<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style>@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@font-face {
font-family: Consolas;
}
@page WordSection1 {margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; FONT-SIZE: 12pt
}
LI.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; FONT-SIZE: 12pt
}
DIV.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; FONT-SIZE: 12pt
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
PRE {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Courier New"; FONT-SIZE: 10pt
}
P.MsoAcetate {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Tahoma","sans-serif"; FONT-SIZE: 8pt
}
LI.MsoAcetate {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Tahoma","sans-serif"; FONT-SIZE: 8pt
}
DIV.MsoAcetate {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Tahoma","sans-serif"; FONT-SIZE: 8pt
}
SPAN.HTMLPreformattedChar {
FONT-FAMILY: Consolas
}
SPAN.EmailStyle20 {
FONT-FAMILY: "Calibri","sans-serif"; COLOR: #1f497d
}
SPAN.EmailStyle23 {
FONT-FAMILY: "Calibri","sans-serif"; COLOR: #1f497d
}
SPAN.BalloonTextChar {
FONT-FAMILY: "Tahoma","sans-serif"
}
.MsoChpDefault {
FONT-SIZE: 10pt
}
</style><style id="owaParaStyle">P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</style>
</head>
<body lang="EN-US" vlink="purple" link="blue" fPStyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<p>Well, I added that to the top of the /etc/raddb/users file and restarted RADIUS. Here's the debug output. I can clearly see where it's going to the entry at line 2 in the /etc/raddb/users file that reads as follows:</p>
<p> </p>
<p>Line 1: DEFAULT Ldap-Group == "sshadmins"</p>
<p><strong><font color="#ff0000">Line 2: DEFAULT Auth-Type := Reject</font></strong></p>
<p> </p>
<p>I just don't understand what it is I'm looking at. I see where it says it's executing the authorize section from /etc/raddb/sites-enabled/default and then entering the group, but I don't understand the language from there. I do see that it's looking for
the "@" delimiter and it doesn't see it based on how I input my username.</p>
<p> </p>
<p> </p>
<p>I haven't made one configuration change to any of the LDAP modules in RADIUS. So I wasn't so confident from the start that the Line 1 entry would work for me. I'm authenticating against AD via the NTLM_AUTH module. So I'm guessing there's more configuration
I need to do??</p>
<p> </p>
<p> </p>
<p>BEGIN DEBUG OUTPUT</p>
<p>**********************************************************************</p>
<p>**********************************************************************</p>
<p>**********************************************************************</p>
<p>rad_recv: Access-Request packet from host 10.10.0.5 port 1645, id=31, length=82<br>
User-Name = "ETRAFFIC\\jjulson"<br>
User-Password = "PASSWORDOMMITTED"<br>
NAS-Port = 389<br>
NAS-Port-Id = "tty389"<br>
NAS-Port-Type = Virtual<br>
NAS-IP-Address = 10.10.0.5<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "ETRAFFIC\jjulson", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
<strong><font color="#ff0000">[files] users: Matched entry DEFAULT at line 2<br>
</font></strong>++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
<strong><font color="#ff0000">[pap] WARNING: Auth-Type already set. Not setting to PAP<br>
</font></strong>++[pap] returns noop<br>
Found Auth-Type = Reject<br>
Auth-Type = Reject, rejecting user<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> ETRAFFIC\jjulson<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 1 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 1<br>
Sending Access-Reject of id 31 to 10.10.0.5 port 1645<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 1 ID 31 with timestamp +58<br>
Ready to process requests.<br>
</p>
<p> </p>
<p> </p>
<div style="FONT-FAMILY: Times New Roman; COLOR: #000000; FONT-SIZE: 16px">
<hr tabindex="-1">
<div style="DIRECTION: ltr" id="divRpF964752"><font color="#000000" size="2" face="Tahoma"><b>From:</b> Julson, Jim<br>
<b>Sent:</b> Friday, June 22, 2012 1:59 PM<br>
<b>To:</b> FreeRadius users mailing list<br>
<b>Subject:</b> RE: Can't figure out Group Authentication<br>
</font><br>
</div>
<div></div>
<div>
<div class="WordSection1">
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Huh….I’ve searched all over and haven’t seen any reference to that syntax for the users file. Let me give that a shot.
</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Are there any additional modules I would have to configure, or should I be good to go considering I can already authenticate via Active Directory?</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
<div>
<div style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<p class="MsoNormal"><b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">From:</span></b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org]
<b>On Behalf Of </b>Nolan King<br>
<b>Sent:</b> Friday, June 22, 2012 1:22 PM<br>
<b>To:</b> FreeRadius users mailing list<br>
<b>Subject:</b> RE: Can't figure out Group Authentication</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">I do it like this, in users file:</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">DEFAULT Ldap-Group == "wifiusers"</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">DEFAULT Auth-Type := Reject</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Anyone in wifiusers AD security group gets in, all others are rejected.</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Nolan</span></p>
<p class="MsoNormal"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"></span> </p>
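<p class="MsoNormal">Added example, not part of the thread or of FreeRADIUS itself: a small Python model of how the files module walks the two users entries Nolan shows (the same pair that Jim's debug output above matched at line 2), showing why the Ldap-Group line cannot match while no rlm_ldap instance is loaded, so every request falls to DEFAULT Auth-Type := Reject, and why listing the Reject entry first would lock everyone out. The request attributes come from the debug output; the AD group membership and the Ldap-Group lookup are constructed stand-ins for what a configured rlm_ldap would provide.</p>

```python
"""Constructed model of how FreeRADIUS 2.x rlm_files walks /etc/raddb/users
(illustration code, not FreeRADIUS source).  Rules modelled:
  * entries are tried top to bottom; one matches when its name is DEFAULT
    (or equals User-Name) and every comparison check item holds;
  * Ldap-Group is a virtual attribute whose comparison exists only while a
    configured rlm_ldap is loaded; the debug output in the thread shows no
    ldap module at all, so there the check can never hold;
  * ':=' and '=' check items are assignments (Auth-Type here), skipped while
    comparing and applied only when the entry matches;
  * the first match ends the search unless its reply items set
    Fall-Through = Yes.
"""
import re
from dataclasses import dataclass, field

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*"?([^",]*?)"?\s*(?:,|$)')
SET_OPS = {':=', '='}

@dataclass
class Entry:
    line: int
    name: str
    checks: list = field(default_factory=list)   # (attr, op, value)
    replies: list = field(default_factory=list)  # (attr, op, value)

def parse_users(text):
    """Parse the users-file subset used in the thread: name plus check items
    on one line, optional indented reply-item lines below it."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and current is not None:   # indented => reply items
            current.replies.extend(ITEM_RE.findall(raw))
            continue
        parts = raw.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ''
        current = Entry(lineno, parts[0], ITEM_RE.findall(rest))
        entries.append(current)
    return entries

def entry_matches(entry, request, comparators):
    """True when every comparison item holds; assignment items are skipped."""
    for attr, op, value in entry.checks:
        if op in SET_OPS:
            continue
        if attr in comparators:                   # virtual attribute
            holds = comparators[attr](request, value)
        else:                                     # absent attribute never matches
            holds = request.get(attr) == value
        if (op == '==') != holds:
            return False
    return True

def files_authorize(entries, request, comparators):
    """Walk the entries; return (control items, debug-style trace lines)."""
    control, trace = {}, []
    for entry in entries:
        if entry.name not in ('DEFAULT', request.get('User-Name')):
            continue
        if not entry_matches(entry, request, comparators):
            continue
        trace.append(f'[files] users: Matched entry {entry.name} at line {entry.line}')
        for attr, op, value in entry.checks:
            if op == ':=' or (op == '=' and attr not in control):
                control[attr] = value
        if not any(a == 'Fall-Through' and v.lower() == 'yes'
                   for a, _, v in entry.replies):
            break
    return control, trace

def authorize(users_text, request, ldap_groups=None):
    """Run the files stage for one request.  ldap_groups=None means rlm_ldap is
    not loaded (no ldap module anywhere in the debug output); otherwise it is a
    constructed stand-in for the AD group lookup rlm_ldap would perform."""
    comparators = {}
    if ldap_groups is not None:
        comparators['Ldap-Group'] = (
            lambda req, group: req.get('User-Name') in ldap_groups.get(group, ()))
    control, trace = files_authorize(parse_users(users_text), request, comparators)
    if control.get('Auth-Type') == 'Reject':
        trace += ['Found Auth-Type = Reject', 'Auth-Type = Reject, rejecting user']
        return 'Access-Reject', trace
    return 'continue to authenticate', trace       # pap/ntlm_auth decide later

# The two entries from the thread, and the same two in the wrong order.
USERS_FILE = 'DEFAULT Ldap-Group == "sshadmins"\nDEFAULT Auth-Type := Reject\n'
REVERSED_FILE = 'DEFAULT Auth-Type := Reject\nDEFAULT Ldap-Group == "sshadmins"\n'
# Request attributes taken from the Access-Request in the debug output.
REQUEST = {'User-Name': 'ETRAFFIC\\jjulson', 'NAS-IP-Address': '10.10.0.5'}
# Constructed AD group membership standing in for the real directory.
GROUPS = {'sshadmins': {'ETRAFFIC\\jjulson'}}

if __name__ == '__main__':
    for groups in (None, GROUPS):                 # without, then with rlm_ldap
        print(authorize(USERS_FILE, REQUEST, groups))
```

<p class="MsoNormal">Note what Nolan's setup relies on: the Ldap-Group check item is supplied by rlm_ldap, so an ldap module pointed at AD has to be configured and loaded before that line can ever be evaluated; ntlm_auth alone does not provide it.</p>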
<div>
<div style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<p class="MsoNormal"><b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">From:</span></b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">
freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org [mailto:freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org] <b>On Behalf Of
</b>Julson, Jim<br>
<b>Sent:</b> Friday, June 22, 2012 8:32 AM<br>
<b>To:</b> <a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">
freeradius-users@lists.freeradius.org</a><br>
<b>Subject:</b> Can't figure out Group Authentication</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">First, I'd like to thank Alan for his beyond countless hours of dedication to all the blogs, forum posting, and general support within the community. Your write-ups are thorough
and well thought out. I wish more people were like you. I'm pretty new to RADIUS and, consequently, Linux in general. So I might ask questions that seem noobish or lame, but it doesn't mean I'm not willing to learn, research, etc. <em><b><u><span style="FONT-FAMILY: 'Tahoma','sans-serif'">
Just bear with me. </span></u></b></em></span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">Now, the problem is this. Following Alan DeKok's guide at
<a href="http://deployingradius.com/documents/configuration/active_directory.html" target="_blank">
http://deployingradius.com/documents/configuration/active_directory.html</a>, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS
set up and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, and I can list users, groups, etc. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users. So the problem is this.
It's authenticating...a little too well. </span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">I've added the following entry to "/etc/raddb/clients.conf" to allow AAA on one of my Cisco routers.
</span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">*************************************</span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: blue; FONT-SIZE: 10pt">client 10.10.0.5 {</span></strong><b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: blue; FONT-SIZE: 10pt"><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = REALSECRETOMMITTED</span></strong></span></b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: blue; FONT-SIZE: 10pt"> shortname = Cisco-2911-VPCRTR</span></strong><b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: blue; FONT-SIZE: 10pt"><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = cisco</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'">}</span></strong></span></b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"><br>
*************************************</span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">Now, I then set up my Cisco router accordingly, and then did an SSH test to it using my AD Account. Voila! It worked great.
<em><b><u><span style="FONT-FAMILY: 'Tahoma','sans-serif'">However, so did every other "Domain User" account in the environment. </span></u></b></em> This goes back to me being so new to RADIUS and Linux where I don't feel like I'm fully grasping all of the
directives within the configuration files, and exactly how they all tie together. I'm getting there, but just not fast enough.
</span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">So, how do I lock down the SSH Authentication to an Active Directory Group of users, or individual users? </span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">
Remember, go easy on me. I'll provide whatever you need to help. I'm assuming you will ask for my RADIUSD -X output, so I've attached that as well.
</span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">NOTE: One thing I don't understand is how in Alan DeKok's write-up from the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth" in the "/etc/raddb/users" file,
but yet that's one of the final steps to test in the write-up. Maybe it's because I am so new, but I've been through that document probably 30 times line by line, and yet every time I remove that entry, it breaks the Authentication.
</span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">BEGIN RADIUSD -X DEBUG OUTPUT</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">**************************************************************************************************</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">**************************************************************************************************</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">**************************************************************************************************</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 2011 at 10:21:08<br>
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.<br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<br>
PARTICULAR PURPOSE.<br>
You may redistribute copies of FreeRADIUS under the terms of the<br>
GNU General Public License v2.<br>
Starting - reading configuration files ...<br>
including configuration file /etc/raddb/radiusd.conf<br>
including configuration file /etc/raddb/proxy.conf<br>
including configuration file /etc/raddb/clients.conf<br>
including files in directory /etc/raddb/modules/<br>
including configuration file /etc/raddb/modules/exec<br>
including configuration file /etc/raddb/modules/attr_rewrite<br>
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login<br>
including configuration file /etc/raddb/modules/ippool<br>
including configuration file /etc/raddb/modules/policy<br>
including configuration file /etc/raddb/modules/inner-eap<br>
including configuration file /etc/raddb/modules/krb5<br>
including configuration file /etc/raddb/modules/ntlm_auth<br>
including configuration file /etc/raddb/modules/radutmp<br>
including configuration file /etc/raddb/modules/digest<br>
including configuration file /etc/raddb/modules/ldap<br>
including configuration file /etc/raddb/modules/sql_log<br>
including configuration file /etc/raddb/modules/otp<br>
including configuration file /etc/raddb/modules/pam<br>
including configuration file /etc/raddb/modules/opendirectory<br>
including configuration file /etc/raddb/modules/expiration<br>
including configuration file /etc/raddb/modules/perl<br>
including configuration file /etc/raddb/modules/etc_group<br>
including configuration file /etc/raddb/modules/attr_filter<br>
including configuration file /etc/raddb/modules/echo<br>
including configuration file /etc/raddb/modules/mschap<br>
including configuration file /etc/raddb/modules/logintime<br>
including configuration file /etc/raddb/modules/detail<br>
including configuration file /etc/raddb/modules/smsotp<br>
including configuration file /etc/raddb/modules/smbpasswd<br>
including configuration file /etc/raddb/modules/wimax<br>
including configuration file /etc/raddb/modules/linelog<br>
including configuration file /etc/raddb/modules/sradutmp<br>
including configuration file /etc/raddb/modules/detail.log<br>
including configuration file /etc/raddb/modules/dynamic_clients<br>
including configuration file /etc/raddb/modules/pap<br>
including configuration file /etc/raddb/modules/unix<br>
including configuration file /etc/raddb/modules/files<br>
including configuration file /etc/raddb/modules/detail.example.com<br>
including configuration file /etc/raddb/modules/counter<br>
including configuration file /etc/raddb/modules/passwd<br>
including configuration file /etc/raddb/modules/mac2vlan<br>
including configuration file /etc/raddb/modules/mac2ip<br>
including configuration file /etc/raddb/modules/preprocess<br>
including configuration file /etc/raddb/modules/acct_unique<br>
including configuration file /etc/raddb/modules/cui<br>
including configuration file /etc/raddb/modules/realm<br>
including configuration file /etc/raddb/modules/checkval<br>
including configuration file /etc/raddb/modules/always<br>
including configuration file /etc/raddb/modules/expr<br>
including configuration file /etc/raddb/modules/chap<br>
including configuration file /etc/raddb/eap.conf<br>
including configuration file /etc/raddb/policy.conf<br>
including files in directory /etc/raddb/sites-enabled/<br>
including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>
including configuration file /etc/raddb/sites-enabled/default<br>
including configuration file /etc/raddb/sites-enabled/control-socket<br>
main {<br>
user = "radiusd"<br>
group = "radiusd"<br>
allow_core_dumps = no<br>
}<br>
including dictionary file /etc/raddb/dictionary<br>
main {<br>
prefix = "/usr"<br>
localstatedir = "/var"<br>
logdir = "/var/log/radius"<br>
libdir = "/usr/lib64/freeradius"<br>
radacctdir = "/var/log/radius/radacct"<br>
hostname_lookups = no<br>
max_request_time = 30<br>
cleanup_delay = 5<br>
max_requests = 1024<br>
pidfile = "/var/run/radiusd/radiusd.pid"<br>
checkrad = "/usr/sbin/checkrad"<br>
debug_level = 0<br>
proxy_requests = yes<br>
log {<br>
stripped_names = no<br>
auth = no<br>
auth_badpass = no<br>
auth_goodpass = no<br>
}<br>
security {<br>
max_attributes = 200<br>
reject_delay = 1<br>
status_server = yes<br>
}<br>
}<br>
radiusd: #### Loading Realms and Home Servers ####<br>
proxy server {<br>
retry_delay = 5<br>
retry_count = 3<br>
default_fallback = no<br>
dead_time = 120<br>
wake_all_if_all_dead = no<br>
}<br>
home_server localhost {<br>
ipaddr = 127.0.0.1<br>
port = 1812<br>
type = "auth"<br>
secret = "testing123"<br>
response_window = 20<br>
max_outstanding = 65536<br>
require_message_authenticator = yes<br>
zombie_period = 40<br>
status_check = "status-server"<br>
ping_interval = 30<br>
check_interval = 30<br>
num_answers_to_alive = 3<br>
num_pings_to_alive = 3<br>
revive_interval = 120<br>
status_check_timeout = 4<br>
irt = 2<br>
mrt = 16<br>
mrc = 5<br>
mrd = 30<br>
}<br>
home_server_pool my_auth_failover {<br>
type = fail-over<br>
home_server = localhost<br>
}<br>
realm example.com {<br>
auth_pool = my_auth_failover<br>
}<br>
realm LOCAL {<br>
}<br>
</span><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: blue; FONT-SIZE: 10pt">radiusd: #### Loading Clients ####</span></strong><b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: blue; FONT-SIZE: 10pt"><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> client 172.16.1.1 {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> require_message_authenticator = no</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> shortname = "Cisco-4507-1"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = "cisco"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> client 172.16.1.3 {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> require_message_authenticator = no</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> shortname = "Cisco-4507-2"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = "cisco"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> client 172.16.1.2 {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> require_message_authenticator = no</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> shortname = "Cisco-ASA-5520-01"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = "cisco"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> client 10.10.0.5 {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> require_message_authenticator = no</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> shortname = "Cisco-2911-VPCRTR"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = "cisco"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> client 172.16.1.10 {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> require_message_authenticator = no</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> shortname = "Cisco-ASA-5510-GDM"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = "cisco"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> client localhost {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> ipaddr = 127.0.0.1</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> require_message_authenticator = no</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> secret = "testing123"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> nastype = "other"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong><br>
</span></b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt">radiusd: #### Instantiating modules ####<br>
instantiate {<br>
Module: Linked to module rlm_exec<br>
Module: Instantiating module "exec" from file /etc/raddb/modules/exec<br>
exec {<br>
wait = no<br>
input_pairs = "request"<br>
shell_escape = yes<br>
}<br>
Module: Linked to module rlm_expr<br>
Module: Instantiating module "expr" from file /etc/raddb/modules/expr<br>
Module: Linked to module rlm_expiration<br>
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration<br>
expiration {<br>
reply-message = "Password Has Expired "<br>
}<br>
Module: Linked to module rlm_logintime<br>
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime<br>
logintime {<br>
reply-message = "You are calling outside your allowed timespan "<br>
minimum-timeout = 60<br>
}<br>
}<br>
radiusd: #### Loading Virtual Servers ####<br>
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel<br>
modules {<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Linked to module rlm_pap<br>
Module: Instantiating module "pap" from file /etc/raddb/modules/pap<br>
pap {<br>
encryption_scheme = "auto"<br>
auto_header = no<br>
}<br>
Module: Linked to module rlm_chap<br>
Module: Instantiating module "chap" from file /etc/raddb/modules/chap<br>
Module: Linked to module rlm_mschap<br>
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap<br>
mschap {<br>
use_mppe = yes<br>
require_encryption = no<br>
require_strong = no<br>
with_ntdomain_hack = no<br>
}<br>
</span><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; BACKGROUND: white; COLOR: blue; FONT-SIZE: 10pt"> Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth</span></strong><b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; BACKGROUND: white; COLOR: blue; FONT-SIZE: 10pt"><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> exec ntlm_auth {</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> wait = yes</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYREALDOMAIN-OMMITTED --username=%{mschap:User-Name} --password=%{User-Password}"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> input_pairs = "request"</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> shell_escape = yes</span></strong><br>
<strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'"> }</span></strong></span></b><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"><br>
Module: Linked to module rlm_unix<br>
Module: Instantiating module "unix" from file /etc/raddb/modules/unix<br>
unix {<br>
radwtmp = "/var/log/radius/radwtmp"<br>
}<br>
Module: Linked to module rlm_eap<br>
Module: Instantiating module "eap" from file /etc/raddb/eap.conf<br>
eap {<br>
default_eap_type = "md5"<br>
timer_expire = 60<br>
ignore_unknown_eap_types = no<br>
cisco_accounting_username_bug = no<br>
max_sessions = 4096<br>
}<br>
Module: Linked to sub-module rlm_eap_md5<br>
Module: Instantiating eap-md5<br>
Module: Linked to sub-module rlm_eap_leap<br>
Module: Instantiating eap-leap<br>
Module: Linked to sub-module rlm_eap_gtc<br>
Module: Instantiating eap-gtc<br>
gtc {<br>
challenge = "Password: "<br>
auth_type = "PAP"<br>
}<br>
Module: Linked to sub-module rlm_eap_tls<br>
Module: Instantiating eap-tls<br>
tls {<br>
rsa_key_exchange = no<br>
dh_key_exchange = yes<br>
rsa_key_length = 512<br>
dh_key_length = 512<br>
verify_depth = 0<br>
CA_path = "/etc/raddb/certs"<br>
pem_file_type = yes<br>
private_key_file = "/etc/raddb/certs/server.pem"<br>
certificate_file = "/etc/raddb/certs/server.pem"<br>
CA_file = "/etc/raddb/certs/ca.pem"<br>
private_key_password = "whatever"<br>
dh_file = "/etc/raddb/certs/dh"<br>
random_file = "/etc/raddb/certs/random"<br>
fragment_size = 1024<br>
include_length = yes<br>
check_crl = no<br>
cipher_list = "DEFAULT"<br>
cache {<br>
enable = no<br>
lifetime = 24<br>
max_entries = 255<br>
}<br>
verify {<br>
}<br>
}<br>
Module: Linked to sub-module rlm_eap_ttls<br>
Module: Instantiating eap-ttls<br>
ttls {<br>
default_eap_type = "md5"<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
virtual_server = "inner-tunnel"<br>
include_length = yes<br>
}<br>
Module: Linked to sub-module rlm_eap_peap<br>
Module: Instantiating eap-peap<br>
peap {<br>
default_eap_type = "mschapv2"<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
proxy_tunneled_request_as_eap = yes<br>
virtual_server = "inner-tunnel"<br>
}<br>
Module: Linked to sub-module rlm_eap_mschapv2<br>
Module: Instantiating eap-mschapv2<br>
mschapv2 {<br>
with_ntdomain_hack = no<br>
}<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Linked to module rlm_realm<br>
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm<br>
realm suffix {<br>
format = "suffix"<br>
delimiter = "@"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
Module: Linked to module rlm_files<br>
Module: Instantiating module "files" from file /etc/raddb/modules/files<br>
files {<br>
usersfile = "/etc/raddb/users"<br>
acctusersfile = "/etc/raddb/acct_users"<br>
preproxy_usersfile = "/etc/raddb/preproxy_users"<br>
compat = "no"<br>
}<br>
Module: Checking session {...} for more modules to load<br>
Module: Linked to module rlm_radutmp<br>
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp<br>
radutmp {<br>
filename = "/var/log/radius/radutmp"<br>
username = "%{User-Name}"<br>
case_sensitive = yes<br>
check_with_nas = yes<br>
perm = 384<br>
callerid = yes<br>
}<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
Module: Linked to module rlm_attr_filter<br>
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter<br>
attr_filter attr_filter.access_reject {<br>
attrsfile = "/etc/raddb/attrs.access_reject"<br>
key = "%{User-Name}"<br>
}<br>
} # modules<br>
} # server<br>
server { # from file /etc/raddb/radiusd.conf<br>
modules {<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Linked to module rlm_digest<br>
Module: Instantiating module "digest" from file /etc/raddb/modules/digest<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Linked to module rlm_preprocess<br>
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess<br>
preprocess {<br>
huntgroups = "/etc/raddb/huntgroups"<br>
hints = "/etc/raddb/hints"<br>
with_ascend_hack = no<br>
ascend_channels_per_line = 23<br>
with_ntdomain_hack = no<br>
with_specialix_jetstream_hack = no<br>
with_cisco_vsa_hack = no<br>
with_alvarion_vsa_hack = no<br>
}<br>
Module: Checking preacct {...} for more modules to load<br>
Module: Linked to module rlm_acct_unique<br>
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique<br>
acct_unique {<br>
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>
}<br>
Module: Checking accounting {...} for more modules to load<br>
Module: Linked to module rlm_detail<br>
Module: Instantiating module "detail" from file /etc/raddb/modules/detail<br>
detail {<br>
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter<br>
attr_filter attr_filter.accounting_response {<br>
attrsfile = "/etc/raddb/attrs.accounting_response"<br>
key = "%{User-Name}"<br>
}<br>
Module: Checking session {...} for more modules to load<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
} # modules<br>
} # server<br>
radiusd: #### Opening IP addresses and Ports ####<br>
listen {<br>
type = "auth"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "acct"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "control"<br>
listen {<br>
socket = "/var/run/radiusd/radiusd.sock"<br>
}<br>
}<br>
listen {<br>
type = "auth"<br>
ipaddr = 127.0.0.1<br>
port = 18120<br>
}<br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /var/run/radiusd/radiusd.sock<br>
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel<br>
Listening on proxy address * port 1814<br>
Ready to process requests.</span></p>
<p><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span> </p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">**************************************************************************************************</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">**************************************************************************************************</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">**************************************************************************************************</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
<p><strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: red; FONT-SIZE: 10pt">END RADIUSD -X DEBUG OUTPUT</span></strong><span style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: black; FONT-SIZE: 10pt"></span></p>
</div>
<p style="MARGIN-BOTTOM: 12pt" class="MsoNormal"> </p>
<p class="MsoNormal"><b><span style="COLOR: #1c3f94">Jim C. Julson</span></b></p>
<p class="MsoNormal"><span style="COLOR: #262626; FONT-SIZE: 10pt">Sr. Network & Systems Administrator</span></p>
<p class="MsoNormal"><span style="COLOR: #262626; FONT-SIZE: 10pt">C 208.908.1476</span></p>
<p class="MsoNormal"><span style="COLOR: #1c3f94; FONT-SIZE: 10pt"><a href="mailto:jjulson@marketron.com" target="_blank"><span style="COLOR: #1c3f94">jjulson@marketron.com</span></a>
</span></p>
<p class="MsoNormal"> </p>
<pre>The information contained in this e-mail message may be confidential and</pre>
<pre>protected from disclosure. If you are not the intended recipient, any</pre>
<pre>dissemination, distribution or copying is strictly prohibited. If you</pre>
<pre>think that you have received this e-mail message in error, please notify</pre>
<pre>the sender immediately by replying to this message and then delete it</pre>
<pre>from your system.</pre>
<pre> </pre>
</div>
</div>
</div>
</div>
</body>
</html>