No More Handles Error after approximate 5500 transactions
g4-lisz at tonarchiv.ch
g4-lisz at tonarchiv.ch
Thu Apr 22 19:31:01 CEST 2021
Try to set `lifetime` to something else than 0 in the db pool. It seems
to me that for some reason the handles aren't closed and there is an
ulimit of filehandles in the system. See cat /proc/sys/fs/file-max.
On RHEL this issue could also be related to SELinux. See man sealert or
similar for finding related lines in the audit log.
Just my five cents...
On 22.04.21 18:57, Michael Wyatt wrote:
> Hello al�l,
>
> I am migrating some radius servers from RHEL6 with freeradius 3.0.16 to
> RHEL7 with freeradius 3.0.21. Our backend database is db2 using the
> rlm_sql_db2.so driver. On the RHEL6 nodes we were using the pre-built
> RedHat RPM packages for the freeradius and the rlm_sql_db2-3.0.0.so that
> came from an old installation but I'm not certain of its origins. With
> the move the RHEL7 I tried using the RedHat RPMs with the existing
> rlm_sql_db2-3.0.0.so but that failed miserably as expected. I built the
> rlm_sql_db2-3.0.0.so from source and tried that with the pre-built RPMs
> and that also failed miserably. Now I'm running with freeradius that was
> built from source code on a RHEL7 box. Freeradius and the rlm_sql_db2.so
> driver. This combination works and packets seem to run fine, db2 tables
> are updated as expected. Devices accepted/rejected as expected.
>
> However, when I run a load of test traffic through the radius devices I am
> getting db2 client errors after about 5500 transactions. The specific
> error message I see in the radius logs is this:
>
> Tue Apr 20 18:37:46 2021 : ERROR: (17291) ERROR: rlm_sql_db2:
> HY014: [IBM][CLI Driver] CLI0129E An attempt to allocate a handle failed
> because there are no more handles to allocate. SQLSTATE=HY014
>
>
> Below is the debug log with a few transactions that were fine at the
> beginning and then I cut out a lot of the log just because it was so
> large, and a few transactions at the end after they started failing. If
> there is a better way to include the full log please let me know. It is
> quite large since it takes a while for the problems to begin.
>
> Thanks in advance for any help,
> Michael
>
>
> FreeRADIUS Version 3.0.21
> Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/edr_raddb/dictionary
> including configuration file /etc/edr_raddb/radiusd.conf
> including configuration file /etc/edr_raddb/proxy.conf
> including configuration file /etc/edr_raddb/clients.conf
> including files in directory /etc/edr_raddb/mods-enabled/
> including configuration file /etc/edr_raddb/mods-enabled/files
> including configuration file /etc/edr_raddb/mods-enabled/sradutmp
> including configuration file /etc/edr_raddb/mods-enabled/radutmp
> including configuration file /etc/edr_raddb/mods-enabled/echo
> including configuration file /etc/edr_raddb/mods-enabled/expr
> including configuration file /etc/edr_raddb/mods-enabled/preprocess
> including configuration file /etc/edr_raddb/mods-enabled/soh
> including configuration file /etc/edr_raddb/mods-enabled/detail
> including configuration file /etc/edr_raddb/mods-enabled/unpack
> including configuration file /etc/edr_raddb/mods-enabled/replicate
> including configuration file /etc/edr_raddb/mods-enabled/mschap
> including configuration file /etc/edr_raddb/mods-enabled/digest
> including configuration file /etc/edr_raddb/mods-enabled/attr_filter
> including configuration file /etc/edr_raddb/mods-enabled/sql
> including configuration file
> /etc/edr_raddb/mods-config/sql/main/db2/queries.conf
> including configuration file /etc/edr_raddb/mods-enabled/detail.log
> including configuration file /etc/edr_raddb/mods-enabled/linelog
> including configuration file /etc/edr_raddb/mods-enabled/logintime
> including configuration file /etc/edr_raddb/mods-enabled/expiration
> including configuration file /etc/edr_raddb/mods-enabled/unix
> including configuration file /etc/edr_raddb/mods-enabled/date
> including configuration file /etc/edr_raddb/mods-enabled/chap
> including configuration file /etc/edr_raddb/mods-enabled/exec
> including configuration file /etc/edr_raddb/mods-enabled/utf8
> including configuration file /etc/edr_raddb/mods-enabled/ntlm_auth
> including configuration file /etc/edr_raddb/mods-enabled/passwd
> including configuration file /etc/edr_raddb/mods-enabled/cache_eap
> including configuration file /etc/edr_raddb/mods-enabled/realm
> including configuration file /etc/edr_raddb/mods-enabled/dynamic_clients
> including configuration file /etc/edr_raddb/mods-enabled/pap
> including configuration file /etc/edr_raddb/mods-enabled/always
> including files in directory /etc/edr_raddb/policy.d/
> including configuration file /etc/edr_raddb/policy.d/accounting
> including configuration file /etc/edr_raddb/policy.d/dhcp
> including configuration file /etc/edr_raddb/policy.d/edr
> including configuration file /etc/edr_raddb/policy.d/debug
> including configuration file /etc/edr_raddb/policy.d/filter
> including configuration file /etc/edr_raddb/policy.d/operator-name
> including configuration file /etc/edr_raddb/policy.d/eap
> including configuration file /etc/edr_raddb/policy.d/cui
> including configuration file /etc/edr_raddb/policy.d/rfc7542
> including configuration file /etc/edr_raddb/policy.d/abfab-tr
> including configuration file /etc/edr_raddb/policy.d/moonshot-targeted-ids
> including configuration file /etc/edr_raddb/policy.d/canonicalization
> including configuration file /etc/edr_raddb/policy.d/control
> including files in directory /etc/edr_raddb/sites-enabled/
> including configuration file /etc/edr_raddb/sites-enabled/default
> main {
> security {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var/log"
> logdir = "/var/log/radiusd"
> run_dir = "/var/log/run/radiusd"
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var/log"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radiusd"
> run_dir = "/var/log/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radiusd/radacct"
> hostname_lookups = no
> max_request_time = 5
> cleanup_delay = 2
> max_requests = 16384
> pidfile = "/var/log/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = yes
> auth_badpass = yes
> auth_goodpass = yes
> msg_badpass = "%{&reply:Reply-Message}"
> msg_goodpass = "%{&reply:Reply-Message}"
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 0.000000
> status_server = yes
> allow_vulnerable_openssl = "CVE-2016-6304"
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> Ignoring "response_window = 20.000000", forcing to "response_window =
> 5.000000"
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client IBM-10client {
> ipaddr = 10.0.0.0
> netmask = 8
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client IBM-9client {
> ipaddr = 9.0.0.0
> netmask = 8
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Debugger not attached
> systemd watchdog is disabled
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_files
> # Loading module "files" from file /etc/edr_raddb/mods-enabled/files
> files {
> filename = "/etc/edr_raddb/mods-config/files/authorize"
> acctusersfile = "/etc/edr_raddb/mods-config/files/accounting"
> preproxy_usersfile = "/etc/edr_raddb/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_radutmp
> # Loading module "sradutmp" from file
> /etc/edr_raddb/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/radiusd/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loading module "radutmp" from file /etc/edr_raddb/mods-enabled/radutmp
> radutmp {
> filename = "/var/log/radiusd/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_exec
> # Loading module "echo" from file /etc/edr_raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> timeout = 5
> }
> # Loaded module rlm_expr
> # Loading module "expr" from file /etc/edr_raddb/mods-enabled/expr
> expr {
> safe_characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
> /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
> }
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file
> /etc/edr_raddb/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/edr_raddb/mods-config/preprocess/huntgroups"
> hints = "/etc/edr_raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_soh
> # Loading module "soh" from file /etc/edr_raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_detail
> # Loading module "detail" from file /etc/edr_raddb/mods-enabled/detail
> detail {
> filename =
> "/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_unpack
> # Loading module "unpack" from file /etc/edr_raddb/mods-enabled/unpack
> # Loaded module rlm_replicate
> # Loading module "replicate" from file
> /etc/edr_raddb/mods-enabled/replicate
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /etc/edr_raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loaded module rlm_digest
> # Loading module "digest" from file /etc/edr_raddb/mods-enabled/digest
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/edr_raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/edr_raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/edr_raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename =
> "/etc/edr_raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename =
> "/etc/edr_raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_sql
> # Loading module "sql" from file /etc/edr_raddb/mods-enabled/sql
> sql {
> driver = "rlm_sql_db2"
> server = "EDRRADIUS"
> port = 0
> login = "edribmus"
> password = <<< secret >>>
> radius_db = "edr"
> read_groups = yes
> read_profiles = yes
> read_clients = no
> delete_stale_sessions = yes
> sql_user_name = "%{User-Name}"
> logfile = ""
> default_user_profile = ""
> client_query = "SELECT id, nasname, shortname, type, secret,
> server FROM nas"
> authorize_check_query = "SELECT id, username, attribute, value, op
> FROM edr.runstatus WHERE username = '%{SQL-User-Name}' ORDER BY id"
> authorize_reply_query = "SELECT id, username, attribute, value, op
> FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
> authorize_group_check_query = "SELECT id, groupname, attribute,
> Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
> authorize_group_reply_query = "SELECT id, groupname, attribute,
> value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
> group_membership_query = "SELECT groupname FROM radusergroup WHERE
> username = '%{SQL-User-Name}' ORDER BY priority"
> simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username =
> '%{SQL-User-Name}' AND acctstoptime IS NULL"
> simul_verify_query = "SELECT radacctid, acctsessionid, username,
> nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol
> FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
> safe_characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> auto_escape = no
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}.query}"
> type {
> accounting-on {
> query = "UPDATE radacct SET acctstoptime =
> FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
> '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
> acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
> acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
> acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
> }
> accounting-off {
> query = "UPDATE radacct SET acctstoptime =
> FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
> '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
> acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
> acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
> acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
> }
> start {
> query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
> username, realm, nasipaddress, nasportid,
> nasporttype, acctstarttime, acctupdatetime,
> acctstoptime, acctsessiontime, acctauthentic,
> connectinfo_start, connectinfo_stop, acctinputoctets,
> acctoutputoctets, calledstationid, callingstationid,
> acctterminatecause, servicetype, framedprotocol,
> framedipaddress) VALUES ('%{Acct-Session-Id}',
> '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
> '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}',
> FROM_UNIXTIME(%{integer:Event-Timestamp}),
> FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
> '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}')"
> }
> interim-update {
> query = "UPDATE radacct SET acctupdatetime =
> (@acctupdatetime_old:=acctupdatetime), acctupdatetime =
> FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval =
> %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old),
> framedipaddress = '%{Framed-IP-Address}', acctsessiontime =
> %{%{Acct-Session-Time}:-NULL}, acctinputoctets =
> '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
> acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
> '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId =
> '%{Acct-Unique-Session-Id}'"
> }
> stop {
> query = "UPDATE radacct SET acctstoptime =
> FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
> %{%{Acct-Session-Time}:-NULL}, acctinputoctets =
> '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
> acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
> '%{%{Acct-Output-Octets}:-0}', acctterminatecause =
> '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
> AcctUniqueId = '%{Acct-Unique-Session-Id}'"
> }
> }
> }
> post-auth {
> reference = ".query"
> query = "INSERT INTO radpostauth (username, pass, reply, authdate)
> VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
> '%{reply:Packet-Type}', '%S')"
> }
> }
> rlm_sql (sql): Driver rlm_sql_db2 (module rlm_sql_db2) loaded and linked
> Creating attribute SQL-Group
> # Loading module "auth_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> detail auth_log {
> filename =
> "/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> detail reply_log {
> filename =
> "/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename =
> "/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename =
> "/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_linelog
> # Loading module "linelog" from file /etc/edr_raddb/mods-enabled/linelog
> linelog {
> filename = "/var/log/radiusd/linelog"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{reply:Packet-Type}:-default}"
> }
> # Loading module "log_accounting" from file
> /etc/edr_raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/var/log/radiusd/linelog-accounting"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_logintime
> # Loading module "logintime" from file
> /etc/edr_raddb/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_expiration
> # Loading module "expiration" from file
> /etc/edr_raddb/mods-enabled/expiration
> # Loaded module rlm_unix
> # Loading module "unix" from file /etc/edr_raddb/mods-enabled/unix
> unix {
> radwtmp = "/var/log/radiusd/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_date
> # Loading module "date" from file /etc/edr_raddb/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> utc = no
> }
> # Loading module "wispr2date" from file /etc/edr_raddb/mods-enabled/date
> date wispr2date {
> format = "%Y-%m-%dT%H:%M:%S"
> utc = no
> }
> # Loaded module rlm_chap
> # Loading module "chap" from file /etc/edr_raddb/mods-enabled/chap
> # Loading module "exec" from file /etc/edr_raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 5
> }
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /etc/edr_raddb/mods-enabled/utf8
> # Loading module "ntlm_auth" from file
> /etc/edr_raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> timeout = 5
> }
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file
> /etc/edr_raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> # Loaded module rlm_cache
> # Loading module "cache_eap" from file
> /etc/edr_raddb/mods-enabled/cache_eap
> cache cache_eap {
> driver = "rlm_cache_rbtree"
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 0
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file /etc/edr_raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file /etc/edr_raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "bangpath" from file /etc/edr_raddb/mods-enabled/realm
> realm bangpath {
> format = "prefix"
> delimiter = "!"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file
> /etc/edr_raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file /etc/edr_raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file
> /etc/edr_raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_pap
> # Loading module "pap" from file /etc/edr_raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_always
> # Loading module "reject" from file /etc/edr_raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /etc/edr_raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /etc/edr_raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /etc/edr_raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /etc/edr_raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /etc/edr_raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /etc/edr_raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /etc/edr_raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /etc/edr_raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> instantiate {
> }
> # Instantiating module "files" from file
> /etc/edr_raddb/mods-enabled/files
> reading pairlist file /etc/edr_raddb/mods-config/files/authorize
> reading pairlist file /etc/edr_raddb/mods-config/files/accounting
> reading pairlist file /etc/edr_raddb/mods-config/files/pre-proxy
> # Instantiating module "preprocess" from file
> /etc/edr_raddb/mods-enabled/preprocess
> reading pairlist file /etc/edr_raddb/mods-config/preprocess/huntgroups
> reading pairlist file /etc/edr_raddb/mods-config/preprocess/hints
> # Instantiating module "detail" from file
> /etc/edr_raddb/mods-enabled/detail
> # Instantiating module "mschap" from file
> /etc/edr_raddb/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> reading pairlist file /etc/edr_raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> reading pairlist file /etc/edr_raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> reading pairlist file /etc/edr_raddb/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> reading pairlist file
> /etc/edr_raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/edr_raddb/mods-enabled/attr_filter
> reading pairlist file
> /etc/edr_raddb/mods-config/attr_filter/accounting_response
> # Instantiating module "sql" from file /etc/edr_raddb/mods-enabled/sql
> rlm_sql (sql): Attempting to connect to database "edr"
> rlm_sql (sql): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 128
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_sql (sql): Opening additional connection (0), 1 of 128 pending slots
> used
> rlm_sql (sql): Opening additional connection (1), 1 of 127 pending slots
> used
> rlm_sql (sql): Opening additional connection (2), 1 of 126 pending slots
> used
> rlm_sql (sql): Opening additional connection (3), 1 of 125 pending slots
> used
> rlm_sql (sql): Opening additional connection (4), 1 of 124 pending slots
> used
> # Instantiating module "auth_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file
> /etc/edr_raddb/mods-enabled/detail.log
> # Instantiating module "linelog" from file
> /etc/edr_raddb/mods-enabled/linelog
> # Instantiating module "log_accounting" from file
> /etc/edr_raddb/mods-enabled/linelog
> # Instantiating module "logintime" from file
> /etc/edr_raddb/mods-enabled/logintime
> # Instantiating module "expiration" from file
> /etc/edr_raddb/mods-enabled/expiration
> # Instantiating module "etc_passwd" from file
> /etc/edr_raddb/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Instantiating module "cache_eap" from file
> /etc/edr_raddb/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
> loaded and linked
> # Instantiating module "IPASS" from file
> /etc/edr_raddb/mods-enabled/realm
> # Instantiating module "suffix" from file
> /etc/edr_raddb/mods-enabled/realm
> # Instantiating module "bangpath" from file
> /etc/edr_raddb/mods-enabled/realm
> # Instantiating module "realmpercent" from file
> /etc/edr_raddb/mods-enabled/realm
> # Instantiating module "ntdomain" from file
> /etc/edr_raddb/mods-enabled/realm
> # Instantiating module "pap" from file /etc/edr_raddb/mods-enabled/pap
> # Instantiating module "reject" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "fail" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "ok" from file /etc/edr_raddb/mods-enabled/always
> # Instantiating module "handled" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "invalid" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "userlock" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "notfound" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "noop" from file
> /etc/edr_raddb/mods-enabled/always
> # Instantiating module "updated" from file
> /etc/edr_raddb/mods-enabled/always
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/edr_raddb/radiusd.conf
> } # server
> server default { # from file /etc/edr_raddb/sites-enabled/default
> # Loading authorize {...}
> # Loading post-auth {...}
> } # server default
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on proxy address * port 37769
> Listening on proxy address :: port 17802
> Ready to process requests
> (0) Received Access-Request Id 191 from 9.44.14.216:1953 to
> 9.44.14.148:1812 length 65
> (0) User-Name = "SI_radius_keepalive"
> (0) User-Password = "oԨW?\014\222\315>I2ꎯ\026\251"
> (0) Service-Type = Outbound-User
> (0) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (0) authorize {
> (0) [files] = noop
> (0) update control {
> (0) &Auth-Type := Accept
> (0) } # update control = noop
> (0) } # authorize = noop
> (0) Found Auth-Type = Accept
> (0) Auth-Type = Accept, accepting the user
> (0) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (0) post-auth {
> (0) policy check_sql_status {
> (0) update control {
> (0) EXPAND %{User-Name}
> (0) --> SI_radius_keepalive
> (0) SQL-User-Name set to 'SI_radius_keepalive'
> rlm_sql (sql): Reserved connection (0)
> (0) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (5), 1 of 123 pending slots
> used
> (0) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (0) --> 1
> (0) &Tmp-Integer-0 := 1
> (0) } # update control = noop
> (0) if (control:Tmp-Integer-0 < 1) {
> (0) if (control:Tmp-Integer-0 < 1) -> FALSE
> (0) } # policy check_sql_status = noop
> (0) check_for_cisco_AP { ... } # empty sub-section is ignored
> (0) policy check_for_bypassed_MAC {
> (0) if (User-Name == "SI_radius_keepalive") {
> (0) if (User-Name == "SI_radius_keepalive") -> TRUE
> (0) if (User-Name == "SI_radius_keepalive") {
> (0) update reply {
> (0) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
> EDR Accept"
> (0) } # update reply = noop
> (0) update control {
> (0) &Auth-Type := Accept
> (0) } # update control = noop
> (0) [handled] = handled
> (0) } # if (User-Name == "SI_radius_keepalive") = handled
> (0) } # policy check_for_bypassed_MAC = handled
> (0) } # post-auth = handled
> (0) EXPAND %{&reply:Reply-Message}
> (0) --> EDR User SI_radius_keepalive bypassed, EDR Accept
> (0) Login OK: [SI_radius_keepalive/oԨW????>I2ꎯ??] (from client
> IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
> (0) Sent Access-Accept Id 191 from 9.44.14.148:1812 to 9.44.14.216:1953
> length 0
> (0) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
> (0) Finished request
> Waking up in 1.9 seconds.
> (1) Received Access-Request Id 143 from 9.44.14.217:2000 to
> 9.44.14.148:1812 length 65
> (1) User-Name = "SI_radius_keepalive"
> (1) User-Password = "k\037(#\356X\374e\024\334\371\240\365\212\024\262"
> (1) Service-Type = Outbound-User
> (1) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (1) authorize {
> (1) [files] = noop
> (1) update control {
> (1) &Auth-Type := Accept
> (1) } # update control = noop
> (1) } # authorize = noop
> (1) Found Auth-Type = Accept
> (1) Auth-Type = Accept, accepting the user
> (1) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (1) post-auth {
> (1) policy check_sql_status {
> (1) update control {
> (1) EXPAND %{User-Name}
> (1) --> SI_radius_keepalive
> (1) SQL-User-Name set to 'SI_radius_keepalive'
> rlm_sql (sql): Reserved connection (1)
> (1) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (1)
> (1) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (1) --> 1
> (1) &Tmp-Integer-0 := 1
> (1) } # update control = noop
> (1) if (control:Tmp-Integer-0 < 1) {
> (1) if (control:Tmp-Integer-0 < 1) -> FALSE
> (1) } # policy check_sql_status = noop
> (1) check_for_cisco_AP { ... } # empty sub-section is ignored
> (1) policy check_for_bypassed_MAC {
> (1) if (User-Name == "SI_radius_keepalive") {
> (1) if (User-Name == "SI_radius_keepalive") -> TRUE
> (1) if (User-Name == "SI_radius_keepalive") {
> (1) update reply {
> (1) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
> EDR Accept"
> (1) } # update reply = noop
> (1) update control {
> (1) &Auth-Type := Accept
> (1) } # update control = noop
> (1) [handled] = handled
> (1) } # if (User-Name == "SI_radius_keepalive") = handled
> (1) } # policy check_for_bypassed_MAC = handled
> (1) } # post-auth = handled
> (1) EXPAND %{&reply:Reply-Message}
> (1) --> EDR User SI_radius_keepalive bypassed, EDR Accept
> (1) Login OK: [SI_radius_keepalive/k?(#?X?e????????] (from client
> IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
> (1) Sent Access-Accept Id 143 from 9.44.14.148:1812 to 9.44.14.217:2000
> length 0
> (1) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
> (1) Finished request
> Waking up in 1.9 seconds.
> (0) Cleaning up request packet ID 191 with timestamp +4
> (1) Cleaning up request packet ID 143 with timestamp +4
> Ready to process requests
> (2) Received Access-Request Id 192 from 9.44.14.216:1101 to
> 9.44.14.148:1812 length 65
> (2) User-Name = "SI_radius_keepalive"
> (2) User-Password =
> "\343\022\035\323\355JA\032\232\367\242\026\266\035=\033"
> (2) Service-Type = Outbound-User
> (2) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (2) authorize {
> (2) [files] = noop
> (2) update control {
> (2) &Auth-Type := Accept
> (2) } # update control = noop
> (2) } # authorize = noop
> (2) Found Auth-Type = Accept
> (2) Auth-Type = Accept, accepting the user
> (2) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (2) post-auth {
> (2) policy check_sql_status {
> (2) update control {
> (2) EXPAND %{User-Name}
> (2) --> SI_radius_keepalive
> (2) SQL-User-Name set to 'SI_radius_keepalive'
> rlm_sql (sql): Reserved connection (2)
> (2) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (2)
> Need 4 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (6), 1 of 122 pending slots
> used
> (2) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (2) --> 1
> (2) &Tmp-Integer-0 := 1
> (2) } # update control = noop
> (2) if (control:Tmp-Integer-0 < 1) {
> (2) if (control:Tmp-Integer-0 < 1) -> FALSE
> (2) } # policy check_sql_status = noop
> (2) check_for_cisco_AP { ... } # empty sub-section is ignored
> (2) policy check_for_bypassed_MAC {
> (2) if (User-Name == "SI_radius_keepalive") {
> (2) if (User-Name == "SI_radius_keepalive") -> TRUE
> (2) if (User-Name == "SI_radius_keepalive") {
> (2) update reply {
> (2) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
> EDR Accept"
> (2) } # update reply = noop
> (2) update control {
> (2) &Auth-Type := Accept
> (2) } # update control = noop
> (2) [handled] = handled
> (2) } # if (User-Name == "SI_radius_keepalive") = handled
> (2) } # policy check_for_bypassed_MAC = handled
> (2) } # post-auth = handled
> (2) EXPAND %{&reply:Reply-Message}
> (2) --> EDR User SI_radius_keepalive bypassed, EDR Accept
> (2) Login OK: [SI_radius_keepalive/?????JA???????=?] (from client
> IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
> (2) Sent Access-Accept Id 192 from 9.44.14.148:1812 to 9.44.14.216:1101
> length 0
> (2) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
> (2) Finished request
> Waking up in 1.9 seconds.
> (2) Cleaning up request packet ID 192 with timestamp +9
> Ready to process requests
> (3) Received Access-Request Id 144 from 9.44.14.217:1245 to
> 9.44.14.148:1812 length 65
> (3) User-Name = "SI_radius_keepalive"
> (3) User-Password = "\345O|H\347\312`a\315\036.\210h\201]\232"
> (3) Service-Type = Outbound-User
> (3) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (3) authorize {
> (3) [files] = noop
> (3) update control {
> (3) &Auth-Type := Accept
> (3) } # update control = noop
> (3) } # authorize = noop
> (3) Found Auth-Type = Accept
> (3) Auth-Type = Accept, accepting the user
> (3) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (3) post-auth {
> (3) policy check_sql_status {
> (3) update control {
> (3) EXPAND %{User-Name}
> (3) --> SI_radius_keepalive
> (3) SQL-User-Name set to 'SI_radius_keepalive'
> rlm_sql (sql): Reserved connection (3)
> (3) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (3)
> Need 3 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (7), 1 of 121 pending slots
> used
> (3) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (3) --> 1
> (3) &Tmp-Integer-0 := 1
> (3) } # update control = noop
> (3) if (control:Tmp-Integer-0 < 1) {
> (3) if (control:Tmp-Integer-0 < 1) -> FALSE
> (3) } # policy check_sql_status = noop
> (3) check_for_cisco_AP { ... } # empty sub-section is ignored
> (3) policy check_for_bypassed_MAC {
> (3) if (User-Name == "SI_radius_keepalive") {
> (3) if (User-Name == "SI_radius_keepalive") -> TRUE
> (3) if (User-Name == "SI_radius_keepalive") {
> (3) update reply {
> (3) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
> EDR Accept"
> (3) } # update reply = noop
> (3) update control {
> (3) &Auth-Type := Accept
> (3) } # update control = noop
> (3) [handled] = handled
> (3) } # if (User-Name == "SI_radius_keepalive") = handled
> (3) } # policy check_for_bypassed_MAC = handled
> (3) } # post-auth = handled
> (3) EXPAND %{&reply:Reply-Message}
> (3) --> EDR User SI_radius_keepalive bypassed, EDR Accept
> (3) Login OK: [SI_radius_keepalive/?O|H??`a??.?h?]?] (from client
> IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
> (3) Sent Access-Accept Id 144 from 9.44.14.148:1812 to 9.44.14.217:1245
> length 0
> (3) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
> (3) Finished request
> Waking up in 1.9 seconds.
> (3) Cleaning up request packet ID 144 with timestamp +14
> Ready to process requests
> ....
> (5502) Cleaning up request packet ID 144 with timestamp +338
> (5538) Received Access-Request Id 189 from 127.0.0.1:24740 to
> 127.0.0.1:1812 length 64
> (5538) User-Name = "00000000000R"
> (5538) NAS-IP-Address = 9.44.14.137
> (5538) NAS-Port = 10
> (5538) Message-Authenticator = 0xda40c1552d213d34cc95f4298773670d
> (5538) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (5538) authorize {
> (5538) [files] = noop
> (5538) update control {
> (5538) &Auth-Type := Accept
> (5538) } # update control = noop
> (5538) } # authorize = noop
> (5538) Found Auth-Type = Accept
> (5538) Auth-Type = Accept, accepting the user
> (5538) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (5538) post-auth {
> (5538) policy check_sql_status {
> (5538) update control {
> (5538) EXPAND %{User-Name}
> (5538) --> 00000000000R
> (5538) SQL-User-Name set to '00000000000R'
> rlm_sql (sql): Reserved connection (7)
> (5538) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (7)
> (5538) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (5538) --> 1
> (5538) &Tmp-Integer-0 := 1
> (5538) } # update control = noop
> (5538) if (control:Tmp-Integer-0 < 1) {
> (5538) if (control:Tmp-Integer-0 < 1) -> FALSE
> (5538) } # policy check_sql_status = noop
> (5538) check_for_cisco_AP { ... } # empty sub-section is ignored
> (5538) policy check_for_bypassed_MAC {
> (5538) if (User-Name == "SI_radius_keepalive") {
> (5538) if (User-Name == "SI_radius_keepalive") -> FALSE
> (5538) if (User-Name == "nessus") {
> (5538) if (User-Name == "nessus") -> FALSE
> (5538) elsif (User-Name == "00000000000R") {
> (5538) elsif (User-Name == "00000000000R") -> TRUE
> (5538) elsif (User-Name == "00000000000R") {
> (5538) update reply {
> (5538) &Reply-Message += "EDR 00000000000R bypassed for AOHCS
> Health Check, EDR Reject"
> (5538) } # update reply = noop
> (5538) update control {
> (5538) &Auth-Type := Reject
> (5538) } # update control = noop
> (5538) [reject] = reject
> (5538) } # elsif (User-Name == "00000000000R") = reject
> (5538) } # policy check_for_bypassed_MAC = reject
> (5538) } # post-auth = reject
> (5538) Using Post-Auth-Type Reject
> (5538) Post-Auth-Type sub-section not found. Ignoring.
> (5538) # Executing group from file /etc/edr_raddb/sites-enabled/default
> (5538) EXPAND %{&reply:Reply-Message}
> (5538) --> EDR 00000000000R bypassed for AOHCS Health Check, EDR Reject
> (5538) Rejected in post-auth: [00000000000R/<via Auth-Type = Reject>]
> (from client localhost port 10) EDR 00000000000R bypassed for AOHCS Health
> Check, EDR Reject
> (5538) EXPAND %{&reply:Reply-Message}
> (5538) --> EDR 00000000000R bypassed for AOHCS Health Check, EDR Reject
> (5538) Login incorrect: [00000000000R/<via Auth-Type = Reject>] (from
> client localhost port 10) EDR 00000000000R bypassed for AOHCS Health
> Check, EDR Reject
> (5538) Sent Access-Reject Id 189 from 127.0.0.1:1812 to 127.0.0.1:24740
> length 0
> (5538) Reply-Message += "EDR 00000000000R bypassed for AOHCS Health
> Check, EDR Reject"
> (5538) Finished request
> (5503) Cleaning up request packet ID 142 with timestamp +338
> (5539) Received Access-Request Id 118 from 127.0.0.1:40924 to
> 127.0.0.1:1812 length 64
> (5539) User-Name = "000000099999"
> (5539) NAS-IP-Address = 9.44.14.137
> (5539) NAS-Port = 10
> (5539) Message-Authenticator = 0x1bdead5678e95af1770b0b22d7ce5284
> (5539) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (5539) authorize {
> (5539) [files] = noop
> (5539) update control {
> (5539) &Auth-Type := Accept
> (5539) } # update control = noop
> (5539) } # authorize = noop
> (5539) Found Auth-Type = Accept
> (5539) Auth-Type = Accept, accepting the user
> (5539) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (5539) post-auth {
> (5539) policy check_sql_status {
> (5539) update control {
> (5539) EXPAND %{User-Name}
> (5539) --> 000000099999
> (5539) SQL-User-Name set to '000000099999'
> rlm_sql (sql): Reserved connection (4)
> (5539) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> Could not execute statement "SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR"
> (5539) ERROR: rlm_sql_db2: HY014: [IBM][CLI Driver] CLI0129E An
> attempt to allocate a handle failed because there are no more handles to
> allocate. SQLSTATE=HY014
> (5539) ERROR: SQL query failed: server error
> rlm_sql (sql): Released connection (4)
> (5539) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (5539) -->
> (5539) &Tmp-Integer-0 := 0
> (5539) } # update control = noop
> (5539) if (control:Tmp-Integer-0 < 1) {
> (5539) if (control:Tmp-Integer-0 < 1) -> TRUE
> (5539) if (control:Tmp-Integer-0 < 1) {
> (5539) policy fail_open {
> (5539) update reply {
> (5539) EXPAND EDR req_num:%n req_id:%I fail_open
> (5539) --> EDR req_num:5539 req_id:118 fail_open
> (5539) &Reply-Message += EDR req_num:5539 req_id:118 fail_open
> (5539) } # update reply = noop
> (5539) update control {
> (5539) &Auth-Type := Accept
> (5539) } # update control = noop
> (5539) [handled] = handled
> (5539) } # policy fail_open = handled
> (5539) } # if (control:Tmp-Integer-0 < 1) = handled
> (5539) } # policy check_sql_status = handled
> (5539) } # post-auth = handled
> (5539) EXPAND %{&reply:Reply-Message}
> (5539) --> EDR req_num:5539 req_id:118 fail_open
> (5539) Login OK: [000000099999/<via Auth-Type = Accept>] (from client
> localhost port 10) EDR req_num:5539 req_id:118 fail_open
> (5539) Sent Access-Accept Id 118 from 127.0.0.1:1812 to 127.0.0.1:40924
> length 0
> (5539) Reply-Message += "EDR req_num:5539 req_id:118 fail_open"
> (5539) Finished request
> (5504) Cleaning up request packet ID 135 with timestamp +338
> (5540) Received Access-Request Id 161 from 127.0.0.1:29338 to
> 127.0.0.1:1812 length 64
> (5540) User-Name = "000000000000"
> (5540) NAS-IP-Address = 9.44.14.137
> (5540) NAS-Port = 10
> (5540) Message-Authenticator = 0x7afd0d4c0f5f7f5939d4b862a7fe7c29
> (5540) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (5540) authorize {
> (5540) [files] = noop
> (5540) update control {
> (5540) &Auth-Type := Accept
> (5540) } # update control = noop
> (5540) } # authorize = noop
> (5540) Found Auth-Type = Accept
> (5540) Auth-Type = Accept, accepting the user
> (5540) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (5540) post-auth {
> (5540) policy check_sql_status {
> (5540) update control {
> (5540) EXPAND %{User-Name}
> (5540) --> 000000000000
> (5540) SQL-User-Name set to '000000000000'
> rlm_sql (sql): Reserved connection (8)
> (5540) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (8)
> (5540) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (5540) --> 1
> (5540) &Tmp-Integer-0 := 1
> (5540) } # update control = noop
> (5540) if (control:Tmp-Integer-0 < 1) {
> (5540) if (control:Tmp-Integer-0 < 1) -> FALSE
> (5540) } # policy check_sql_status = noop
> (5540) check_for_cisco_AP { ... } # empty sub-section is ignored
> (5540) policy check_for_bypassed_MAC {
> (5540) if (User-Name == "SI_radius_keepalive") {
> (5540) if (User-Name == "SI_radius_keepalive") -> FALSE
> (5540) if (User-Name == "nessus") {
> (5540) if (User-Name == "nessus") -> FALSE
> (5540) elsif (User-Name == "00000000000R") {
> (5540) elsif (User-Name == "00000000000R") -> FALSE
> (5540) } # policy check_for_bypassed_MAC = noop
> (5540) policy check_for_ignore {
> (5540) update control {
> rlm_sql (sql): Reserved connection (0)
> rlm_sql (sql): Released connection (0)
> (5540) EXPAND %{User-Name}
> (5540) --> 000000000000
> (5540) SQL-User-Name set to '000000000000'
> rlm_sql (sql): Reserved connection (9)
> (5540) Executing select query: SELECT COUNT(*) FROM edr.failed
> WHERE username='000000000000' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS)
> WITH UR
> rlm_sql (sql): Released connection (9)
> (5540) EXPAND %{sql:SELECT COUNT(*) FROM edr.failed WHERE
> username='%{User-Name}' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS) WITH
> UR }
> (5540) --> 36
> (5540) &Tmp-Integer-0 := 36
> (5540) } # update control = noop
> (5540) if (control:Tmp-Integer-0 > 58) {
> (5540) if (control:Tmp-Integer-0 > 58) -> FALSE
> (5540) } # policy check_for_ignore = noop
> (5540) policy check_for_registered_MAC {
> (5540) update control {
> rlm_sql (sql): Reserved connection (5)
> rlm_sql (sql): Released connection (5)
> (5540) EXPAND %{User-Name}
> (5540) --> 000000000000
> (5540) SQL-User-Name set to '000000000000'
> rlm_sql (sql): Reserved connection (1)
> (5540) Executing select query: SELECT COUNT(*) FROM ldap.ldapsync
> WHERE mac='000000000000' WITH UR
> rlm_sql (sql): Released connection (1)
> (5540) EXPAND %{sql:SELECT COUNT(*) FROM ldap.ldapsync WHERE
> mac='%{User-Name}' WITH UR}
> (5540) --> 1
> (5540) &Tmp-Integer-0 := 1
> (5540) } # update control = noop
> (5540) if (control:Tmp-Integer-0 > 0) {
> (5540) if (control:Tmp-Integer-0 > 0) -> TRUE
> (5540) if (control:Tmp-Integer-0 > 0) {
> (5540) update reply {
> (5540) EXPAND EDR req_num:%n req_id:%I MAC %{User-Name} from
> relay %{Packet-Src-IP-Address} is registered, EDR accept
> (5540) --> EDR req_num:5540 req_id:161 MAC 000000000000 from
> relay 127.0.0.1 is registered, EDR accept
> (5540) &Reply-Message := EDR req_num:5540 req_id:161 MAC
> 000000000000 from relay 127.0.0.1 is registered, EDR accept
> (5540) } # update reply = noop
> (5540) update control {
> (5540) &Auth-Type := Accept
> (5540) } # update control = noop
> (5540) [handled] = handled
> (5540) } # if (control:Tmp-Integer-0 > 0) = handled
> (5540) } # policy check_for_registered_MAC = handled
> (5540) } # post-auth = handled
> (5540) EXPAND %{&reply:Reply-Message}
> (5540) --> EDR req_num:5540 req_id:161 MAC 000000000000 from relay
> 127.0.0.1 is registered, EDR accept
> (5540) Login OK: [000000000000/<via Auth-Type = Accept>] (from client
> localhost port 10) EDR req_num:5540 req_id:161 MAC 000000000000 from relay
> 127.0.0.1 is registered, EDR accept
> (5540) Sent Access-Accept Id 161 from 127.0.0.1:1812 to 127.0.0.1:29338
> length 0
> (5540) Reply-Message := "EDR req_num:5540 req_id:161 MAC 000000000000
> from relay 127.0.0.1 is registered, EDR accept"
> (5540) Finished request
> (5505) Cleaning up request packet ID 136 with timestamp +338
> (5541) Received Access-Request Id 151 from 127.0.0.1:30962 to
> 127.0.0.1:1812 length 64
> (5541) User-Name = "000000000001"
> (5541) NAS-IP-Address = 9.44.14.137
> (5541) NAS-Port = 10
> (5541) Message-Authenticator = 0x24c78b0147d18e8b4c975734b2daaf1d
> (5541) # Executing section authorize from file
> /etc/edr_raddb/sites-enabled/default
> (5541) authorize {
> (5541) [files] = noop
> (5541) update control {
> (5541) &Auth-Type := Accept
> (5541) } # update control = noop
> (5541) } # authorize = noop
> (5541) Found Auth-Type = Accept
> (5541) Auth-Type = Accept, accepting the user
> (5541) # Executing section post-auth from file
> /etc/edr_raddb/sites-enabled/default
> (5541) post-auth {
> (5541) policy check_sql_status {
> (5541) update control {
> (5541) EXPAND %{User-Name}
> (5541) --> 000000000001
> (5541) SQL-User-Name set to '000000000001'
> rlm_sql (sql): Reserved connection (2)
> (5541) Executing select query: SELECT COUNT(*) FROM edr.runstatus
> WHERE status='NORMALOP' WITH UR
> rlm_sql (sql): Released connection (2)
> (5541) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
> status='NORMALOP' WITH UR}
> (5541) --> 1
> (5541) &Tmp-Integer-0 := 1
> (5541) } # update control = noop
> (5541) if (control:Tmp-Integer-0 < 1) {
> (5541) if (control:Tmp-Integer-0 < 1) -> FALSE
> (5541) } # policy check_sql_status = noop
> (5541) check_for_cisco_AP { ... } # empty sub-section is ignored
> (5541) policy check_for_bypassed_MAC {
> (5541) if (User-Name == "SI_radius_keepalive") {
> (5541) if (User-Name == "SI_radius_keepalive") -> FALSE
> (5541) if (User-Name == "nessus") {
> (5541) if (User-Name == "nessus") -> FALSE
> (5541) elsif (User-Name == "00000000000R") {
> (5541) elsif (User-Name == "00000000000R") -> FALSE
> (5541) } # policy check_for_bypassed_MAC = noop
> (5541) policy check_for_ignore {
> (5541) update control {
> rlm_sql (sql): Reserved connection (6)
> rlm_sql (sql): Released connection (6)
> (5541) EXPAND %{User-Name}
> (5541) --> 000000000001
> (5541) SQL-User-Name set to '000000000001'
> rlm_sql (sql): Reserved connection (3)
> (5541) Executing select query: SELECT COUNT(*) FROM edr.failed
> WHERE username='000000000001' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS)
> WITH UR
> rlm_sql (sql): Released connection (3)
> (5541) EXPAND %{sql:SELECT COUNT(*) FROM edr.failed WHERE
> username='%{User-Name}' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS) WITH
> UR }
> (5541) --> 44
> (5541) &Tmp-Integer-0 := 44
> (5541) } # update control = noop
> (5541) if (control:Tmp-Integer-0 > 58) {
> (5541) if (control:Tmp-Integer-0 > 58) -> FALSE
> (5541) } # policy check_for_ignore = noop
> (5541) policy check_for_registered_MAC {
> (5541) update control {
> rlm_sql (sql): Reserved connection (7)
> rlm_sql (sql): Released connection (7)
> (5541) EXPAND %{User-Name}
> (5541) --> 000000000001
> (5541) SQL-User-Name set to '000000000001'
> rlm_sql (sql): Reserved connection (4)
> (5541) Executing select query: SELECT COUNT(*) FROM ldap.ldapsync
> WHERE mac='000000000001' WITH UR
> Could not execute statement "SELECT COUNT(*) FROM ldap.ldapsync WHERE
> mac='000000000001' WITH UR"
> (5541) ERROR: rlm_sql_db2: HY014: [IBM][CLI Driver] CLI0129E An
> attempt to allocate a handle failed because there are no more handles to
> allocate. SQLSTATE=HY014
> (5541) ERROR: SQL query failed: server error
> rlm_sql (sql): Released connection (4)
> (5541) EXPAND %{sql:SELECT COUNT(*) FROM ldap.ldapsync WHERE
> mac='%{User-Name}' WITH UR}
> (5541) -->
> (5541) &Tmp-Integer-0 := 0
> (5541) } # update control = noop
> (5541) if (control:Tmp-Integer-0 > 0) {
> (5541) if (control:Tmp-Integer-0 > 0) -> FALSE
> (5541) } # policy check_for_registered_MAC = noop
> (5541) policy edr_count_and_reject {
> (5541) if (Client-Shortname != "L2R") {
> (5541) EXPAND Client-Shortname
> (5541) --> localhost
> (5541) if (Client-Shortname != "L2R") -> TRUE
> (5541) if (Client-Shortname != "L2R") {
> (5541) update control {
> rlm_sql (sql): Reserved connection (8)
> rlm_sql (sql): Released connection (8)
> rlm_sql (sql): Reserved connection (0)
> rlm_sql (sql): Released connection (0)
> (5541) EXPAND %{User-Name}
> (5541) --> 000000000001
> (5541) SQL-User-Name set to '000000000001'
> rlm_sql (sql): Reserved connection (9)
> (5541) Executing query: INSERT INTO edr.failed
> (username,authdate,addr) VALUES ('000000000001', CURRENT TIMESTAMP,
> '127.0.0.1')
> rlm_sql (sql): Released connection (9)
> (5541) EXPAND %{sql:INSERT INTO edr.failed
> (username,authdate,addr) VALUES ('%{User-Name}', CURRENT TIMESTAMP,
> '%{Packet-Src-IP-Address}')}
> (5541) --> 1
> (5541) &Tmp-Integer-0 := 1
> rlm_sql (sql): Reserved connection (5)
> rlm_sql (sql): Released connection (5)
> (5541) EXPAND %{User-Name}
> (5541) --> 000000000001
> (5541) SQL-User-Name set to '000000000001'
> rlm_sql (sql): Reserved connection (1)
> (5541) Executing select query: SELECT COUNT(*) FROM edr.failed
> WHERE username = '000000000001'
> rlm_sql (sql): Released connection (1)
> (5541) EXPAND %{sql:SELECT COUNT(*) FROM edr.failed WHERE
> username = '%{User-Name}' }
> (5541) --> 45
> (5541) &Tmp-Integer-1 := 45
> (5541) EXPAND EDR req_num:%n req_id:%I MAC %{request:User-Name}
> from relay %{request:Packet-Src-IP-Address} rejected, failed count =
> %{control:Tmp-Integer-1}
> (5541) --> EDR req_num:5541 req_id:151 MAC 000000000001 from
> relay 127.0.0.1 rejected, failed count = 45
> (5541) &Tmp-String-0 := EDR req_num:5541 req_id:151 MAC
> 000000000001 from relay 127.0.0.1 rejected, failed count = 45
> (5541) } # update control = noop
> (5541) } # if (Client-Shortname != "L2R") = noop
> (5541) ... skipping else: Preceding "if" was taken
> (5541) update reply {
> (5541) &Reply-Message += &control:Tmp-String-0 -> 'EDR
> req_num:5541 req_id:151 MAC 000000000001 from relay 127.0.0.1 rejected,
> failed count = 45 '
> (5541) No attributes updated for RHS
> &request:ENDFORCE-RelayAgentAddr
> (5541) } # update reply = noop
> (5541) update control {
> (5541) &Auth-Type := Reject
> (5541) } # update control = noop
> (5541) [reject] = reject
> (5541) } # policy edr_count_and_reject = reject
> (5541) } # post-auth = reject
> (5541) Using Post-Auth-Type Reject
> (5541) Post-Auth-Type sub-section not found. Ignoring.
> (5541) # Executing group from file /etc/edr_raddb/sites-enabled/default
> (5541) EXPAND %{&reply:Reply-Message}
> (5541) --> EDR req_num:5541 req_id:151 MAC 000000000001 from relay
> 127.0.0.1 rejected, failed count = 45
> (5541) Rejected in post-auth: [000000000001/<via Auth-Type = Reject>]
> (from client localhost port 10) EDR req_num:5541 req_id:151 MAC
> 000000000001 from relay 127.0.0.1 rejected, failed count = 45
> (5541) EXPAND %{&reply:Reply-Message}
> (5541) --> EDR req_num:5541 req_id:151 MAC 000000000001 from relay
> 127.0.0.1 rejected, failed count = 45
> (5541) Login incorrect (rlm_sql_db2: HY014: [IBM][CLI Driver] CLI0129E An
> attempt to allocate a handle failed because there are no more handles to
> allocate. SQLSTATE=HY014): [000000000001/<via Auth-Type = Reject>] (from
> client localhost port 10) EDR req_num:5541 req_id:151 MAC 000000000001
> from relay 127.0.0.1 rejected, failed count = 45
> (5541) Sent Access-Reject Id 151 from 127.0.0.1:1812 to 127.0.0.1:30962
> length 0
> (5541) Reply-Message += "EDR req_num:5541 req_id:151 MAC 000000000001
> from relay 127.0.0.1 rejected, failed count = 45 "
> (5541) Finished request
> (5506) Cleaning up request packet ID 240 with timestamp +338
> ...
> Waking up in 1.9 seconds.
> (5672) Cleaning up request packet ID 198 with timestamp +374
> Ready to process requests
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list