EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
TJ2718
tj2718 at aol.com
Thu Oct 20 23:40:43 CEST 2016
Background:
Originally I was using CentoOS 7 with Samba 4.2.10 and FreeRadius 3.0.4 on a Windows network that was on Server 2003 and Forest Functional Level.
We were using certificate base authentications for tablets and username and password for certain users.
We upgraded the functional level to 2012R2 Native and it broke everything.
Neither certificates or username and passwords would get any Accepts, only Rejects. I changed the config from
sites-enabled/default
post-auth {
if (!(Ldap-Group == "WiFi")) {
reject
}
to where the certificates authenticate and any Active Directory user can authenticate by using:
sites-enabled/default
post-auth {
# if (Ldap-Group == "WiFi") {
# noop
# }
Just to get people working again. This was confirmed with two test users using
radtest -t mschap mcyrus Password1 localhost 0 XXXXXX
and watching the radiusd -X debug.
Test user mcyrus is not in the WiFi group, test user nlegend is.
Currently:
I built another server on CentOS 7 but built Samba 4.5.0 and FreeRadius 4.0.x
from source to see if newer versions were more compatible,
again closely following the deployingfreeradius.com guides.
I edited the config files to try and get authorization working again.
I can get it doing the same thing where certificates and all AD users can get logged in or
only users in the WiFi group get Accepts but none of the certificates get Accepts.
The odd thing, or least what I don't understand is:
Why the certificates stop working even though the computer accounts are also in the WiFi security group.
Wrapping up:
I guess what it comes down to is a few of questions:
1. Is Samba 4.5.0/FreeRadius 4.0.x even compatible with a 2012R2 forest functional level (schema 69) as a member server?
I've seen some posts stating that it's experimental as a DC but not whether a member server is working/stable.
2. Is it compatible with a Windows Server 2016 forest functional level as we will be heading down that road soon?
3. Should it be possible to have certificate based authorizations AND LDAP group authorizations working on the same server.
If yes, I would greatly appreciate any tips or help in figuring out how to get it configured correctly and working again.
Thank you for any guidance you can provide,
Travis
radiusd -X
[root at radius ~]# systemctl stop radiusd && radiusd -X
Info : FreeRADIUS Version 4.0.0
Info : Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : including dictionary file /opt/freeradius/share/freeradius/dictionary
Debug : including dictionary file /opt/freeradius/etc/raddb/dictionary
Debug : including configuration file /opt/freeradius/etc/raddb/radiusd.conf
Debug : including configuration file /opt/freeradius/etc/raddb/proxy.conf
Debug : including configuration file /opt/freeradius/etc/raddb/clients.conf
Debug : including files in directory /opt/freeradius/etc/raddb/mods-enabled/
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/always
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/cache_eap
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/chap
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail.log
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/digest
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/dhcp
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/dynamic_clients
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap_inner
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/echo
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/exec
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/expiration
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/expr
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/files
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/linelog
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/logintime
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/mschap
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/pap
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/passwd
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/preprocess
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/radutmp
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/realm
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/replicate
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/soh
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/sradutmp
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/unix
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/unpack
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/utf8
Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/ldap
Debug : including files in directory /opt/freeradius/etc/raddb/policy.d/
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/abfab-tr
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/accounting
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/canonicalization
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/control
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/cui
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/debug
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/dhcp
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/eap
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/filter
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/operator-name
Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/vendor
Debug : including files in directory /opt/freeradius/etc/raddb/sites-enabled/
Debug : including configuration file /opt/freeradius/etc/raddb/sites-enabled/default
Debug : including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
Debug : main {
Debug : security {
Debug : allow_core_dumps = no
Debug : }
Debug : name = "radiusd"
Debug : prefix = "/opt/freeradius"
Debug : localstatedir = "/opt/freeradius/var"
Debug : logdir = "/opt/freeradius/var/log/radius"
Debug : run_dir = "/opt/freeradius/var/run/radiusd"
Debug : }
Debug : main {
Debug : name = "radiusd"
Debug : prefix = "/opt/freeradius"
Debug : localstatedir = "/opt/freeradius/var"
Debug : sbindir = "/opt/freeradius/sbin"
Debug : logdir = "/opt/freeradius/var/log/radius"
Debug : run_dir = "/opt/freeradius/var/run/radiusd"
Debug : libdir = "/opt/freeradius/lib"
Debug : radacctdir = "/opt/freeradius/var/log/radius/radacct"
Debug : hostname_lookups = no
Debug : max_request_time = 30
Debug : cleanup_delay = 5
Debug : continuation_timeout = 15
Debug : max_requests = 16384
Debug : pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
Debug : checkrad = "/opt/freeradius/sbin/checkrad"
Debug : debug_level = 0
Debug : proxy_requests = yes
Debug : log {
Debug : stripped_names = no
Debug : auth = no
Debug : auth_badpass = no
Debug : auth_goodpass = no
Debug : colourise = yes
Debug : msg_denied = "You are already logged in - access denied"
Debug : }
Debug : resources {
Debug : }
Debug : security {
Debug : max_attributes = 200
Debug : reject_delay = 1.000000
Debug : status_server = yes
Debug : allow_vulnerable_openssl = "no"
Debug : }
Debug : }
Switching to configured log settings
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dynamic = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client Tracmor {
ipaddr = 10.10.0.151
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client LAK-Branch {
ipaddr = 10.10.2.131
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client LAK-IT {
ipaddr = 10.10.2.130
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client LAK-TC {
ipaddr = 10.10.2.4
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client LAK-TC-RF {
ipaddr = 10.10.2.65
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client LAK-Training {
ipaddr = 10.10.2.6
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client LAK-Upstairs {
ipaddr = 10.10.2.5
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 01-MPK {
ipaddr = 192.168.1.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 03-ELC {
ipaddr = 192.168.3.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 04-BKF {
ipaddr = 192.168.4.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 05-LAS {
ipaddr = 192.168.5.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 05-Training {
ipaddr = 192.168.5.251
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 06-RIV {
ipaddr = 192.168.6.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 07-PHX {
ipaddr = 192.168.7.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 08-FRN {
ipaddr = 192.168.8.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 09-ANA {
ipaddr = 192.168.9.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10-SAC {
ipaddr = 192.168.10.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 11-OAK {
ipaddr = 192.168.11.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 12-BUR {
ipaddr = 192.168.12.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 13-RNO {
ipaddr = 192.168.13.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 14-PRT {
ipaddr = 192.168.14.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 14-PRT-2 {
ipaddr = 192.168.14.251
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 15-SEA {
ipaddr = 192.168.15.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 16-SPK {
ipaddr = 192.168.16.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 17-EUG {
ipaddr = 192.168.17.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 17-EUG-2 {
ipaddr = 192.168.17.251
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 18-BOI {
ipaddr = 192.168.18.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 19-SLC {
ipaddr = 192.168.19.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 20-ORM {
ipaddr = 192.168.20.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 21-OGD {
ipaddr = 192.168.21.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 22-RED {
ipaddr = 192.168.22.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 24-POC {
ipaddr = 192.168.24.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 25-DGO {
ipaddr = 192.168.25.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 26-TAC {
ipaddr = 192.168.26.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 27-ANC {
ipaddr = 192.168.27.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 28-NOG {
ipaddr = 192.168.28.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 30-TUC {
ipaddr = 192.168.30.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 31-MES {
ipaddr = 192.168.31.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 32-PHO {
ipaddr = 192.168.32.251
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 33-BEL {
ipaddr = 192.168.33.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 34-MED {
ipaddr = 192.168.34.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 35-VIS {
ipaddr = 192.168.35.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 35-VIS-WH1 {
ipaddr = 192.168.35.251
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 35-VIS-WH2 {
ipaddr = 192.168.35.252
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 36-YUM {
ipaddr = 192.168.36.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 37-SLE {
ipaddr = 192.168.37.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 38-SJC {
ipaddr = 192.168.38.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 39-SFO {
ipaddr = 192.168.39.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 40-CCR {
ipaddr = 192.168.40.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 41-VNY {
ipaddr = 192.168.41.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 42-MOD {
ipaddr = 192.168.42.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 43-TLV {
ipaddr = 192.168.43.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 44-SNA {
ipaddr = 192.168.44.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 45-STS {
ipaddr = 192.168.45.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 46-POM {
ipaddr = 192.168.46.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 48-GAR {
ipaddr = 192.168.48.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 49-BPK {
ipaddr = 192.168.49.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 51-LVK {
ipaddr = 192.168.51.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 52-RSV {
ipaddr = 192.168.52.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 53-SAL {
ipaddr = 192.168.53.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 54-PHN {
ipaddr = 192.168.54.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 55-ONT {
ipaddr = 192.168.55.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 55-ONT-2 {
ipaddr = 192.168.55.251
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 56-WLA {
ipaddr = 192.168.56.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 57-BIL {
ipaddr = 192.168.57.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 58-GTF {
ipaddr = 192.168.58.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 59-RAN {
ipaddr = 192.168.59.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 60-TEM {
ipaddr = 192.168.60.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 61-NTL {
ipaddr = 192.168.61.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 62-PSP {
ipaddr = 192.168.62.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 63-STK {
ipaddr = 192.168.63.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 64-KRK {
ipaddr = 192.168.64.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 65-PEO {
ipaddr = 192.168.65.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 66-VIC {
ipaddr = 192.168.66.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 67-YAK {
ipaddr = 192.168.67.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 68-DRA {
ipaddr = 192.168.68.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 69-CHA {
ipaddr = 192.168.69.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 70-TIG {
ipaddr = 192.168.70.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 71-FRE {
ipaddr = 192.168.71.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 72-DEN {
ipaddr = 192.168.72.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 73-SIG {
ipaddr = 192.168.73.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 74-CEN {
ipaddr = 192.168.74.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 75-COR {
ipaddr = 192.168.75.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 82-PNS {
ipaddr = 192.168.82.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 183-PNS {
ipaddr = 192.168.183.250
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
queue_priority = "default"
auto_limit_acct = no
}
listen {
type = "auth"
ipaddr = *
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = digest
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
recv_buff = 0
}
radiusd: #### Loading modules ####
modules {
# Loaded module "rlm_always"
# Loading module "reject" from file /opt/freeradius/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /opt/freeradius/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /opt/freeradius/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /opt/freeradius/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /opt/freeradius/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /opt/freeradius/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /opt/freeradius/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /opt/freeradius/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /opt/freeradius/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module "rlm_attr_filter"
# Loading module "attr_filter.post-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response"
relaxed = no
}
# Loaded module "rlm_cache"
# Loading module "cache_eap" from file /opt/freeradius/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module "rlm_chap"
# Loading module "chap" from file /opt/freeradius/etc/raddb/mods-enabled/chap
# Loaded module "rlm_detail"
# Loading module "detail" from file /opt/freeradius/etc/raddb/mods-enabled/detail
detail {
filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module "rlm_digest"
# Loading module "digest" from file /opt/freeradius/etc/raddb/mods-enabled/digest
# Loaded module "rlm_dhcp"
# Loading module "dhcp" from file /opt/freeradius/etc/raddb/mods-enabled/dhcp
# Loaded module "rlm_dynamic_clients"
# Loading module "dynamic_clients" from file /opt/freeradius/etc/raddb/mods-enabled/dynamic_clients
# Loaded module "rlm_eap"
# Loading module "eap" from file /opt/freeradius/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "tls"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
# Loaded module "rlm_eap_md5"
# Loaded module "rlm_eap_leap"
# Loaded module "rlm_eap_gtc"
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Loaded module "rlm_eap_tls"
tls {
tls = "tls-common"
require_client_cert = yes
include_length = yes
}
tls-config tls-common {
verify_depth = 0
ca_path = "/opt/freeradius/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/opt/freeradius/etc/raddb/certs/server.pem"
certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem"
ca_file = "/opt/freeradius/etc/raddb/certs/ca_and_crl.pem"
private_key_password = <<< secret >>>
dh_file = "/opt/freeradius/etc/raddb/certs/dh"
fragment_size = 1024
auto_chain = yes
check_crl = yes
cipher_list = "DEFAULT"
allow_renegotiation = no
ecdh_curve = "prime256v1"
disable_tlsv1_2 = no
cache {
lifetime = 86400
verify = no
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
staple {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Loaded module "rlm_eap_ttls"
ttls {
tls = "tls-common"
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
# Loaded module "rlm_eap_peap"
peap {
tls = "tls-common"
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
# Loaded module "rlm_eap_mschapv2"
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "radius"
}
# Loading module "inner-eap" from file /opt/freeradius/etc/raddb/mods-enabled/eap_inner
eap inner-eap {
default_eap_type = "mschapv2"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
gtc {
challenge = "Password: "
auth_type = "PAP"
}
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
tls {
tls = "tls-peer"
require_client_cert = yes
include_length = yes
}
tls-config tls-peer {
verify_depth = 0
ca_path = "/opt/freeradius/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/opt/freeradius/etc/raddb/certs/server.key"
certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem"
ca_file = "/opt/freeradius/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/opt/freeradius/etc/raddb/certs/dh"
fragment_size = 16384
auto_chain = yes
check_crl = yes
allow_renegotiation = no
ecdh_curve = "prime256v1"
cache {
lifetime = 86400
verify = no
}
verify {
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
staple {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Loaded module "rlm_exec"
# Loading module "echo" from file /opt/freeradius/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /opt/freeradius/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module "rlm_expiration"
# Loading module "expiration" from file /opt/freeradius/etc/raddb/mods-enabled/expiration
# Loaded module "rlm_expr"
# Loading module "expr" from file /opt/freeradius/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module "rlm_files"
# Loading module "files" from file /opt/freeradius/etc/raddb/mods-enabled/files
files {
filename = "/opt/freeradius/etc/raddb/mods-config/files/authorize"
acctusersfile = "/opt/freeradius/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/opt/freeradius/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module "rlm_linelog"
# Loading module "linelog" from file /opt/freeradius/etc/raddb/mods-enabled/linelog
linelog {
destination = "file"
delimiter = " "
file {
filename = "/opt/freeradius/var/log/radius/linelog"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
port = 514
timeout = 2.000000
}
udp {
port = 514
timeout = 2.000000
}
}
# Loading module "log_accounting" from file /opt/freeradius/etc/raddb/mods-enabled/linelog
linelog log_accounting {
destination = "file"
delimiter = " "
file {
filename = "/opt/freeradius/var/log/radius/linelog-accounting"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loaded module "rlm_logintime"
# Loading module "logintime" from file /opt/freeradius/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module "rlm_mschap"
# Loading module "mschap" from file /opt/freeradius/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-RSDNET} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
ntlm_auth_timeout = 10
passchange {
}
allow_retry = yes
}
# Loading module "ntlm_auth" from file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=RSDNET --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module "rlm_pap"
# Loading module "pap" from file /opt/freeradius/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module "rlm_passwd"
# Loading module "etc_passwd" from file /opt/freeradius/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module "rlm_preprocess"
# Loading module "preprocess" from file /opt/freeradius/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/opt/freeradius/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/opt/freeradius/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module "rlm_radutmp"
# Loading module "radutmp" from file /opt/freeradius/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/opt/freeradius/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module "rlm_realm"
# Loading module "IPASS" from file /opt/freeradius/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /opt/freeradius/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /opt/freeradius/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /opt/freeradius/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module "rlm_replicate"
# Loading module "replicate" from file /opt/freeradius/etc/raddb/mods-enabled/replicate
# Loaded module "rlm_soh"
# Loading module "soh" from file /opt/freeradius/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /opt/freeradius/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/opt/freeradius/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module "rlm_unix"
# Loading module "unix" from file /opt/freeradius/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/opt/freeradius/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module "rlm_unpack"
# Loading module "unpack" from file /opt/freeradius/etc/raddb/mods-enabled/unpack
# Loaded module "rlm_utf8"
# Loading module "utf8" from file /opt/freeradius/etc/raddb/mods-enabled/utf8
rlm_ldap - libldap vendor: OpenLDAP, version: 20440
# Loaded module "rlm_ldap"
# Loading module "ldap" from file /opt/freeradius/etc/raddb/mods-enabled/ldap
ldap {
server = "dc12vm.rsdtc.com"
identity = "cn=radius,cn=users,dc=rsdtc,dc=com"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_attribute = "WiFi"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=rsdtc,dc=com"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
use_referral_credentials = no
rebind = yes
session_tracking = no
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
instantiate {
}
} # modules
# Instantiating module "reject" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /opt/freeradius/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject
[/opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /opt/freeradius/etc/raddb/mods-enabled/cache_eap
# Loaded module "rlm_cache_rbtree"
# Instantiating module "detail" from file /opt/freeradius/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file /opt/freeradius/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /opt/freeradius/etc/raddb/mods-enabled/files
reading file /opt/freeradius/etc/raddb/mods-config/files/authorize
reading file /opt/freeradius/etc/raddb/mods-config/files/accounting
reading file /opt/freeradius/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /opt/freeradius/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /opt/freeradius/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /opt/freeradius/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /opt/freeradius/etc/raddb/mods-enabled/mschap
mschap : authenticating by calling 'ntlm_auth'
# Instantiating module "pap" from file /opt/freeradius/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /opt/freeradius/etc/raddb/mods-enabled/passwd
# Instantiating module "preprocess" from file /opt/freeradius/etc/raddb/mods-enabled/preprocess
reading file /opt/freeradius/etc/raddb/mods-config/preprocess/huntgroups
reading file /opt/freeradius/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /opt/freeradius/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /opt/freeradius/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /opt/freeradius/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /opt/freeradius/etc/raddb/mods-enabled/realm
# Instantiating module "ldap" from file /opt/freeradius/etc/raddb/mods-enabled/ldap
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap) - Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_ldap (ldap) - Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
rlm_ldap (ldap) - Waiting for search result...
rlm_ldap (ldap) - Directory type: Active Directory
rlm_ldap (ldap) - Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
rlm_ldap (ldap) - Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
rlm_ldap (ldap) - Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
rlm_ldap (ldap) - Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
radiusd: #### Loading Virtual Servers ####
server default { # from file /opt/freeradius/etc/raddb/sites-enabled/default
} # server default
server inner-tunnel { # from file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 58700
Listening on proxy address :: port 53027
Ready to process requests
More information about the Freeradius-Users
mailing list