retrieving values required to evaluate condition
|
43
|
(0) [expiration] = noop
|
44
|
(0) [logintime] = noop
|
45
|
Not doing PAP as Auth-Type is already set.
|
46
|
(0) [pap] = noop
|
47
|
(0) } # authorize = ok
|
48
|
(0) Found Auth-Type = MOTP
|
49
|
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
|
50
|
(0) Auth-Type MOTP {
|
51
|
(0) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
|
52
|
(0) motp: EXPAND %{request:User-Name}
|
53
|
(0) motp: --> otpuser1
|
54
|
(0) motp: EXPAND %{request:User-Password}
|
55
|
(0) motp: --> 23ace5
|
56
|
(0) motp: EXPAND %{reply:MOTP-Init-Secret}
|
57
|
(0) motp: --> 8abe2f27456f801a
|
58
|
(0) motp: EXPAND %{reply:MOTP-PIN}
|
59
|
(0) motp: --> 1234
|
60
|
(0) motp: EXPAND %{reply:MOTP-Offset}
|
61
|
(0) motp: --> 0
|
62
|
(0) motp: Program returned code (0) and output 'ACCEPT'
|
63
|
(0) motp: Program executed successfully
|
64
|
(0) [motp] = ok
|
65
|
(0) } # Auth-Type MOTP = ok
|
66
|
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
|
67
|
(0) post-auth {
|
68
|
(0) update {
|
69
|
(0) No attributes updated for RHS &session-state:
|
70
|
(0) } # update = noop
|
71
|
(0) [exec] = noop
|
72
|
(0) policy remove_reply_message_if_eap {
|
73
|
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
|
74
|
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
|
75
|
(0) else {
|
76
|
(0) [noop] = noop
|
77
|
(0) } # else = noop
|
78
|
(0) } # policy remove_reply_message_if_eap = noop
|
79
|
(0) } # post-auth = noop
|
80
|
(0) Login OK: [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
|
81
|
(0) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:10007 length 0
|
82
|
(0) Finished request
|
83
|
Waking up in 4.9 seconds.
|
84
|
(0) Cleaning up request packet ID 52 with timestamp +19
|
85
|
Ready to process requests
|
86
|
(1) Received Access-Request Id 27 from 127.0.0.1:7638 to 127.0.0.1:1812 length 138
|
87
|
(1) Service-Type = Login-User
|
88
|
(1) User-Name = "otpuser1"
|
89
|
(1) User-Password = "23ace5"
|
90
|
(1) NAS-IP-Address = 192.168.122.179
|
91
|
(1) NAS-Identifier = "openVPN"
|
92
|
(1) Calling-Station-Id = "192.168.122.179:1195"
|
93
|
(1) Called-Station-Id = "0c:c5:49:1e:f0:01:pf4.spb-lab.int"
|
94
|
(1) NAS-Port-Type = Virtual
|
95
|
(1) NAS-Port = 1195
|
96
|
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
|
97
|
(1) authorize {
|
98
|
(1) [preprocess] = ok
|
99
|
(1) [chap] = noop
|
100
|
(1) [mschap] = noop
|
101
|
(1) [digest] = noop
|
102
|
(1) suffix: Checking for suffix after "@"
|
103
|
(1) suffix: No '@' in User-Name = "otpuser1", skipping NULL due to config.
|
104
|
(1) [suffix] = noop
|
105
|
(1) ntdomain: Checking for prefix before "\"
|
106
|
(1) ntdomain: No '\' in User-Name = "otpuser1", skipping NULL due to config.
|
107
|
(1) [ntdomain] = noop
|
108
|
(1) eap: No EAP-Message, not doing EAP
|
109
|
(1) [eap] = noop
|
110
|
(1) files: users: Matched entry otpuser1 at line 9
|
111
|
(1) [files] = ok
|
112
|
(1) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
|
113
|
(1) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> FALSE
|
114
|
rlm_counter: Entering module authorize code
|
115
|
rlm_counter: Could not find Check item value pair
|
116
|
(1) [daily] = noop
|
117
|
rlm_counter: Entering module authorize code
|
118
|
rlm_counter: Could not find Check item value pair
|
119
|
(1) [weekly] = noop
|
120
|
rlm_counter: Entering module authorize code
|
121
|
rlm_counter: Could not find Check item value pair
|
122
|
(1) [monthly] = noop
|
123
|
rlm_counter: Entering module authorize code
|
124
|
rlm_counter: Could not find Check item value pair
|
125
|
(1) [forever] = noop
|
126
|
(1) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
|
127
|
(1) ERROR: Failed retrieving values required to evaluate condition
|
128
|
(1) [expiration] = noop
|
129
|
(1) [logintime] = noop
|
130
|
Not doing PAP as Auth-Type is already set.
|
131
|
(1) [pap] = noop
|
132
|
(1) } # authorize = ok
|
133
|
(1) Found Auth-Type = MOTP
|
134
|
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
|
135
|
(1) Auth-Type MOTP {
|
136
|
(1) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
|
137
|
(1) motp: EXPAND %{request:User-Name}
|
138
|
(1) motp: --> otpuser1
|
139
|
(1) motp: EXPAND %{request:User-Password}
|
140
|
(1) motp: --> 23ace5
|
141
|
(1) motp: EXPAND %{reply:MOTP-Init-Secret}
|
142
|
(1) motp: --> 8abe2f27456f801a
|
143
|
(1) motp: EXPAND %{reply:MOTP-PIN}
|
144
|
(1) motp: --> 1234
|
145
|
(1) motp: EXPAND %{reply:MOTP-Offset}
|
146
|
(1) motp: --> 0
|
147
|
(1) motp: ERROR: Program returned code (11) and output 'FAIL'
|
148
|
(1) motp: ERROR: Program returned invalid code (greater than max rcode) (11 > 9): FAIL
|
149
|
(1) [motp] = fail
|
150
|
(1) } # Auth-Type MOTP = fail
|
151
|
(1) Failed to authenticate the user
|
152
|
(1) Using Post-Auth-Type Reject
|
153
|
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
|
154
|
(1) Post-Auth-Type REJECT {
|
155
|
(1) attr_filter.access_reject: EXPAND %{User-Name}
|
156
|
(1) attr_filter.access_reject: --> otpuser1
|
157
|
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
|
158
|
(1) [attr_filter.access_reject] = updated
|
159
|
(1) [eap] = noop
|
160
|
(1) policy remove_reply_message_if_eap {
|
161
|
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
|
162
|
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
|
163
|
(1) else {
|
164
|
(1) [noop] = noop
|
165
|
(1) } # else = noop
|
166
|
(1) } # policy remove_reply_message_if_eap = noop
|
167
|
(1) } # Post-Auth-Type REJECT = updated
|
168
|
(1) Login incorrect (Failed retrieving values required to evaluate condition): [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
|
169
|
(1) Delaying response for 1.000000 seconds
|
170
|
Waking up in 0.2 seconds.
|
171
|
Waking up in 0.7 seconds.
|
172
|
(1) Sending delayed response
|
173
|
(1) Sent Access-Reject Id 27 from 127.0.0.1:1812 to 127.0.0.1:7638 length 20
|
174
|
Waking up in 3.9 seconds.
|
175
|
(1) Cleaning up request packet ID 27 with timestamp +3345
|
176
|
Ready to process requests
|
177
|
(2) Received Access-Request Id 215 from 127.0.0.1:54875 to 127.0.0.1:1812 length 138
|
178
|
(2) Service-Type = Login-User
|
179
|
(2) User-Name = "otpuser1"
|
180
|
(2) User-Password = "23ace5"
|
181
|
(2) NAS-IP-Address = 192.168.122.179
|
182
|
(2) NAS-Identifier = "openVPN"
|
183
|
(2) Calling-Station-Id = "192.168.122.179:1195"
|
184
|
(2) Called-Station-Id = "0c:c5:49:1e:f0:01:pf4.spb-lab.int"
|
185
|
(2) NAS-Port-Type = Virtual
|
186
|
(2) NAS-Port = 1195
|
187
|
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
|
188
|
(2) authorize {
|
189
|
(2) [preprocess] = ok
|
190
|
(2) [chap] = noop
|
191
|
(2) [mschap] = noop
|
192
|
(2) [digest] = noop
|
193
|
(2) suffix: Checking for suffix after "@"
|
194
|
(2) suffix: No '@' in User-Name = "otpuser1", skipping NULL due to config.
|
195
|
(2) [suffix] = noop
|
196
|
(2) ntdomain: Checking for prefix before "\"
|
197
|
(2) ntdomain: No '\' in User-Name = "otpuser1", skipping NULL due to config.
|
198
|
(2) [ntdomain] = noop
|
199
|
(2) eap: No EAP-Message, not doing EAP
|
200
|
(2) [eap] = noop
|
201
|
(2) files: users: Matched entry otpuser1 at line 9
|
202
|
(2) [files] = ok
|
203
|
(2) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
|
204
|
(2) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> FALSE
|
205
|
rlm_counter: Entering module authorize code
|
206
|
rlm_counter: Could not find Check item value pair
|
207
|
(2) [daily] = noop
|
208
|
rlm_counter: Entering module authorize code
|
209
|
rlm_counter: Could not find Check item value pair
|
210
|
(2) [weekly] = noop
|
211
|
rlm_counter: Entering module authorize code
|
212
|
rlm_counter: Could not find Check item value pair
|
213
|
(2) [monthly] = noop
|
214
|
rlm_counter: Entering module authorize code
|
215
|
rlm_counter: Could not find Check item value pair
|
216
|
(2) [forever] = noop
|
217
|
(2) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
|
218
|
(2) ERROR: Failed retrieving values required to evaluate condition
|
219
|
(2) [expiration] = noop
|
220
|
(2) [logintime] = noop
|
221
|
Not doing PAP as Auth-Type is already set.
|
222
|
(2) [pap] = noop
|
223
|
(2) } # authorize = ok
|
224
|
(2) Found Auth-Type = MOTP
|
225
|
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
|
226
|
(2) Auth-Type MOTP {
|
227
|
(2) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
|
228
|
(2) motp: EXPAND %{request:User-Name}
|
229
|
(2) motp: --> otpuser1
|
230
|
(2) motp: EXPAND %{request:User-Password}
|
231
|
(2) motp: --> 23ace5
|
232
|
(2) motp: EXPAND %{reply:MOTP-Init-Secret}
|
233
|
(2) motp: --> 8abe2f27456f801a
|
234
|
(2) motp: EXPAND %{reply:MOTP-PIN}
|
235
|
(2) motp: --> 1234
|
236
|
(2) motp: EXPAND %{reply:MOTP-Offset}
|
237
|
(2) motp: --> 0
|
238
|
(2) motp: ERROR: Program returned code (11) and output 'FAIL'
|
239
|
(2) motp: ERROR: Program returned invalid code (greater than max rcode) (11 > 9): FAIL
|
240
|
(2) [motp] = fail
|
241
|
(2) } # Auth-Type MOTP = fail
|
242
|
(2) Failed to authenticate the user
|
243
|
(2) Using Post-Auth-Type Reject
|
244
|
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
|
245
|
(2) Post-Auth-Type REJECT {
|
246
|
(2) attr_filter.access_reject: EXPAND %{User-Name}
|
247
|
(2) attr_filter.access_reject: --> otpuser1
|
248
|
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
|
249
|
(2) [attr_filter.access_reject] = updated
|
250
|
(2) [eap] = noop
|
251
|
(2) policy remove_reply_message_if_eap {
|
252
|
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
|
253
|
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
|
254
|
(2) else {
|
255
|
(2) [noop] = noop
|
256
|
(2) } # else = noop
|
257
|
(2) } # policy remove_reply_message_if_eap = noop
|
258
|
(2) } # Post-Auth-Type REJECT = updated
|
259
|
(2) Login incorrect (Failed retrieving values required to evaluate condition): [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
|
260
|
(2) Delaying response for 1.000000 seconds
|
261
|
Waking up in 0.2 seconds.
|
262
|
Waking up in 0.7 seconds.
|
263
|
(2) Sending delayed response
|
264
|
(2) Sent Access-Reject Id 215 from 127.0.0.1:1812 to 127.0.0.1:54875 length 20
|