hi,
I need help configuring MAC-based authentication. I use FreeRADIUS 1.0.1 and OpenLDAP 2.0.27-17. The configuration between the HP switch and the RADIUS server is OK. The LDAP directory holds the MAC addresses of all my laptops in the attribute "macAddress". LDAP:
ldapsearch -LL -x -H ldap://atmacldapsr01 -D cn=Manager,o=wuestenrot,c=at -w secret -b ou=workstation,o=wuestenrot,c=at macAddress=00:1E:37:1C:5F:D4 wueroRechnername: ATTSBGVARR40
macAddress: 00:06:1B:CA:53:64
I only want RADIUS to check in LDAP whether the MAC address exists. If the MAC exists, assign VLAN 5; otherwise assign VLAN 10. Does anyone have an idea where my problem is, or a good howto? Is it right to do this with checkval, or with the users file? Does anyone have an example? As a next step, I want to run checks through an external script. Where do I activate this feature? Please help me.
Thanks a lot, Andi. RADIUS:
[root@atmacradsr01 raddb]# radiusd -Xf Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "yes" main: lower_pass = "yes" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded LDAP ldap: server = "atmacldapsr01" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=Manager,o=wuestenrot,c=at" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "secret" ldap: basedn = "ou=workstation,o=wuestenrot,c=at" ldap: filter = "(macAddress=%{User-Name})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP macAddress mapped to RADIUS User-Name rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password 
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed- AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed- AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed- AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x8bb05a8 Module: Instantiated 
ldap (ldap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/ auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded checkval checkval: item-name = "User-Name" checkval: check-name = "macAddress" checkval: data-type = "string" checkval: notfound-reject = no rlm_checkval: Registered name macAddress for attribute 1671 Module: Instantiated checkval (checkval) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/ detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and 
initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests.
Now I connect a laptop to the switch, and this is what is shown on the RADIUS server:
rad_recv: Access-Request packet from host 192.168.10.1:1024, id=241,length=183 Framed-MTU = 9178 NAS-IP-Address = 192.168.10.1 NAS-Identifier = "MAC-VAR" User-Name = "00:06:1b:ca:53:64" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-18-fe-e6-36-ef" Calling-Station-Id = "00-06-1b-ca-53-64" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" CHAP-Password = 0x50eec0218f3e8b36308a4c070b9eca0267 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/192.168.10.1/auth-detail-20080328' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth- detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.1/auth- detail-20080328 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:06:1b:ca:53:64 radius_xlat: '(macAddress=00:06:1b:ca:53:64)' radius_xlat: 'ou=workstation,o=wuestenrot,c=at' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to atmacldapsr01:389, authentication 0 rlm_ldap: bind as cn=Manager,o=wuestenrot,c=at/secret to atmacldapsr01:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=workstation,o=wuestenrot,c=at, with filter (macAddress=00:06:1b:ca:53:64) rlm_ldap: looking for check items in directory... rlm_ldap: Adding macAddress as User-Name, value 00:06:1B:CA:53:64 & op=21 rlm_ldap: looking for reply items in directory... 
rlm_ldap: user 00:06:1b:ca:53:64 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_checkval: Item Name: User-Name, Value: 00:06:1b:ca:53:64 rlm_checkval: Could not find attribute named macAddress in check pairs modcall[authorize]: module "checkval" returns notfound for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password". modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Login incorrect: [00:06:1b:ca:53:64] (from client private-network-1 port 17 cli 00-06-1b-ca-53-64) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 241 to 192.168.10.1:1024 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 241 with timestamp 47eca277 Nothing to do. Sleeping until we see a request.
These are my config files:
cat ldap.attrmap checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem
User-Name
macAddress
checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password sambaLMPassword checkItem NT-Password sambaNTPassword checkItem SMB-Account-CTRL-TEXT sambaAcctFlags checkItem Expiration radiusExpiration replyItem
Service-Type
radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask replyItem Framed-Route radiusFramedRoute replyItem Framed-Routing radiusFramedRouting replyItem Filter-Id radiusFilterId replyItem Framed-MTU radiusFramedMTU replyItem Framed-Compression radiusFramedCompression replyItem Login-IP-Host radiusLoginIPHost replyItem Login-Service radiusLoginService replyItem Login-TCP-Port radiusLoginTCPPort replyItem Callback-Number radiusCallbackNumber replyItem Callback-Id radiusCallbackId replyItem Framed-IPX-Network radiusFramedIPXNetwork replyItem Class radiusClass replyItem Session-Timeout radiusSessionTimeout replyItem Idle-Timeout radiusIdleTimeout replyItem Termination-Action radiusTerminationAction replyItem Login-LAT-Service radiusLoginLATService replyItem Login-LAT-Node radiusLoginLATNode replyItem Login-LAT-Group radiusLoginLATGroup replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone replyItem Port-Limit radiusPortLimit replyItem Login-LAT-Port radiusLoginLATPort file: clients.conf: only add my segment
client 192.168.10.0/24 { secret = testing123-1 shortname = private-network-1 } file: users: only add LDAP as Auth-Type
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = LDAP Fall-Through = 1 #
# Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. file: radius.conf
prefix = /usr
exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid user = radiusd
group = radiusd max_request_time = 30 delete_blocked_requests = no
cleanup_delay = 5 max_requests = 1024
bind_address = *
port = 0
#listen {
# IP address on which to listen. # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) # wildcard (*) # ipaddr = * # Port on which to
listen.
# Allowed values are: # integer port number (1812) # 0 means "use /etc/services for the proper port" # port = 0 # Type of packets to listen
for.
# Allowed values are: # auth listen for authentication packets # acct listen for accounting packets # # type = auth #} # hostname_lookups: Log the names of clients
or just their IP addresses
# allowed values: {no, yes} # hostname_lookups = no # Core dumps are a bad thing. This
should only be set to 'yes'
# if you're debugging a problem with the server. # allowed values: {no, yes} allow_core_dumps = no regular_expressions = yes
extended_expressions = yes # Log the full User-Name attribute, as it was
found in the request.
# # allowed values: {no, yes} # log_stripped_names = no # Log authentication requests to the log
file.
# # allowed values: {no, yes} # log_auth = yes # Log passwords with the authentication
requests.
# log_auth_badpass - logs password if it's rejected # log_auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no # usercollide: Turn "username collision" code
on and off. See the
# "doc/duplicate-users" file usercollide = no # Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no" # #lower_user = no #lower_pass = no lower_user = yes
lower_pass = yes # nospace_user / nospace_pass:
# Some users like to enter spaces in their username or password # incorrectly. To save yourself the tech support call, you can # eliminate those spaces here: # Default is 'no' (don't remove spaces) # Valid values = "before" / "after" / "no" (explanation above) nospace_user = no nospace_pass = no # The program to execute to do concurrency
checks.
checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION
# security { # max_attributes = 200 reject_delay = 1
status_server = no
} # PROXY CONFIGURATION
# proxy_requests: Turns proxying of RADIUS requests on or off. # allowed values: {no, yes} proxy_requests = yes $INCLUDE ${confdir}/proxy.conf # CLIENTS CONFIGURATION
# The 'clients.conf' file contains all of the information from the old # 'clients' and 'naslist' configuration files. We recommend that you # do NOT use 'client's or 'naslist', although they are still # supported. # Anything listed in 'clients.conf' will take precedence over the # information from the old-style configuration files. $INCLUDE ${confdir}/clients.conf # SNMP CONFIGURATION
# 'snmp' attribute to 'yes' snmp = no $INCLUDE ${confdir}/snmp.conf # THREAD POOL CONFIGURATION
# The thread pool is a long-lived group of threads which # take turns (round-robin) handling any incoming requests. # thread pool { # Number of servers to start initially --- should be a reasonable # ballpark figure. start_servers = 5 # Limit on the total number of servers
running.
# max_servers = 32 # Server-pool size regulation.
Rather than making you guess
min_spare_servers = 3 max_spare_servers = 10 # '0' is a special value meaning
'infinity', or 'the servers never
# exit' max_requests_per_server = 0 } # MODULE CONFIGURATION
# modules { # # Each module has a configuration as follows: # # name [ instance ] { # config_item = value # ... # } # # The 'name' is used to load the 'rlm_name' library # which implements the functionality of the module. # # Supports multiple encryption schemes # clear: Clear text # crypt: Unix crypt # md5: MD5 ecnryption # sha1: SHA1 encryption. # DEFAULT: crypt #auskommentiert #pap { # encryption_scheme = crypt #} # CHAP module
# # To authenticate requests containing a CHAP-Password attribute. # #aukommentiert #chap { # authtype = CHAP #} # Pluggable Authentication
Modules
# # For Linux, see: # http://www.kernel.org/pub/linux/libs/pam/index.html # # WARNING: On many systems, the system PAM libraries have # memory leaks! We STRONGLY SUGGEST that you do not # use PAM for authentication, due to those memory leaks. # #pam { # #} #
$INCLUDE ${confdir}/eap.conf # Lightweight Directory Access Protocol
(LDAP)
# # This module definition allows you to use LDAP for # authorization and authentication (Auth-Type := LDAP) # # See doc/rlm_ldap for description of configuration options # and sample authorize{} and authenticate{} blocks ldap { server = "atmacldapsr01" identity = "cn=Manager,o=wuestenrot,c=at" password = secret basedn = "ou=workstation,o=wuestenrot,c=at" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" filter = "(macAddress=%{User-Name})" #filter = "(macAddress=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted
connections
# to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile =
/path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile =
"cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn" #aukommendiert #access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to
LDAP
# directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5
#
# password_attribute = userPassword # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } #
'realm/username'
# # Using this entry, IPASS users have their realm set to "IPASS". realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } # 'username@realm'
# realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } #
'username%realm'
# realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } #
# 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } # A simple value checking
module
# # # Regular expressions in the check attribute value are allowed # as long as the operator is '=~' # checkval { # The attribute to look for in the request #item-name = Calling-Station-Id item-name = User-Name # The attribute to look for in check items. Can be multi valued #check-name = Calling-Station-Id check-name = macAddress # The data type. Can be
# string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the
item-name attribute in the
# request then we send back a reject # DEFAULT is no #notfound-reject = no #notfound-reject = no } # rewrite arbitrary packets. Useful in accounting and authorization. # Backreferences are supported: %{0} will contain the string the whole match # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses # # If max_matches is greater than one the backreferences will correspond to the # first match #
#attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", "proxy", "proxy_reply" or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to the original string # append = no #} # Preprocess the incoming RADIUS request,
before handing it off
# to other modules. # preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints # This hack changes Ascend's wierd port
numberings
# to standard 0-??? port numbers so that the "+" works # for IP address assignments. with_ascend_hack = no ascend_channels_per_line = 23 # Windows NT machines often authenticate
themselves as
with_ntdomain_hack = no # # If you're not running a Cisco NAS, you don't need # this hack. with_cisco_vsa_hack = no } # Livingston-style 'users'
file
# files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users # If you want to use the old Cistron
'users' file
# with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } # Write a detailed log of all accounting
records received.
# detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d #
# This MUST be 0600, otherwise anyone can read # the users passwords! # detailperm = 0600 } # Create a unique accounting session
Id. Many NASes re-use or # repeat values for Acct-Session-Id, causing no end of # confusion. acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP- Address, NAS-Port" } radutmp {
# Where the file is stored. It's not a log file, # so it doesn't need rotating. # filename = ${logdir}/radutmp #
# You may want instead: %{Stripped-User-Name:-%{User-Name}} username = %{User-Name} #
case_sensitive = yes #
check_with_nas = yes # Set the file permissions, as the contents
of this file
# are usually private. perm = 0600 callerid = "yes"
} # "Safe" radutmp - does not contain caller
ID, so it can be
# world-readable, and radwho can work for normal users, without # exposing any information that isn't already exposed by who(1). # # This is another 'instance' of the radutmp module, but it is given # then name "sradutmp" to identify it later in the "accounting" # section. radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } # attr_filter - filters the attributes
received in replies from
# proxied servers, to make sure we send back to our RADIUS client # only allowed attributes. attr_filter { attrsfile = ${confdir}/attrs } # counter module:
# DEFAULT Max-Daily-Session := 36000 # Fall-Through = 1 # # 'check-name' attribute. # counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } # The "ALways" module is here for debugging
purposes. Each
# instance simply returns the same result, always, without # doing anything. always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } #
# The '_expression_' module currently has no configuration. # # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}` # # The value of the attribute will be replaced with the output # of the program which is executed. Due to RADIUS protocol # limitations, any output over 253 bytes will be ignored. expr { } #
# The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details # on performing digest authentication for Cisco SIP servers. # digest { } #
# Execute external programs # exec { wait = yes programm = "/bin/echo %{User-Name}" input_pairs = request } execok {
rcode = ok } # # This is a more general example of the execute module. # exec echo { # # Wait for the program to finish. # # If we do NOT wait, then the program is "fire and # forget", and any output attributes from it are ignored. # # If we are looking for the program to output # attributes, and want to add those attributes to the # request, then we MUST wait for the program to # finish, and therefore set 'wait=yes' # # allowed values: {no, yes} wait = yes #
# The name of the program to execute, and it's # arguments. Dynamic translation is done on this # field, so things like the following example will # work. # program = "/bin/echo %{User-Name}" #
# The attributes which are placed into the # environment variables for the program. # input_pairs = request #
# Where to place the output attributes (if any) from # output_pairs = reply #
# #packet_type = Access-Accept } # Do server side ip pool management.
Should be added in post-auth and
# accounting sections. ********* # ippool main_pool { # range-start,range-stop: The start
and end ip
# addresses for the ip pool range-start = 192.168.1.1 range-stop = 192.168.3.254 # netmask: The network mask used for
the ip's
netmask = 255.255.255.0 # cache-size: The gdbm cache size for
the db
# files. Should be equal to the number of ip's # available in the ip pool cache-size = 800 # session-db: The main db file used to
allocate ip's to clients
session-db = ${raddbdir}/db.ippool # ip-index: Helper db index file used in
multilink
ip-index = ${raddbdir}/db.ipindex # override: Will this ippool override a
Framed-IP-Address already set
override = no # maximum-timeout: If not zero specifies the
maximum time in seconds an
# entry may be active. Default: 0 maximum-timeout = 0 } # ANSI X9.9 token support. Not included
by default.
# $INCLUDE ${confdir}/x99.conf }
# Instantiation
# # This section orders the loading of the modules. Modules # listed here will get loaded BEFORE the later sections like # authorize, authenticate, etc. get examined. # instantiate { # # Allows the execution of external scripts. # The entire command line (and output) must fit into 253 bytes. # # e.g. Framed-Pool = `%{exec:/bin/echo foo}` exec #
# The _expression_ module doesn't do authorization, # authentication, or accounting. It only does dynamic # translation, of the form: # # Session-Timeout = `%{expr:2 + 3}` # # expr #
# We add the counter module here so that it registers # the check-name attribute before any module which sets # it # daily } # Authorization. First preprocess (hints and
huntgroups files),
# then realms, and finally look in the "users" file. authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. # # It also adds the %{Client-IP-Address} attribute to the request. preprocess #
# If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. auth_log # attr_filter #
# The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set #chap #
# If the users are logging in with an MS-CHAP-Challenge #mschap #
# If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. # digest #
# Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS #
# If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # # suffIx # ntdomain #
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. #auskommentiert #eap #
# Read the 'users' file #auskommentiert #files #
# The ldap module will set Auth-Type to LDAP if it has not # already been set ldap # # Enforce daily limits on time spent logged in. # daily #
# Use the checkval module ##auskommentiert checkval } # Authentication.
# # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user, or forcibly accept him. # authenticate { Auth-Type LDAP { #exec ldap } }
#
# Pre-accounting. Decide which accounting type to use. # preacct { preprocess #
# Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # IPASS
suffix # ntdomain #
# Read the 'acct_users' file files } #
# Accounting. Log the accounting data. # accounting { # detail # daily radutmp # sradutmp # Return an address to the IP Pool when
we see a stop record.
# main_pool # Cisco VoIP specific bulk accounting
# pgsql-voip }
# Session database, used for checking
Simultaneous-Use. Either the radutmp
# The rlm_sql module is *much* faster session { radutmp #
# See "Simultaneous Use Checking Querie" in sql.conf # sql } # Post-Authentication
# Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Get an address from the IP Pool. # main_pool #
# If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. # reply_log #
# After authenticating the user, do another SQL qeury. # # See "Authentication Logging Queries" in sql.conf # sql #
# Access-Reject packets are sent through the REJECT sub-section # of the post-auth section. # # Post-Auth-Type REJECT { # insert-module-name-here # } }
#
# # Only a few modules currently have this method. # pre-proxy { # attr_rewrite # pre_proxy_log
} #
post-proxy { # post_proxy_log # attr_rewrite
# Uncomment the following line if you
want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file. # attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # eap }