
freeradius-oauth2-perl's Issues

MSCHAPv2 support

Alexander,

Currently I am working on a project to authenticate users on eduroam-wifi using their Office 365 credentials. I found your oauth2-perl scripts on github and implemented it on my freeradius server.
This works great for iOS devices but not for Windows devices. Information on this is sparse and I am by no means a master in configuring radius. I thought that maybe you can give me a pointer.

I traced the problem to the authentication section of the inner tunnel. MS insists on using Auth-Type ms-chapv2 where my iPad uses gtc. I have added oauth2-perl to the MS-CHAP section. The perl-script connects to Azure but returns the error: "rlm_perl: Added pair Reply-Message = AADSTS90014: The request body must contain the following parameter: 'password'."

Any help is greatly appreciated.

With kind regards,

Maxim van Luttikhuizen
Service and Product Development

Alexander,

Thanks for the quick response, I missed the sentence about ttls/pap. I use Windows 8.1 and can configure it to use pap. This will then successfully authorize but not authenticate because there is no auth-type after the oauth2-perl module has finished (using the iPad, auth-type = EAP).
I solved this by adding the following to the authorize section of the inner-tunnel:

            if (!control:Auth-Type) {
                update control {
                    Auth-Type := oauth2-perl
                }
            }

I can now authenticate with both iOS and Windows 8.1 based computers.

With kind regards,

Maxim van Luttikhuizen
Service and Product Development

Cache OAuth2-Groups

I'm integrating AzureAD via Radius in PFSense as authentication mechanism for VPNs and PFsense too.

In the latter case, user groups can be mapped to PFSense groups via Class attribute, and I've managed to forward OAuth2-Groups.
But when using Cache (2nd login) the OAuth2-Groups is not available and thus no decisions can be made.

Current workaround is to disable password cache, but I'd like to use that feature.

The change should be trivial by adding reply:OAuth2-Group to cache policy. If it is correct, I can provide a PR.

No such file or directory

hi,
thank you for this knowledge sharing.

I followed the steps, but when I try to do the first restart after configuring the AAA part with the code provided I get this:

May 15 21:18:51 FreeRadius freeradius[7033]: FreeRADIUS Version 3.2.2
May 15 21:18:51 FreeRadius freeradius[7033]: Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
May 15 21:18:51 FreeRadius freeradius[7033]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
May 15 21:18:51 FreeRadius freeradius[7033]: PARTICULAR PURPOSE
May 15 21:18:51 FreeRadius freeradius[7033]: You may redistribute copies of FreeRADIUS under the terms of the
May 15 21:18:51 FreeRadius freeradius[7033]: GNU General Public License
May 15 21:18:51 FreeRadius freeradius[7033]: For more information about these matters, see the file named COPYRIGHT
May 15 21:18:51 FreeRadius freeradius[7033]: Starting - reading configuration files ...
May 15 21:18:51 FreeRadius freeradius[7033]: Errors reading /etc/freeradius/dictionary: dict_init: /etc/freeradius/dictionary[51]: Couldn't open dictionary "/opt/freeradius-oauth2-perl/dictionary": No such file or directory

I first started by copying the project from https://github.com/jimdigriz/freeradius-oauth2-perl.git, then I saw that someone had the same type of issue as me. So I restarted from scratch, but that time I copied from https://github.com/FreeRADIUS/freeradius-server.git, and got the same error.

Can you help me please?

Best Regards
thank you

Problems connecting using accounts with MFA enabled

Hello,

Thank you for your great work.

Everything is working as it should be, except with accounts that have MFA enabled.

I am getting this error:

rlm_perl: oauth2 authenticate
(17) oauth2_perl: EXPAND realm[].oauth2.client_id
(17) oauth2_perl: --> realm[].oauth2.client_id
(17) oauth2_perl: EXPAND %{config:realm[].oauth2.client_id}
(17) oauth2_perl: --> ....
(17) oauth2_perl: EXPAND realm[].oauth2.client_secret
(17) oauth2_perl: --> realm[].oauth2.client_secret
(17) oauth2_perl: EXPAND %{config:realm[].oauth2.client_secret}
(17) oauth2_perl: --> .....
rlm_perl: oauth2 token
rlm_perl: oauth2 token failed: 400 Bad Request

(17) oauth2_perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x851f448ab20001c86c51854d7abac511'
(17) oauth2_perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.0.0.4'
(17) oauth2_perl: &request:OAuth2-Group += $RAD_REQUEST{'OAuth2-Group'} -> '....'
(17) oauth2_perl: &request:OAuth2-Group += $RAD_REQUEST{'OAuth2-Group'} -> '.....'
(17) oauth2_perl: &request:OAuth2-Group += $RAD_REQUEST{'OAuth2-Group'} -> '....'
(17) oauth2_perl: &request:OAuth2-Group += $RAD_REQUEST{'OAuth2-Group'} -> '.....'
(17) oauth2_perl: &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> '.....'
(17) oauth2_perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'test@....'
(17) oauth2_perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(17) oauth2_perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '.....'
(17) oauth2_perl: &request:Realm = $RAD_REQUEST{'Realm'} -> '.....'
(17) oauth2_perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Mar 24 2023 07:22:10 UTC'
(17) oauth2_perl: &reply:Reply-Message += $RAD_REPLY{'Reply-Message'} -> 'Error: invalid_grant'
(17) oauth2_perl: &reply:Reply-Message += $RAD_REPLY{'Reply-Message'} -> 'AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.'
(17) oauth2_perl: &reply:Reply-Message += $RAD_REPLY{'Reply-Message'} -> 'Trace ID: 721415c2-5b50-4185-8af7-76124bda1900'
(17) oauth2_perl: &reply:Reply-Message += $RAD_REPLY{'Reply-Message'} -> 'Correlation ID: ced3a7a9-44c3-4e0e-a51c-27ff6bf56451'
(17) oauth2_perl: &reply:Reply-Message += $RAD_REPLY{'Reply-Message'} -> 'Timestamp: 2023-03-24 07:22:11Z'
(17) oauth2_perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'oauth2'
(17) oauth2_perl: &control:OAuth2-Password-Last-Modified = $RAD_CHECK{'OAuth2-Password-Last-Modified'} -> 'Mar 24 2023 07:20:59 UTC'
(17) [oauth2_perl] = reject
(17) } # policy oauth2.authenticate = reject
(17) } # Auth-Type oauth2 = reject
(17) Failed to authenticate the user

Any idea how I can fix that?

Multiple domains in O365

This is a great little package, I got it up and running today in no time with your instructions and now have several applications authenticating via my on-prem RADIUS server to O365, including 802.1x. Well done!

One problem I've found though is that our org runs multiple domains in O365, in the one tenant. Using our "primary domain" (as far as Azure AD is concerned), no problems at all. Any user that uses a non-primary domain as their login though cannot use this RADIUS server for auth. We basically see this in RADIUS logs:

++[oauth2-perl] = notfound
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop

I've added the domain as a realm in the module's config file and also added it to RADIUS's proxy.conf file, but it hasn't made a difference. Any thoughts on what else I need to check? Obviously it's the same client ID with the same client secret as it's the same Azure AD, it's just not the primary domain.

Thanks!

Brett

Error parsing time at /usr/lib/x86_64-linux-gnu/perl/5.34/Time/Piece.pm line 598.

Probably something to fix whilst dealing with #13

On Mon, 18 Sep 2023, at 19:34, J R wrote:

I was setting up your code for authentication against Azure AD, but I received an error "Thread 2 terminated abnormally: Error parsing time at /usr/lib/x86_64-linux-gnu/perl/5.34/Time/Piece.pm line 598." When researching this, I found that changing from "Time::Piece" to "DateTime" solved the issue.

Here is the code change I made to successfully authenticate against azure.

File: main.pm

Added:

    use DateTime;
    use DateTime::Format::Strptime;

Commented out:
    if ($^V ge v5.28) {
        Time::Piece->use_locale();
    } else {
        warn "old version of Perl (pre-5.28) detected, non-English locale users must run FreeRADIUS with LC_ALL=C";
    }
    use constant RADTIME_FMT => '%b %e %Y %H:%M:%S %Z';
    sub to_radtime {
        my ($s) = @_;
        return Time::Piece->strptime($s, '%Y-%m-%dT%H:%M:%SZ')->strftime(RADTIME_FMT);
    }

Replaced the commented out section with the following:
    if ($^V ge v5.28) {
        # No need for any specific action for DateTime
    } else {
        warn "old version of Perl (pre-5.28) detected, non-English locale users must run FreeRADIUS with LC_ALL=C";
    }

    use constant RADTIME_FMT => '%b %e %Y %H:%M:%S %Z';

    my $strp = DateTime::Format::Strptime->new(
        pattern   => '%Y-%m-%dT%H:%M:%SZ',
        time_zone => 'UTC',
    );

    sub to_radtime {
        my ($s) = @_;
        my $dt = $strp->parse_datetime($s);
        return $dt->strftime(RADTIME_FMT);
    }

and then everything worked. Credit goes to OpenAI for the new code.
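As an added example (not the project's code and not J R's patch above), here is a to_radtime that produces the same '%b %e %Y %H:%M:%S %Z' output using only core Perl modules, so it depends neither on DateTime nor on the process locale for the month name, and it returns undef on malformed input instead of terminating the worker thread. Accepting an optional fractional-seconds part is an assumption about what the upstream API may return, not something the thread above reports.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timegm);

# English month abbreviations fixed here, so the output cannot change with
# LC_TIME (the locale problem the original code warns about for pre-5.28 Perl).
my @MONTHS = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);

# Convert an ISO 8601 UTC timestamp to the FreeRADIUS date format
# '%b %e %Y %H:%M:%S %Z' (e.g. 'Mar 24 2023 07:20:59 UTC').
# Returns undef for anything it cannot parse, so one odd value in a user
# record reports a failure rather than killing the sync thread.
sub to_radtime {
    my ($s) = @_;
    return unless defined $s;
    # Assumption: tolerate an optional fractional-seconds part before the 'Z'.
    my ($y, $mo, $d, $h, $mi, $sec) = $s =~
        /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?Z$/;
    return unless defined $sec;
    # timegm croaks on out-of-range fields (month 13, 30 Feb, hour 25 ...);
    # trap that and treat it as a parse failure.
    my $epoch = eval { timegm($sec, $mi, $h, $d, $mo - 1, $y) };
    return unless defined $epoch;
    my @t = gmtime($epoch);   # sec, min, hour, mday, mon, year, ...
    return sprintf('%s %2d %04d %02d:%02d:%02d UTC',
        $MONTHS[$t[4]], $t[3], $t[5] + 1900, $t[2], $t[1], $t[0]);
}

# Constructed sample inputs: the first matches the password-change timestamp
# quoted in the MFA report above, the others exercise the rejection paths.
for my $in ('2023-03-24T07:20:59Z', '2023-03-24T07:20:59.1234567Z',
            '2023-02-30T00:00:00Z', 'Mar 24 2023 07:20:59 UTC') {
    my $out = to_radtime($in);
    printf "%-30s -> %s\n", $in, defined $out ? $out : '(rejected)';
}
```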

No such file or directory

Following documentation and hitting a brick wall with the following commands and errors:

Command:

printf '\n$INCLUDE /opt/freeradius-oauth2-perl/dictionary\n' >> /etc/freeradius/dictionary
ln -s /opt/freeradius-oauth2-perl/module /etc/freeradius/mods-enabled/oauth2
ln -s /opt/freeradius-oauth2-perl/policy /etc/freeradius/policy.d/oauth2

Error:

ln: failed to create symbolic link '/etc/freeradius/mods-enabled/oauth2': No such file or directory
ln: failed to create symbolic link '/etc/freeradius/policy.d/oauth2': No such file or directory

Any ideas at all?

Segmentation fault while refetching token

It seems there is some kind of issue if the token unexpectedly expires.

rlm_perl: oauth2 worker (domain.com): sync users
rlm_perl: oauth2 worker (domain.com): users page
rlm_perl: oauth2 worker (domain.com): sync groups
rlm_perl: oauth2 worker (domain.com): groups page
rlm_perl: oauth2 worker (domain.com): apply
rlm_perl: oauth2 worker (domain.com): syncing in 35 seconds
rlm_perl: oauth2 worker (domain.com): sync
rlm_perl: oauth2 worker (domain.com): sync users
rlm_perl: oauth2 worker (domain.com): users page
rlm_perl: oauth2 worker (domain.com): users failed: 500 read timeout
Thread 4 terminated abnormally: token (domain.com): 500 read timeout at /opt/freeradius-oauth2-perl/main.pm line 179.
rlm_perl: oauth2 worker (domain.com): died, sleeping for 4 seconds
rlm_perl: oauth2 worker (domain.com): started (tid=5)
rlm_perl: oauth2 worker (domain.com): sync
rlm_perl: oauth2 worker (domain.com): sync users
rlm_perl: oauth2 worker (domain.com): users page
rlm_perl: oauth2 worker (domain.com): fetching token
Segmentation fault

Debian 11, running freeradius from the recommended repo.

Can't make it work with google or facebook

Hello,

First, thanks a lot for this freeradius module, which will be very interesting for future use.

Unfortunately I've had no luck making it work with Google or Facebook. I understand that if the OAuth provider does not offer the Resource Owner Password Credentials Grant, this is not going to work.

I've read your ISSUE/TODO but I haven't understood well what to do with Google.

This is the freeradius/module log I've got:

++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Realm = gmail.com
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair Stripped-User-Name = user
rlm_perl: Added pair NAS-IP-Address = 192.168.2.11
rlm_perl: Added pair Message-Authenticator = 0x41f8236edf2403f213990dca445ff2a7
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair Auth-Type = oauth2-perl
++[oauth2-perl] = ok
[oauth_files] users: Matched entry DEFAULT at line 210
++[oauth_files] = ok
+} # group authorize = ok
Found Auth-Type = oauth2-perl

Executing group from file /usr/local/etc/raddb/sites-enabled/portal

+group oauth2-perl {
rlm_perl: GET https://accounts.google.com/.well-known/openid-configuration
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2
rlm_perl: From: [email protected]
rlm_perl: User-Agent: freeradius-oauth2-perl/0.1 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.13)
rlm_perl: X-Cache-Key: gmail.com
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: public, max-age=604800
rlm_perl: Connection: close
rlm_perl: Date: Thu, 19 Mar 2015 18:46:06 GMT
rlm_perl: Server: GSE
rlm_perl: Content-Length: 712
rlm_perl: Content-Type: application/json
rlm_perl: Expires: Thu, 26 Mar 2015 18:46:06 GMT
rlm_perl: Last-Modified: Fri, 05 Dec 2014 04:03:03 GMT
rlm_perl: Alternate-Protocol: 443:quic,p=0.5
rlm_perl: Client-Date: Thu, 19 Mar 2015 18:46:06 GMT
rlm_perl: Client-Peer: 2a00:1450:4007:80d::200d:443
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com
rlm_perl: Client-SSL-Cipher: ECDHE-RSA-AES128-SHA
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: X-Cache-Expires: 1426792721
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-XSS-Protection: 1; mode=block
rlm_perl:
rlm_perl: {
rlm_perl: "issuer": "accounts.google.com",
rlm_perl: "authorization_endpoint": "https://accounts.google.com/o/oauth2/auth",
rlm_perl: "token_endpoint": "https://www.googleapis.com/oauth2/v3/token",
rlm_perl: "userinfo_endpoint": "https://www.googleapis.com/plus/v1/people/me/openIdConnect",
rlm_perl: "revocation_endpoint": "https://accounts.google.com/o/oauth2/revoke",
rlm_perl: "jwks_uri": "https://www.googleapis.com/oauth2/v2/certs",
rlm_perl: "response_types_supported": [
rlm_perl: "code",
rlm_perl: "token",
rlm_perl: "id_token",
rlm_perl: "code token",
rlm_perl: "code id_token",
rlm_perl: "token id_token",
rlm_perl: "c...
rlm_perl: (+ 200 more bytes not shown)
rlm_perl: POST https://www.googleapis.com/oauth2/v3/token
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2
rlm_perl: From: [email protected]
rlm_perl: User-Agent: freeradius-oauth2-perl/0.1 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.13)
rlm_perl: Content-Length: 193
rlm_perl: Content-Type: application/x-www-form-urlencoded
rlm_perl:
rlm_perl: scope=openid&username=user%40gmail.com&password=password&grant_type=password&client_id=115158283190-ha33milannvb28vphm7j7uu9leeaptoq.apps.googleusercontent.com&client_secret=notasecret
rlm_perl: HTTP/1.1 400 Bad Request
rlm_perl: Cache-Control: private, max-age=0
rlm_perl: Connection: close
rlm_perl: Date: Thu, 19 Mar 2015 18:46:06 GMT
rlm_perl: Server: GSE
rlm_perl: Vary: Origin
rlm_perl: Vary: X-Origin
rlm_perl: Content-Encoding: gzip
rlm_perl: Content-Type: application/json; charset=UTF-8
rlm_perl: Expires: Thu, 19 Mar 2015 18:46:06 GMT
rlm_perl: Alternate-Protocol: 443:quic,p=0.5
rlm_perl: Client-Date: Thu, 19 Mar 2015 18:46:06 GMT
rlm_perl: Client-Peer: 2a00:1450:4007:80e::200a:443
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=.storage.googleapis.com
rlm_perl: Client-SSL-Cipher: ECDHE-RSA-AES128-SHA
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Frame-Options: SAMEORIGIN
rlm_perl: X-XSS-Protection: 1; mode=block
rlm_perl:
rlm_perl: \37\x8B\10\0\0\0\0\0\0\0\xAB\xE6RPJ-
\xCA/R\xB2RP\xCA\xCC+K\xCC\xC9L\x89/J-,M-.Q\xD2\x81I\xC6\xA7\xA4\26'\27e\26\x94d\xE6\xE7\x81\24zB\24*\xF8;\x96\x96d(\30)\xA4\27%\xE6\x95(\x94T\26\xA4Z)\x048\6\7\x87\xFB\7\xB9(q\xD5r\1\0-o<\1^\0\0\0
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Realm = gmail.com
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair NAS-IP-Address = 192.168.2.11
rlm_perl: Added pair Stripped-User-Name = user
rlm_perl: Added pair Stripped-User-Name = user@
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair Message-Authenticator = 0x41f8236edf2403f213990dca445ff2a7
rlm_perl: Added pair Reply-Message = Error: invalid_request
rlm_perl: Added pair Reply-Message = Invalid OAuth 2 grant type: PASSWORD
rlm_perl: Added pair Auth-Type = oauth2-perl
++[oauth2-perl] = reject
+} # group oauth2-perl = reject
Failed to authenticate the user.
Login incorrect: [[email protected]/password](from client localhost port 0)
} # server portal
Using Post-Auth-Type REJECT

Executing group from file /usr/local/etc/raddb/sites-enabled/portal

+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> [email protected]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 200 to 127.0.0.1 port 42856
Reply-Message += "Error: invalid_request"
Reply-Message += "Invalid OAuth 2 grant type: PASSWORD"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 200 with timestamp +3

Could you help?

Thanks

Regards

Thomas

Issues with reaching AzureAD

Morning all,

I have followed this documentation down to the letter and when running a radtest I get the following error:

Sent Access-Request Id 59 from 0.0.0.0:53094 to 127.0.0.1:1812 length 109
User-Name = "nicki.urwin@co.uk"
User-Password = ""
NAS-IP-Address = ...
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "********"
(0) No reply from server for ID 59 socket 3

Guessing it's the link between AzureAD and the EC2 instance.

Any ideas please?

Invalid scalar when not using default domain

Our Office365 tenant has a onmicrosoft.com primary domain and a number of vanity (secondary) domains.
Authenticating with an account with the domain.onmicrosoft.com upn-suffix works fine after the rather extensive list of users and groups is synced.

When we try to authenticate with an account [email protected], authentication fails with:
Invalid value for shared scalar at /opt/freeradius-oauth2-perl/main.pm line 362.

I can get authentication to work for a while by changing %{Realm} in proxy.conf to domain.onmicrosoft.com, restarting freeradius, changing it back and restarting again. Authentication then works for somewhere between an hour and a day after the lists are synced. I haven't pinpointed the exact timeframe.

Before updating to the latest version of freeradius-oauth2-perl I had the same problem but then in the authorization section (line 334 in the latest release).

The value for $realm seems to be in order (the log shows domain.tld when I place a line to output the value in main.pm) but %{$realms{$realm}} throws the error.

My proxy.conf (the lines starting with # are alternatives I tried):

realm domain.tld {
    oauth2 {
        discovery = "https://login.microsoftonline.com/%{Realm}/v2.0"
        #discovery = "https://login.microsoftonline.com/domain.onmicrosoft.com/v2.0"
        client_id = "My-clientID"
        client_secret = "My-clientSecret"
        cache_password = yes
        #cache_password = no
    }
}

realm domain.onmicrosoft.com {
    oauth2 {
        discovery = "https://login.microsoftonline.com/%{Realm}/v2.0"
        client_id = "My-clientID"
        client_secret = "My-clientSecret"
        cache_password = yes
    }
}

Subdomain Realm not authenticating

Hi,

This is my first time playing with this plugin and I managed to get it working beautifully using the domain "mydomain.com.au"; it authenticates ok. Now when I add a new REALM with my subdomain, any authentication with @mydomain.com.au works great but student.mydomain.com.au doesn't.

I've tried to compare both and I've noticed oauth2_perl = notfound, which is very weird. The full image of the error message is below.


I'm attaching two logs: one is trying to authenticate using mydomain.com.au and the other one using student.mydomain.com.au.

I've tried to get only the subdomain as a realm or using REGEX and got the same result. Can anyone shed a light?
Realm student.mydomain.com.au.pdf
Login realm mydomain.com.au.pdf

users failed: 403 forbidden

Hi

When I try to test my setup with the radtest command I always receive 'Received access-reject id ....'. When I try to debug this error with the given sudo freeradius -X command, I see the following log:
rlm_perl: oauth2 worker (x.be): sync
rlm_perl: oauth2 worker (x.be): sync users
rlm_perl: oauth2 worker (x.be): users page
rlm_perl: oauth2 worker (x.be): fetching token
rlm_perl: oauth2 worker (x.be): users failed: 403 Forbidden
rlm_perl: oauth2 worker (x.be): sync groups
rlm_perl: oauth2 worker (x.be): groups page
rlm_perl: oauth2 worker (x.be): groups failed: 403 Forbidden
rlm_perl: oauth2 worker (x.be): apply

How can this be 403 Forbidden after I followed the repo exactly?
-> Directory.Read.all
-> Users.read

The token is new, so not expired or anything.

Any help? Thx!

Invalid value for shared scalar at /opt/freeradius-oauth2-perl/main.pm line 361

Hi!

I'm trying to authenticate wireless users using EAP-TTLS/PAP via freeradius-oauth2-perl.

radtest [email protected] mypassword 127.0.0.1 0 RadiusSecret works fine and results with Access-Accept

When trying to authenticate a wireless user, the request is routed to the inner-tunnel where it fails:

(5) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(5) Auth-Type oauth2 {
(5) policy oauth2.authenticate {
(5) oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> '[email protected]'
(5) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'mypassword'
(5) oauth2_perl: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(5) oauth2_perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'oauth2'
(5) oauth2_perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'oauth2'
rlm_perl: oauth2 authenticate
Use of uninitialized value $realm in hash element at /opt/freeradius-oauth2-perl/main.pm line 361.
Use of uninitialized value $realm in hash element at /opt/freeradius-oauth2-perl/main.pm line 361.
Use of uninitialized value $realm in hash element at /opt/freeradius-oauth2-perl/main.pm line 361.
(5) oauth2_perl: perl_embed:: module = /opt/freeradius-oauth2-perl/main.pm , func = authenticate exit status= Invalid value for shared scalar at /opt/freeradius-oauth2-perl/main.pm line 361.
(5) oauth2_perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'mypassword'
(5) oauth2_perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> '[email protected]'
(5) oauth2_perl: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(5) oauth2_perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'oauth2'
(5) [oauth2_perl] = fail
(5) } # policy oauth2.authenticate = fail
(5) } # Auth-Type oauth2 = fail
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(5) Login incorrect: [[email protected]] (from client andis1 port 0 via TLS tunnel)
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 6 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject

I believe the problem is that $realm is uninitialized, but I don't know why:
Use of uninitialized value $realm in hash element at /opt/freeradius-oauth2-perl/main.pm line 361

Here is my /etc/freeradius/sites-enabled/inner-tunnel:

server inner-tunnel {
    listen {
        type = auth
        ipaddr = *
        port = 18120
    }

    authorize {
        if (!control:Auth-Type) {
            update control { Auth-Type := oauth2 }
        }
    }

    authenticate {
        Auth-Type oauth2 {
            oauth2
        }
    }

    post-auth {
    }
}

Need help with Azure Authentication

Hello,

I get the following error:
rlm_perl: oauth2 worker (test.co): supervisor started (tid=1)
rlm_perl: oauth2 worker (test.co): fetching discovery document
rlm_perl: oauth2 worker (test.co): discovery failed: 404 Not Found
Thread 1 terminated abnormally: discovery (test.co): 404 Not Found at /opt/freeradius-oauth2-perl/main.pm line 123.

my proxy.conf

realm test.co {
    oauth2 {
        discovery = "https://login.microsoftonline.com/8935a2f4-928c-4a2e-8997-686dbdf9047e/oauth2/v2.0/authorize"
        client_id = "...."
        client_secret = "..."
        cache_password = yes
    }
}

Can someone help me please

thanks

Andreas

about syncing

Hi, just curious: is the 30 seconds Azure syncing all about checking which Azure users are still available? In case we find out early that a user's account is expired, then we don't bother with the Azure login (because we know it will fail), and this is why we are syncing?

logging severity to highlight problems

From https://lists.freeradius.org/pipermail/freeradius-users/2022-March/101576.html by @drthiruna

rlm_perl: oauth2 worker (tanuvas.edu.in): supervisor started (tid=1)
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching discovery document
Waking up in 0.4 seconds.
rlm_perl: oauth2 worker (tanuvas.edu.in): started (tid=2)
rlm_perl: oauth2 worker (tanuvas.edu.in): sync
rlm_perl: oauth2 worker (tanuvas.edu.in): sync users
rlm_perl: oauth2 worker (tanuvas.edu.in): users page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
Waking up in 0.7 seconds.
Use of uninitialized value $v in concatenation (.) or string at /usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167.
rlm_perl: oauth2 worker (tanuvas.edu.in): users failed: 400 Bad Request
rlm_perl: oauth2 worker (tanuvas.edu.in): sync groups
rlm_perl: oauth2 worker (tanuvas.edu.in): groups page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
rlm_perl: oauth2 worker (tanuvas.edu.in): groups failed: 500 Can't connect to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error)
Thread 2 terminated abnormally: token (tanuvas.edu.in): 500 Can't connect to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error) at /usr/local/pf/raddb/mods-config/perl/oauth2.pm line 191.
rlm_perl: oauth2 worker (tanuvas.edu.in): died, sleeping for 0 seconds
rlm_perl: oauth2 worker (tanuvas.edu.in): started (tid=3)
rlm_perl: oauth2 worker (tanuvas.edu.in): sync
rlm_perl: oauth2 worker (tanuvas.edu.in): sync users
rlm_perl: oauth2 worker (tanuvas.edu.in): users page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token

...also fix passing junk to Net::HTTP.
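As an added example that is not part of the project or of any report on this page, the script below does the severity triage asked for here: it classifies the worker and authenticate log lines quoted in this and the other threads (token 401, users/groups 403, discovery 404, the synthetic 500 on transport errors, dead worker threads, and the AADSTS50076 and AADSTS90014 messages) into a severity with a likely cause. The cause texts are the usual meaning of those responses, stated as assumptions rather than as a description of what the module does; the sample lines and the realm example.test are constructed from the reports above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Likely cause per failing stage and HTTP status, keyed "stage:status".
# Assumptions based on what these responses normally mean, not module internals.
my %HINTS = (
    'discovery:404' => [ 'ERROR', 'no OpenID discovery document at that URL; compare the discovery setting with a working proxy.conf (https://login.microsoftonline.com/<realm>/v2.0)' ],
    'token:400'     => [ 'WARN',  'token request rejected; the AADSTS text in Reply-Message says why' ],
    'token:401'     => [ 'ERROR', 'identity provider rejected the client credentials (client_id/client_secret)' ],
    'users:403'     => [ 'ERROR', 'token accepted but not permitted to read users; check the Graph API permissions and admin consent' ],
    'groups:403'    => [ 'ERROR', 'token accepted but not permitted to read groups; check the Graph API permissions and admin consent' ],
);

# Operational meaning of the AADSTS codes quoted in the reports on this page.
my %AADSTS = (
    50076 => 'account requires MFA, which a password grant cannot satisfy',
    90014 => 'no password reached the token request; the inner EAP method must deliver a plaintext password (TTLS/PAP rather than MS-CHAPv2)',
);

# Classify one debug-log line. Returns (severity, explanation), or an empty
# list when the line is not a failure this script recognises.
sub classify {
    my ($line) = @_;

    # "oauth2 worker (realm): users failed: 403 Forbidden" and the
    # authenticate-path variant "oauth2 token failed: 400 Bad Request".
    if ($line =~ /oauth2 (?:worker \(([^)]+)\): )?(\w+) failed: (\d{3}) (.*)$/) {
        my ($realm, $stage, $status, $reason) = ($1 // 'authenticate', $2, $3, $4);
        if (my $h = $HINTS{"$stage:$status"}) {
            return ($h->[0], "$realm: $stage failed ($status): $h->[1]");
        }
        # libwww-perl reports its own connection failures (timeouts, TLS and
        # OCSP verification errors) as a synthetic 500, as in the logs above.
        return ('ERROR', "$realm: $stage failed: transport or TLS problem: $reason")
            if $status eq '500';
        return ('WARN', "$realm: $stage failed ($status): $reason");
    }
    if ($line =~ /Thread \d+ terminated abnormally: (.*)$/) {
        return ('ERROR', "worker thread died and will be restarted: $1");
    }
    if ($line =~ /(AADSTS(\d+)):/) {
        my $why = $AADSTS{$2} // 'unlisted code; look it up in the AADSTS error reference';
        return ('WARN', "$1: $why");
    }
    return;
}

# Run over a list of lines, print each classified one and return the
# per-severity counts as a hash reference.
sub triage {
    my @lines = @_;
    my %count;
    for my $line (@lines) {
        my ($sev, $msg) = classify($line);
        next unless defined $sev;
        $count{$sev}++;
        printf "[%-5s] %s\n", $sev, $msg;
    }
    return \%count;
}

# Constructed sample lines, reconstructed from the reports on this page.
my @sample = (
    'rlm_perl: oauth2 worker (example.test): fetching token',
    'rlm_perl: oauth2 worker (example.test): token failed: 401 Unauthorized',
    'rlm_perl: oauth2 worker (example.test): users failed: 403 Forbidden',
    'rlm_perl: oauth2 worker (example.test): discovery failed: 404 Not Found',
    'rlm_perl: oauth2 worker (example.test): users failed: 500 read timeout',
    'Thread 4 terminated abnormally: token (example.test): 500 read timeout at main.pm line 179.',
    'rlm_perl: oauth2 token failed: 400 Bad Request',
    q{(17) oauth2_perl: &reply:Reply-Message += $RAD_REPLY{'Reply-Message'} -> 'AADSTS50076: you must use multi-factor authentication'},
    q{rlm_perl: Added pair Reply-Message = AADSTS90014: The request body must contain the following parameter: 'password'.},
);
my $totals = triage(@sample);
printf "%d ERROR, %d WARN\n", $totals->{ERROR} // 0, $totals->{WARN} // 0;
```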

Destination must be an attribute ref or a list

/etc/freeradius/3.0/mods-enabled/oauth2[18]: Destination must be an attribute ref or a list
/etc/freeradius/3.0/mods-enabled/oauth2[12]: Instantiation failed for module "oauth2_cache"
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on Apr 22 2019 at 21:23:36
FreeRADIUS Version 3.0.17

Authentication failing using access point with EAP

Hello,

Configured Free Radius and the oauth2 authentication - everything is working fine.

When I do:

root@VM-AUTH:/etc/freeradius/sites-available# radtest [email protected] Og@2023! 20.19.x.y 0 ***
Sent Access-Request Id 143 from 0.0.0.0:42117 to 20.19.x.y:1812 length 85
User-Name = "[email protected]"
User-Password = "xxxx!"
NAS-IP-Address = 10.0.0.4
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "xxxx"
Received Access-Accept Id 143 from 20.19.x.y:1812 to 10.0.0.4:42117 length 20
root@VM-AUTH:/etc/freeradius/sites-available#

It works.

Knowing that 20.19.x.y is my freeradius server IP address.

....

Now, when I do the test from my Access Point


It gives me this message:

Executing section authorize from file /etc/freeradius/sites-enabled/default

(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "accelis.fr" for User-Name = "[email protected]"
(0) suffix: Found realm "xxx.fr"
(0) suffix: Adding Stripped-User-Name = "test"
(0) suffix: Adding Realm = "xxx.fr"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: Peer sent EAP Response (code 2) ID 1 length 20
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x45814ee245834a5c
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 46 from 10.0.0.4:1812 to 62.129.14.123:53671 length 80
(0) EAP-Message = 0x010200160410a42e880bb89199f1678efbb23b0052f1
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x45814ee245834a5c20cd516ecc6512c1
(0) Finished request

In my default file i noticed i have this :

    eap {
            ok = return
            #updated = return
    }
    #eap

I think freeradius is skipping the oauth authentication with my Azure AD once it sees that it's EAP.

Any idea how I can fix this?

Small fixes to make it work with AzureAD in 2019

I know this project is quite old, but it works well and thus I thought of contributing a couple of small hints to make it work with the current version of AzureAD.

The setup information kinda works. The recent AzureAD UI is slightly different from the previous one, but there is a document from Microsoft explaining the differences here and is pretty straightforward.

The perl code needs some tweaks.

There are a couple of lines raising errors in JSON decoding.
This one:
my $j = decode_json $r->decoded_content;
Needs to be changed to this:
my $j = JSON->new->allow_nonref->decode($r->decoded_content);

Then, when a successful authentication has happened, microsoft AD apparently does NOT respond with a full JSON with all the fields required by this module, but only with the auth token.
Therefore, the following lines need to be commented out because the received json simply does not contain token_type and access_token, but just token_id:
unless (defined($j->{'token_type'} && $j->{'access_token'})) { &radiusd::radlog(RADIUS_LOG_ERROR, 'missing token_type/access_token in JSON response'); return RLM_MODULE_REJECT; }
It should not be an issue because in case of unsuccessful auth the received JSON is completely different and only includes error codes. It is just a quick fix, probably needs some more exception handling, but so far worked for me.

More oauth2 Attributes in dictionary files

Are there any other attributes we can query from Azure AD with freeradius-oauth2-perl?
I'd like to get other user/company info from Azure AD besides OAuth2-Password-Last-Modified and OAuth2-Group.

Radtest returning "Expected Access-Accept got Access-Reject"

Hi,

I managed to set up the Azure AD application and did all the configuration for the RADIUS server which I am running in a Ubuntu VM just for testing purposes for now.
Thing is, my Azure AD freeradius app is showing successful sign-ins for the radtests I tried, but nevertheless radtest is returning:
"Expected Access-Accept got Access-Reject"

One peculiar behaviour:
When I restart radius and run a radtest, it gets a "No reply" message ONLY THE FIRST TRY, and the debug from freeradius -X says "Sent Access-Accept ID 119 from ... to...".
When I try a second radtest, I get an Access-Reject from radtest, and the debug from freeradius -X also says a reject was sent.

No other error messages appear in the freeradius -X debug log, it seems like it just can't authorize for some reason.

Other noteworthy point: we have MFA enabled for our directory users, so radtests with MFA protected accounts fail with a message saying that MFA is preventing authorization, so I tested with a service account which does not have MFA enabled. This produces the above described scenario.

Any ideas here? Any other info you need?

802.1X met error

I configured 802.1X on my AC; the freeradius-oauth2-perl radtest access succeeds, but when I connect to WiFi it reports failure. I don't know how to solve it. Hoping for your reply, thanks ~

log:
(14) Received Access-Request Id 34 from 192.168.9.2:62196 to 192.168.8.199:1812 length 387
(14) User-Name = "[email protected]"
(14) NAS-Port = 10
(14) Service-Type = Framed-User
(14) Framed-Protocol = PPP
(14) Calling-Station-Id = "a078-1791-c1b2"
(14) NAS-Identifier = "AirEngine9700S-S"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=10;interfaceName=Wlan-Dbss17551"
(14) State = 0x478426ac44123f627d1e79a3a59d6e07
(14) EAP-Message = 0x029600061900
(14) Message-Authenticator = 0xf5c592c6ff3998233531ad627b0e99a6
(14) Called-Station-Id = "44-22-7C-4A-C5-00:vesoft-radius-test"
(14) NAS-IP-Address = 192.168.8.199
(14) Framed-MTU = 1500
(14) Acct-Session-Id = "AirEngi000000000000106f1e300100057"
(14) Huawei-Startup-Stamp = 1691862620
(14) Huawei-IPHost-Addr = "255.255.255.255 a0::17:91:c1:b2"
(14) Huawei-Connect-ID = 4183
(14) Huawei-Version = "V200R022C00"
(14) Huawei-Product-ID = "AC"
(14) Huawei-Loopback-Address = "*********"
(14) Huawei-User-Mac = "\000\000\000\001"
(14) Restoring &session-state
(14) &session-state:Framed-MTU = 994
(14) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "test.com" for User-Name = "[email protected]"
(14) suffix: Found realm "test.com"
(14) suffix: Adding Stripped-User-Name = "ph"
(14) suffix: Adding Realm = "test.com"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) eap: Peer sent EAP Response (code 2) ID 150 length 6
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0x478426ac44123f62
(14) eap: Finished EAP session with state 0x478426ac44123f62
(14) eap: Previous EAP request found for state 0x478426ac44123f62, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 151 length 743
(14) eap: EAP session adding &reply:State = 0x478426ac43133f62
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) Challenge { ... } # empty sub-section is ignored
(14) session-state: Saving cached attributes
(14) Framed-MTU = 994
(14) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) Sent Access-Challenge Id 34 from 192.168.8.199:1812 to 192.168.9.2:62196 length 805
(14) EAP-Message = 0x019702e7190072746966696361746520417574686f72697479821417f40863d17bcb92d6d78ed5c3ca55579325c3f3300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100434e53b44ae9c2263bab2c813d6d89498f99ef451bc7d489ffc9d69d82c74c08238bc6ecb4137bc1f869494f80c5c60c32002343080b4c48b2dc30de212cc02ae10a2e7afa50d7605bab6655c7e56d0c4c4729d57dccd3e5520847e42e53f17e314e5d3d8b70577c39de5e3090e4e32db45ea293d7c16b465a9f787e2db46d925bd51e10fad1f93328803986dcff00f16955c44b85dff5983cc66207158dce7f814e31c2f32cbbbea0019cbb433bf176968822c03957347c3a795b0957594e9a1da9e527c6590a684ee758444128242e3283c7dc7adddbc610d3fd3f86384d64f1ca175a2ad3354dfecb5a
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x478426ac43133f627d1e79a3a59d6e07
(14) Finished request
Waking up in 4.8 seconds.
(10) Cleaning up request packet ID 30 with timestamp +471 due to cleanup_delay was reached
(11) Cleaning up request packet ID 31 with timestamp +471 due to cleanup_delay was reached
(12) Cleaning up request packet ID 32 with timestamp +471 due to cleanup_delay was reached
(13) Cleaning up request packet ID 33 with timestamp +471 due to cleanup_delay was reached
(14) Cleaning up request packet ID 34 with timestamp +471 due to cleanup_delay was reached

Unifi freeradius authentication.

Hello all. I set up FreeRADIUS + OAuth2 with Microsoft and it works great. I have an issue with the Unifi WiFi router, because they support only the MSCHAP protocol, but freeradius-oauth2 uses EAP-TTLS/PAP. Can you help with how I can connect Unifi to use freeradius-oauth2 for authentication? Any suggestions are welcome.

NTRadPing Test Utility

Hi,
First, thanks for your help on my next issue ^^.

I succeeded in performing a simple radtest with:
radtest [email protected] MyPassword 127.0.0.1 0 testing123
It returns:

    Sent Access-Request Id 127 from 0.0.0.0:46304 to 127.0.0.1:1812 length 96
        User-Name = "[email protected]"
        User-Password = "MyPassword"
        NAS-IP-Address = AnIpAddress
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "MyPassword"
    Received Access-Accept Id 127 from 127.0.0.1:1812 to 127.0.0.1:46304 length 34
        Class = 0x4649444f325f416363657373

I then would like to try with "NTRadPing Test Utility" to see if it works.
It looks like this:
[screenshot: Capture]

I added a client that you will be able to find with the name "clientName", using the FreeRADIUS public IP address.
When trying to send my request I get this error:
ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

Can you help me figure out what I am doing wrong, please?

What I got in debug mode, where I do a radtest and then try to send the request with NTRadPing Test Utility:
DebugModeResults.txt

support plumbing for webhooks

To avoid the polling and instead get more instant/live data, we can look to use webhooks instead.

I have only not implemented it as this is very site specific (you need to expose an HTTP server that can talk to your RADIUS server(s) and prompt them to reload) and I would rather have any implementation guided by an actual deployment rather than what I would do.

For those reading this, some of the 'reload' work is in place in the form of the $SIG{'HUP'} hooks throughout the code but we would need to trigger this via radtest as rlm_perl masks out signals.

segfault when unable to fetch token

One user reported the following (though it looks like they are using old/unknown distro provided packaging):

  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
[snipped]
rlm_perl: oauth2 worker (domain.com): supervisor started (tid=1)
rlm_perl: oauth2 worker (domain.com): fetching discovery document
rlm_perl: oauth2 worker (domain.com): started (tid=2)
rlm_perl: oauth2 worker (domain.com): sync
rlm_perl: oauth2 worker (domain.com): sync users
rlm_perl: oauth2 worker (domain.com): users page
rlm_perl: oauth2 worker (domain.com): fetching token
rlm_perl: oauth2 worker (domain.com): users page
... many times ...
rlm_perl: oauth2 worker (domain.com): groups page
... many times ...
rlm_perl: oauth2 worker (domain.com): users failed: 500 read timeout
Thread 4 terminated abnormally: token (domain.com): 500 read timeout at /opt/freeradius-oauth2-perl/main.pm line 179.
rlm_perl: oauth2 worker (domain.com): died, sleeping for 4 seconds
rlm_perl: oauth2 worker (domain.com): started (tid=5)
rlm_perl: oauth2 worker (domain.com): sync
rlm_perl: oauth2 worker (domain.com): sync users
rlm_perl: oauth2 worker (domain.com): users page
rlm_perl: oauth2 worker (domain.com): fetching token
Segmentation fault (core dumped)

Need to see if I can replicate this in 3.0.22... I suspect I need to drop network packets mid-flight to do this.

Authentication problem with Meraki dashboard

Hello,
I hope you are well. Thank you very much for the work you have done on this project.

I set up a FreeRADIUS that uses Azure AD as an authentication source to connect my users on my Meraki kiosk. I followed your support to the letter, but when testing on my Meraki dashboard the RADIUS server does not enter the OAuth2 strategy; it then proxies a second request with my domain removed, and then it finds eap as the auth type.

I attach an output from my freeradius -X:

Received Access-Request Id 0 from 192.168.0.254:45310 to 192.168.0.10:1812 length 218
(24) User-Name = "[email protected]"
(24) NAS-IP-Address = 6.143.88.166
(24) Calling-Station-Id = "02-00-00-00-00-01"
(24) Called-Station-Id = "E0-CB-BC-8F-58-A6:***"
(24) Framed-MTU = 1400
(24) NAS-Port-Type = Wireless-802.11
(24) Service-Type = Framed-User
(24) Connect-Info = "CONNECT 11Mbps 802.11b"
(24) EAP-Message = 0x02a1002a017469656d6f6b6f2e6b65697461406974736577616e2e6f6e6d6963726f736f66742e636f6d
(24) Message-Authenticator = 0x058ba52fec943be5b03cb656d98859e3
(24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(24) authorize {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # if (&User-Name) = notfound
(24) } # policy filter_username = notfound
(24) policy filter_password {
(24) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(24) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(24) } # policy filter_password = notfound
(24) [preprocess] = ok
(24) [chap] = noop
(24) [mschap] = noop
(24) [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: Looking up realm "********" for User-Name = "[email protected]"
(24) suffix: Found realm "XXXXXXX.com"
(24) suffix: Adding Stripped-User-Name = "xxxxxx"
(24) suffix: Adding Realm = "XXXXXXX.com"
(24) suffix: Proxying request from user xxxxx to realm XXXXXXXX.com
(24) suffix: Preparing to proxy authentication request to realm "XXXXXX.com"
(24) [suffix] = updated
(24) eap: Request is supposed to be proxied to Realm XXXXXXX.com. Not doing EAP.
(24) [eap] = noop
(24) files: users: Matched entry DEFAULT at line 172
(24) [files] = ok
(24) policy oauth2.authorize {
(24) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(24) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") -> FALSE
(24) else {
(24) [noop] = noop
(24) } # else = noop
(24) } # policy oauth2.authorize = noop
(24) [expiration] = noop
(24) [logintime] = noop
(24) [pap] = noop
(24) } # authorize = updated
(24) Starting proxy to home server 127.0.0.1 port 1812
(24) server default {
(24) }
(24) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(24) Sent Access-Request Id 57 from 0.0.0.0:45018 to 127.0.0.1:1812 length 203
(24) User-Name = "xxxxxx"
(24) NAS-IP-Address = 6.143.88.166
(24) Calling-Station-Id = "02-00-00-00-00-01"
(24) Called-Station-Id = "E0-CB-BC-8F-58-A6:xxxxxx"
(24) Framed-MTU = 1400
(24) NAS-Port-Type = Wireless-802.11
(24) Service-Type = Framed-User
(24) Connect-Info = "CONNECT 11Mbps 802.11b"
(24) EAP-Message = 0x02a1002a017469656d6f6b6f2e6b65697461406974736577616e2e6f6e6d6963726f736f66742e636f6d
(24) Message-Authenticator = 0x058ba52fec943be5b03cb656d98859e3
(24) Event-Timestamp = "May 16 2023 12:07:30 CEST"
(24) Proxy-State = 0x30
Waking up in 0.3 seconds.
(25) Received Access-Request Id 57 from 127.0.0.1:45018 to 127.0.0.1:1812 length 203
(25) User-Name = "xxxxxx"
(25) NAS-IP-Address = 6.143.88.166
(25) Calling-Station-Id = "02-00-00-00-00-01"
(25) Called-Station-Id = "E0-CB-BC-8F-58-A6:xxxxxx"
(25) Framed-MTU = 1400
(25) NAS-Port-Type = Wireless-802.11
(25) Service-Type = Framed-User
(25) Connect-Info = "CONNECT 11Mbps 802.11b"
(25) EAP-Message = 0x02a1002a017469656d6f6b6f2e6b65697461406974736577616e2e6f6e6d6963726f736f66742e636f6d
(25) Message-Authenticator = 0x712997e8c4c6b1f9bb8b25915165550c
(25) Event-Timestamp = "May 16 2023 12:07:30 CEST"
(25) Proxy-State = 0x30
(25) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(25) authorize {
(25) policy filter_username {
(25) if (&User-Name) {
(25) if (&User-Name) -> TRUE
(25) if (&User-Name) {
(25) if (&User-Name =~ / /) {
(25) if (&User-Name =~ / /) -> FALSE
(25) if (&User-Name =~ /@[^@]*@/ ) {
(25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(25) if (&User-Name =~ /\.\./ ) {
(25) if (&User-Name =~ /\.\./ ) -> FALSE
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(25) if (&User-Name =~ /\.$/) {
(25) if (&User-Name =~ /\.$/) -> FALSE
(25) if (&User-Name =~ /@\./) {
(25) if (&User-Name =~ /@\./) -> FALSE
(25) } # if (&User-Name) = notfound
(25) } # policy filter_username = notfound
(25) policy filter_password {
(25) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(25) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(25) } # policy filter_password = notfound
(25) [preprocess] = ok
(25) [chap] = noop
(25) [mschap] = noop
(25) [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: No '@' in User-Name = "xxxxxxx", looking up realm NULL
(25) suffix: No such realm "NULL"
(25) [suffix] = noop
(25) eap: Peer sent EAP Response (code 2) ID 161 length 42
(25) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(25) authenticate {
(25) eap: Identity does not match User-Name, setting from EAP Identity
(25) eap: Failed in handler
(25) [eap] = invalid
(25) } # authenticate = invalid
(25) Failed to authenticate the user
(25) Using Post-Auth-Type Reject
(25) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(25) Post-Auth-Type REJECT {
(25) attr_filter.access_reject: EXPAND %{User-Name}
(25) attr_filter.access_reject: -->xxxxxx
(25) attr_filter.access_reject: Matched entry DEFAULT at line 11
(25) [attr_filter.access_reject] = updated
(25) eap: Identity does not match User-Name, setting from EAP Identity
(25) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(25) [eap] = noop
(25) policy remove_reply_message_if_eap {
(25) if (&reply:EAP-Message && &reply:Reply-Message) {
(25) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(25) else {
(25) [noop] = noop
(25) } # else = noop
(25) } # policy remove_reply_message_if_eap = noop
(25) } # Post-Auth-Type REJECT = updated
(25) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(24) Expecting proxy response no later than 19.666687 seconds from now
Waking up in 0.6 seconds.
Suppressing duplicate proxied request (too fast) to home server 127.0.0.1 port 1812 proto TCP - ID: 57
(25) Sending delayed response
(25) Sent Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:45018 length 23
(25) Proxy-State = 0x30
Waking up in 3.9 seconds.
(24) Clearing existing &reply: attributes
(24) Received Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:45018 length 23
(24) Proxy-State = 0x30
(24) server default {
(24) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(24) post-proxy {
(24) eap: No pre-existing handler found
(24) [eap] = noop
(24) } # post-proxy = noop
(24) }
(24) Login incorrect (Home Server says so): [[email protected]] (from client xxxxxxx port 0 cli 02-00-00-00-00-01)
(24) Using Post-Auth-Type Reject
(24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(24) Post-Auth-Type REJECT {
(24) attr_filter.access_reject: EXPAND %{User-Name}
(24) attr_filter.access_reject: --> [email protected]
(24) attr_filter.access_reject: Matched entry DEFAULT at line 11
(24) [attr_filter.access_reject] = updated
(24) eap: Request was previously rejected, inserting EAP-Failure
(24) eap: Sending EAP Failure (code 4) ID 161 length 4
(24) [eap] = updated
(24) policy remove_reply_message_if_eap {
(24) if (&reply:EAP-Message && &reply:Reply-Message) {
(24) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(24) else {
(24) [noop] = noop
(24) } # else = noop
(24) } # policy remove_reply_message_if_eap = noop
(24) } # Post-Auth-Type REJECT = updated
(24) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(24) Sending delayed response
(24) Sent Access-Reject Id 0 from 192.168.0.10:1812 to 192.168.0.254:45310 length 44
(24) EAP-Message = 0x04a10004
(24) Message-Authenticator = 0x00000000000000000000000000000000

Can you help me, please?
Thank you in advance for your help.

freeradius-oauth2-perl with NAC Alcasar

Hi,
I don't think this is a bug, but I can't understand why the module doesn't seem to take into account my "realm" with the FreeRADIUS 3.0.22 used in the NAC Alcasar (https://alcasar.net/).
In debug mode, the module seems to be loaded:

/usr/sbin/radiusd -Xd /etc/raddb/ | grep oauth2
including configuration file /etc/raddb//mods-enabled/oauth2
including configuration file /etc/raddb//policy.d/oauth2
  # Creating Auth-Type = oauth2
   # Loading module "oauth2_perl" from file /etc/raddb//mods-enabled/oauth2
   perl oauth2_perl {
         filename = "/opt/freeradius-oauth2-perl/main.pm"
   # Loading module "oauth2_cache" from file /etc/raddb//mods-enabled/oauth2
   cache oauth2_cache {
   # Instantiating module "oauth2_perl" from file /etc/raddb//mods-enabled/oauth2
rlm_perl:********************************************* oauth2 global* ************************************************** *
   # Instantiating module "oauth2_cache" from file /etc/raddb//mods-enabled/oauth2
rlm_cache (oauth2_cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Compiling Auth-Type oauth2 for attr Auth-Type

But at the time of the test, here is what it gives:

> (0) policy oauth2.authorize {
> (0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
> (0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") -> FALSE
> (0) } # policy oauth2.authorize = noop

I tested the installation of the module on a Debian 11 machine with FreeRADIUS; it works well, and I authenticate fine with an email and a password on Office365!
I took the same configuration in the Alcasar FreeRADIUS, but it doesn't seem to "hang" my "realm"!
Help please!

Device ID or Operating system

I noticed that the corresponding login record can be found in Azure, so how can I change the code so that Azure receives the login device ID or operating system? Looking forward to your reply, thanks.

Error response from MS

Hi jimdigriz,

I really love the work you did on this project and I am actually using it :)
I know my way around a RADIUS server and implemented it the way you explained. It worked, but not anymore, unfortunately. I keep getting the following error response:

AADSTS90014: The request body must contain the following parameter: 'password'.

As I look at the body, everything works nicely, but after &password= immediately comes &grant_type=password.

&password=&grant_type=password&client_id=

Can you tell me what to look for or point me in the correct direction?

Regards,

Jim van den Haak
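
The two failure modes raised on this page, the empty `password=` field in the token request body (the AADSTS90014 reply above) and the JSON reply that the module's `token_type`/`access_token` check rejected (the "Small fixes" issue above), handled in one place. This is an added example, not freeradius-oauth2-perl's own code: `build_token_body`, `parse_token_response`, the `scope` default and the sample replies are constructed for illustration, and it uses the core JSON::PP module, which has the same `allow_nonref`/`decode` interface as the JSON module quoted earlier.

```perl
#!/usr/bin/perl
# Added example (not freeradius-oauth2-perl's own code): build the
# grant_type=password token request body and interpret Azure AD's JSON
# reply defensively.
use strict;
use warnings;
use JSON::PP;   # core module; same allow_nonref/decode API as JSON

# application/x-www-form-urlencoded escaping (RFC 3986 unreserved set kept)
sub form_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Returns the encoded body, or dies with a local diagnostic when a required
# field is missing.  An empty password would otherwise leave the body reading
# "&password=&grant_type=password" and earn an AADSTS90014 from the IdP; the
# usual cause is that no cleartext User-Password reached the module (the
# supplicant did not use TTLS/PAP), so failing locally gives a clearer log.
sub build_token_body {
    my (%p) = @_;
    for my $k (qw(client_id username password)) {
        die "oauth2: cannot request token, '$k' is empty\n"
            unless defined $p{$k} && length $p{$k};
    }
    my @pairs = (
        grant_type => 'password',
        client_id  => $p{client_id},
        username   => $p{username},
        password   => $p{password},
        scope      => $p{scope} // 'openid',   # assumed default scope
    );
    my @enc;
    while (my ($k, $v) = splice @pairs, 0, 2) {
        push @enc, form_escape($k) . '=' . form_escape($v);
    }
    return join '&', @enc;
}

# Returns (1, \%token) on success, (0, $reason) otherwise.  Accepts replies
# that carry only an id_token and surfaces the IdP's own error text instead
# of the generic "missing token_type/access_token" message.
sub parse_token_response {
    my ($content) = @_;
    my $j = eval { JSON::PP->new->allow_nonref->decode($content) };
    return (0, "unparseable token response: $@") unless defined $j;
    return (0, 'token response is not a JSON object') unless ref $j eq 'HASH';
    if (defined $j->{error}) {
        my $desc = $j->{error_description} // '';
        $desc =~ s/\s+/ /g;                 # AADSTS descriptions span lines
        return (0, "$j->{error}: $desc");
    }
    return (1, $j) if defined $j->{access_token} || defined $j->{id_token};
    return (0, 'no access_token or id_token in response');
}

# --- constructed sample data, not captured from a real tenant ---
my $body = build_token_body(
    client_id => 'CLIENT-ID-PLACEHOLDER',
    username  => 'user@example.com',
    password  => 'p&ss word',
);
print "$body\n";

for my $reply (
    '{"id_token":"eyJ.constructed.sample"}',
    '{"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials.\r\nTrace ID: 0"}',
    'not json',
) {
    my ($ok, $r) = parse_token_response($reply);
    print $ok ? "accept\n" : "reject: $r\n";
}
```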

Use of uninitialized value $v in concatenation (.) or string

Hello,

I keep getting the following errors when running radiusd -X on AlmaLinux (it's the distro I, as IT admin, primarily use in production) and then running radtest:

rlm_perl: oauth2 worker (brain-plus.com): token failed: 400 Bad Request
Use of uninitialized value $v in concatenation (.) or string at /usr/share/perl5/vendor_perl/Net/HTTP/Methods.pm line 161.
rlm_perl: oauth2 worker (****-***.com): users failed: 400 Bad Request
rlm_perl: oauth2 worker (****-***.com): sync groups
rlm_perl: oauth2 worker (****-***.com): groups page
rlm_perl: oauth2 worker (****-***.com): fetching token
rlm_perl: oauth2 worker (****-***.com): token failed: 400 Bad Request
Use of uninitialized value $v in concatenation (.) or string at /usr/share/perl5/vendor_perl/Net/HTTP/Methods.pm line 161.
rlm_perl: oauth2 worker (****-***.com): groups failed: 400 Bad Request

What to do?

Time parsing is still bust

So it turns out my fix for locale massaging does not properly work:

(23) oauth2_perl:   $RAD_CONFIG{'OAuth2-Password-Last-Modified'} = &control:OAuth2-Password-Last-Modified -> 'Nov  5 2020 11:31:56 UTC' rlm_perl: oauth2 authorize
(23) oauth2_perl: perl_embed:: module = /opt/freeradius-oauth2-perl/main.pm , func = authorize exit status= Error parsing time at /usr/lib/x86_64-linux-gnu/perl/5.26/Time/Piece.pm line 481.

This might be moot with a newer (currently unreleased) version of FreeRADIUS, so let's test that and decide if I just need to poke the NR team to cut a new release or I need to fix my horrific use of Time::Piece.
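
The date string that tripped Time::Piece in the log above, `Nov  5 2020 11:31:56 UTC`, parsed with a plain regex and core Time::Local instead. This is an added example, not the project's code; it assumes the value always arrives in that FreeRADIUS date-string layout with a UTC/GMT suffix, and the function name and test inputs are constructed.

```perl
#!/usr/bin/perl
# Added example (not freeradius-oauth2-perl's own code): parse the FreeRADIUS
# date-string form 'Nov  5 2020 11:31:56 UTC' without Time::Piece, whose
# strptime failed on it.  Only UTC/GMT suffixes are accepted, since the value
# comes from the server's own control list.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MON = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Returns epoch seconds, or dies with a message naming the offending value
# (preferable to Time::Piece's bare "Error parsing time").
sub parse_radius_date {
    my ($s) = @_;
    # The day is space-padded to width 2 ("Nov  5"), hence \s+ between fields.
    my ($mon, $day, $year, $h, $m, $sec, $tz) = $s =~
        /^\s*([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+(\d{2}):(\d{2}):(\d{2})(?:\s+(\w+))?\s*$/
        or die "oauth2: cannot parse date '$s'\n";
    die "oauth2: unknown month in '$s'\n" unless exists $MON{$mon};
    die "oauth2: non-UTC zone '$tz' in '$s'\n"
        if defined $tz && $tz !~ /^(?:UTC|GMT)$/;
    return timegm($sec, $m, $h, $day, $MON{$mon}, $year);
}

# Constructed inputs; the first is the value from the log above.
for my $v ('Nov  5 2020 11:31:56 UTC', 'Jan 31 2021 00:00:00 GMT', 'garbage') {
    my $t = eval { parse_radius_date($v) };
    print defined $t ? "$v => $t\n" : "error: $@";
}
```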

Destination must be an attribute ref or a list

Same error as described in #27.
We've had this working perfectly for a year, but this issue appeared after an unexpected reboot (power issue).

radius log:

FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/oauth2
including configuration file /etc/freeradius/3.0/mods-enabled/service_type_parser
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/oauth2
including configuration file /etc/freeradius/3.0/policy.d/filter_service_type
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
 security {
 	allow_core_dumps = no
 }
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
}
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 16384
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = yes
 	auth_badpass = no
 	auth_goodpass = no
 	msg_denied = " You are already logged in - access denied"
 }
 resources {
 }
 security {
 	max_attributes = 200
 	reject_delay = 1.000000
 	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1912
 	type = "auth"
 	secret = <<< secret >>>
 	response_window = 20.000000
 	response_timeouts = 1
 	max_outstanding = 65536
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	check_timeout = 4
 	num_answers_to_alive = 3
 	revive_interval = 120
  limit {
  	max_connections = 16
  	max_requests = 0
  	lifetime = 0
  	idle_timeout = 0
  }
  coa {
  	irt = 2
  	mrt = 16
  	mrc = 5
  	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm naudit.es {
 }
 realm externo.naudit.es {
 }
radiusd: #### Loading Clients ####
 client client-client-600ee7ac3687ce05252b07ec {
 	ipaddr = 10.0.0.0/8
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	proto = "*"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
Debugger not attached
systemd watchdog is disabled
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  always reject {
  	rcode = "reject"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  always fail {
  	rcode = "fail"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  always ok {
  	rcode = "ok"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  always invalid {
  	rcode = "invalid"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  always userlock {
  	rcode = "userlock"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  always notfound {
  	rcode = "notfound"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  always noop {
  	rcode = "noop"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  always updated {
  	rcode = "updated"
  	simulcount = 0
  	mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  cache cache_eap {
  	driver = "rlm_cache_rbtree"
  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  	ttl = 15
  	max_entries = 0
  	epoch = 0
  	add_stats = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  detail {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail auth_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail reply_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail pre_proxy_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail post_proxy_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  eap {
  	default_eap_type = "md5"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 16384
  }
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  exec echo {
  	wait = yes
  	program = "/bin/echo %{User-Name}"
  	input_pairs = "request"
  	output_pairs = "reply"
  	shell_escape = yes
  }
  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  expr {
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  files {
  	filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  	acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  	preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog {
  	filename = "/var/log/radius/linelog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = "This is a log message for %{User-Name}"
  	reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog log_accounting {
  	filename = "/var/log/radius/linelog-accounting"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  logintime {
  	minimum_timeout = 60
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  mschap {
  	use_mppe = yes
  	require_encryption = no
  	require_strong = no
  	with_ntdomain_hack = yes
   passchange {
   }
  	allow_retry = yes
  	winbind_retry_with_normalised_username = no
  }
  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  exec ntlm_auth {
  	wait = yes
  	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  	shell_escape = yes
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  pap {
  	normalise = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  passwd etc_passwd {
  	filename = "/etc/passwd"
  	format = "*User-Name:Crypt-Password:"
  	delimiter = ":"
  	ignore_nislike = no
  	ignore_empty = yes
  	allow_multiple_keys = no
  	hash_size = 100
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  	hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  radutmp {
  	filename = "/var/log/radius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 384
  	caller_id = yes
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  realm IPASS {
  	format = "prefix"
  	delimiter = "/"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  realm bangpath {
  	format = "prefix"
  	delimiter = "!"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  realm realmpercent {
  	format = "suffix"
  	delimiter = "%"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  realm ntdomain {
  	format = "prefix"
  	delimiter = "\\"
  	ignore_default = no
  	ignore_null = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  soh {
  	dhcp = yes
  }
  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  radutmp sradutmp {
  	filename = "/var/log/radius/sradutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 420
  	caller_id = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  unix {
  	radwtmp = "/var/log/radius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  # Loaded module rlm_perl
  # Loading module "oauth2_perl" from file /etc/freeradius/3.0/mods-enabled/oauth2
  perl oauth2_perl {
  	filename = "/opt/freeradius-oauth2-perl/main.pm"
  	func_authorize = "authorize"
  	func_authenticate = "authenticate"
  	func_post_auth = "post_auth"
  	func_accounting = "accounting"
  	func_preacct = "preacct"
  	func_checksimul = "checksimul"
  	func_detach = "detach"
  	func_xlat = "xlat"
  	func_pre_proxy = "pre_proxy"
  	func_post_proxy = "post_proxy"
  	func_recv_coa = "recv_coa"
  	func_send_coa = "send_coa"
  }
  # Loading module "oauth2_cache" from file /etc/freeradius/3.0/mods-enabled/oauth2
  cache oauth2_cache {
  	driver = "rlm_cache_rbtree"
  	key = "%{User-Name}"
  	ttl = 864000
  	max_entries = 0
  	epoch = 0
  	add_stats = no
  }
  # Loading module "service_type_parser" from file /etc/freeradius/3.0/mods-enabled/service_type_parser
  passwd service_type_parser {
  	filename = "/etc//freeradius/3.0/service_types.conf"
  	format = "Allowed-Service-Type:Any-Service-Type:*,User-Name"
  	delimiter = ":"
  	ignore_nislike = yes
  	ignore_empty = yes
  	allow_multiple_keys = yes
  	hash_size = 50
  }
  instantiate {
  }
  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
   	challenge = "Password: "
   	auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
   	tls = "tls-common"
   }
   tls-config tls-common {
   	verify_depth = 0
   	ca_path = "/etc//freeradius/3.0/certs"
   	pem_file_type = yes
   	private_key_file = "/etc//freeradius/3.0/certs/server-key.pem"
   	certificate_file = "/etc//freeradius/3.0/certs/server.pem"
   	ca_file = "/etc//freeradius/3.0/certs/ca.pem"
   	dh_file = "/etc//freeradius/3.0/certs/dh"
   	fragment_size = 1024
   	include_length = yes
   	auto_chain = yes
   	check_crl = no
   	check_all_crl = no
   	cipher_list = "DEFAULT"
   	cipher_server_preference = no
   	ecdh_curve = "prime256v1"
   	tls_max_version = ""
   	tls_min_version = "1.0"
    cache {
    	enable = no
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    	skip_if_ocsp_ok = no
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
   # Linked to sub-module rlm_eap_ttls
   ttls {
   	tls = "tls-common"
   	default_eap_type = "md5"
   	copy_request_to_tunnel = no
   	use_tunneled_reply = yes
   	virtual_server = "inner-tunnel"
   	include_length = yes
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
   	tls = "tls-common"
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = yes
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = no
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "oauth2_perl" from file /etc/freeradius/3.0/mods-enabled/oauth2
    config {
    }
rlm_perl: oauth2 global
  # Instantiating module "oauth2_cache" from file /etc/freeradius/3.0/mods-enabled/oauth2
rlm_cache (oauth2_cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
/etc/freeradius/3.0/mods-enabled/oauth2[18]: Destination must be an attribute ref or a list
/etc/freeradius/3.0/mods-enabled/oauth2[12]: Instantiation failed for module "oauth2_cache"
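The debug output above ends with the two findings a practitioner would act on: the TLS floor warning and the `oauth2_cache` instantiation failure. As an added example (not part of the issue or of freeradius-oauth2-perl), a small Python audit that pulls both findings out of `radiusd -X` output; the sample lines it embeds are constructed to mirror the tail of the pasted log.

```python
"""Audit `radiusd -X` startup output for two findings that appear in the pasted
log: a TLS floor below 1.2 and modules that failed to instantiate.
Added example, not part of the issue or of freeradius-oauth2-perl."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the tail of the debug output above.
SAMPLE_LOG = """\
   tls-config tls-common {
    tls_max_version = ""
    tls_min_version = "1.0"
   }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
  # Instantiating module "oauth2_cache" from file /etc/freeradius/3.0/mods-enabled/oauth2
/etc/freeradius/3.0/mods-enabled/oauth2[18]: Destination must be an attribute ref or a list
/etc/freeradius/3.0/mods-enabled/oauth2[12]: Instantiation failed for module "oauth2_cache"
"""

TLS_FLOOR: Tuple[int, int] = (1, 2)  # lowest TLS version we accept for EAP
_MIN_RE = re.compile(r'^\s*tls_min_version\s*=\s*"([0-9.]*)"')
# FreeRADIUS reports config problems as "<file>[<line>]: <message>".
_CONF_RE = re.compile(r'^(?P<file>\S+?)\[(?P<line>\d+)\]: (?P<msg>.+)$')
_FAIL_RE = re.compile(r'^Instantiation failed for module "(?P<mod>[^"]+)"$')


def _parse_version(value: str) -> Optional[Tuple[int, ...]]:
    """'1.2' -> (1, 2); an empty string means no floor is pinned."""
    return tuple(int(p) for p in value.split(".")) if value else None


def audit(log_text: str) -> Dict[str, object]:
    """Scan debug output and return the TLS floor, failed modules and fixes."""
    tls_min: Optional[str] = None
    failed: List[Dict[str, object]] = []
    pending: Dict[str, List[str]] = {}  # config file -> errors seen so far
    for line in log_text.splitlines():
        m = _MIN_RE.match(line)
        if m:
            tls_min = m.group(1)
            continue
        m = _CONF_RE.match(line)
        if not m:
            continue
        fail = _FAIL_RE.match(m.group("msg"))
        if fail:
            # Attach the earlier error lines from the same file to the failure.
            failed.append({"module": fail.group("mod"), "file": m.group("file"),
                           "line": int(m.group("line")),
                           "errors": pending.pop(m.group("file"), [])})
        else:
            pending.setdefault(m.group("file"), []).append(
                f'line {m.group("line")}: {m.group("msg")}')
    version = _parse_version(tls_min) if tls_min is not None else None
    weak_tls = version is None or version < TLS_FLOOR
    fixes: List[str] = []
    if weak_tls:
        fixes.append('set tls_min_version = "1.2" in the tls-config block')
    for f in failed:
        fixes.append(f'repair {f["file"]} near line {f["line"]} ({f["module"]}) and rerun radiusd -X')
    return {"tls_min_version": tls_min, "weak_tls": weak_tls,
            "failed_modules": failed, "fixes": fixes}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full output of `radiusd -X` on stdin or from a file to get the same two checks over a real startup.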
