<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]><style id=owaParaStyle>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I do it like this, in users file:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">DEFAULT Ldap-Group == "wifiusers"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">DEFAULT Auth-Type := Reject<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
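<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Anyone in the wifiusers AD security group gets in; all others are rejected. The order matters: the users file is checked top to bottom, so group members match the first DEFAULT and processing stops there (they still have to authenticate), and only non-members reach the Reject line. Ldap-Group comes from the ldap module, so that module has to be configured against AD and enabled for the group check to work.<o:p></o:p></span></p>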
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Nolan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org [mailto:freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org]
<b>On Behalf Of </b>Julson, Jim<br>
<b>Sent:</b> Friday, June 22, 2012 8:32 AM<br>
<b>To:</b> freeradius-users@lists.freeradius.org<br>
<b>Subject:</b> Can't figure out Group Authentication<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black">First, I'd like to thank Alan for his countless hours of dedication to all the blogs, forum postings, and general support within the community.  Your write-ups are thorough
 and well thought out.  I wish more people were like you.  I'm pretty new to RADIUS and, consequently, to Linux in general.  So I might ask questions that seem noobish or lame, but it doesn't mean I'm not willing to learn, research etc. <em><b><u><span style="font-family:'Tahoma','sans-serif'">
 Just bear with me.  </span></u></b></em><o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Now, the problem is this.  Following Alan DeKok's guide at
<a href="http://deployingradius.com/documents/configuration/active_directory.html">
http://deployingradius.com/documents/configuration/active_directory.html</a>, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort.  There were a few things I had to go elsewhere to figure out, but I managed.  I have FreeRADIUS
 set up and authenticating using NTLM_AUTH.  I was able to join my AD 2008 R2 Domain, and I can list users, groups, etc.  This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users.  So the problem is this. 
 It's authenticating...a little too well.  <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">I've added the following entry into "/etc/raddb/clients.conf" to allow AAA on one of my cisco routers.
<o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">*************************************<o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue">client 10.10.0.5 {</span></strong><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue"><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret          = REALSECRETOMMITTED</span></strong></span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue">        shortname   = Cisco-2911-VPCRTR</span></strong><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue"><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype       = cisco</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">}</span></strong></span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><br>
*************************************<o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black">Now, I then set up my Cisco router accordingly, and then did an SSH test to it using my AD Account.  Voila!  It worked great. 
<em><b><u><span style="font-family:"Tahoma","sans-serif"">However, so did every other "Domain User" account in the environment.  </span></u></b></em> This goes back to me being so new to RADIUS and Linux where I don't feel like I'm fully grasping all of the
 directives within the configuration files, and exactly how they all tie together.  I'm getting there, but just not fast enough. 
<o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:red">So, how do I lock down the SSH Authentication to an Active Directory Group of users, or individual users? </span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">
 Remember, go easy on me.  I'll provide whatever you need to help.  I'm assuming you will ask for my RADIUSD -X output, so I've attached that as well. 
<o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black">NOTE:  One thing I don't understand is how, in Alan DeKok's write-up from the link above, he says not to use the "DEFAULT    Auth-Type = ntlm_auth" entry in the "/etc/raddb/users" file,
 but yet that's one of the final steps to test in the write-up.  Maybe it's because I am so new, but I've been through that document probably 30 times line by line, and yet every time I remove that entry, it breaks the Authentication. 
<o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:red">BEGIN RADIUSD -X DEBUG OUTPUT</span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:red">**************************************************************************************************</span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:red">**************************************************************************************************</span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:red">**************************************************************************************************</span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> <o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 2011 at 10:21:08<br>
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.<br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<br>
PARTICULAR PURPOSE.<br>
You may redistribute copies of FreeRADIUS under the terms of the<br>
GNU General Public License v2.<br>
Starting - reading configuration files ...<br>
including configuration file /etc/raddb/radiusd.conf<br>
including configuration file /etc/raddb/proxy.conf<br>
including configuration file /etc/raddb/clients.conf<br>
including files in directory /etc/raddb/modules/<br>
including configuration file /etc/raddb/modules/exec<br>
including configuration file /etc/raddb/modules/attr_rewrite<br>
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login<br>
including configuration file /etc/raddb/modules/ippool<br>
including configuration file /etc/raddb/modules/policy<br>
including configuration file /etc/raddb/modules/inner-eap<br>
including configuration file /etc/raddb/modules/krb5<br>
including configuration file /etc/raddb/modules/ntlm_auth<br>
including configuration file /etc/raddb/modules/radutmp<br>
including configuration file /etc/raddb/modules/digest<br>
including configuration file /etc/raddb/modules/ldap<br>
including configuration file /etc/raddb/modules/sql_log<br>
including configuration file /etc/raddb/modules/otp<br>
including configuration file /etc/raddb/modules/pam<br>
including configuration file /etc/raddb/modules/opendirectory<br>
including configuration file /etc/raddb/modules/expiration<br>
including configuration file /etc/raddb/modules/perl<br>
including configuration file /etc/raddb/modules/etc_group<br>
including configuration file /etc/raddb/modules/attr_filter<br>
including configuration file /etc/raddb/modules/echo<br>
including configuration file /etc/raddb/modules/mschap<br>
including configuration file /etc/raddb/modules/logintime<br>
including configuration file /etc/raddb/modules/detail<br>
including configuration file /etc/raddb/modules/smsotp<br>
including configuration file /etc/raddb/modules/smbpasswd<br>
including configuration file /etc/raddb/modules/wimax<br>
including configuration file /etc/raddb/modules/linelog<br>
including configuration file /etc/raddb/modules/sradutmp<br>
including configuration file /etc/raddb/modules/detail.log<br>
including configuration file /etc/raddb/modules/dynamic_clients<br>
including configuration file /etc/raddb/modules/pap<br>
including configuration file /etc/raddb/modules/unix<br>
including configuration file /etc/raddb/modules/files<br>
including configuration file /etc/raddb/modules/detail.example.com<br>
including configuration file /etc/raddb/modules/counter<br>
including configuration file /etc/raddb/modules/passwd<br>
including configuration file /etc/raddb/modules/mac2vlan<br>
including configuration file /etc/raddb/modules/mac2ip<br>
including configuration file /etc/raddb/modules/preprocess<br>
including configuration file /etc/raddb/modules/acct_unique<br>
including configuration file /etc/raddb/modules/cui<br>
including configuration file /etc/raddb/modules/realm<br>
including configuration file /etc/raddb/modules/checkval<br>
including configuration file /etc/raddb/modules/always<br>
including configuration file /etc/raddb/modules/expr<br>
including configuration file /etc/raddb/modules/chap<br>
including configuration file /etc/raddb/eap.conf<br>
including configuration file /etc/raddb/policy.conf<br>
including files in directory /etc/raddb/sites-enabled/<br>
including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>
including configuration file /etc/raddb/sites-enabled/default<br>
including configuration file /etc/raddb/sites-enabled/control-socket<br>
main {<br>
        user = "radiusd"<br>
        group = "radiusd"<br>
        allow_core_dumps = no<br>
}<br>
including dictionary file /etc/raddb/dictionary<br>
main {<br>
        prefix = "/usr"<br>
        localstatedir = "/var"<br>
        logdir = "/var/log/radius"<br>
        libdir = "/usr/lib64/freeradius"<br>
        radacctdir = "/var/log/radius/radacct"<br>
        hostname_lookups = no<br>
        max_request_time = 30<br>
        cleanup_delay = 5<br>
        max_requests = 1024<br>
        pidfile = "/var/run/radiusd/radiusd.pid"<br>
        checkrad = "/usr/sbin/checkrad"<br>
        debug_level = 0<br>
        proxy_requests = yes<br>
 log {<br>
        stripped_names = no<br>
        auth = no<br>
        auth_badpass = no<br>
        auth_goodpass = no<br>
 }<br>
 security {<br>
        max_attributes = 200<br>
        reject_delay = 1<br>
        status_server = yes<br>
 }<br>
}<br>
radiusd: #### Loading Realms and Home Servers ####<br>
 proxy server {<br>
        retry_delay = 5<br>
        retry_count = 3<br>
        default_fallback = no<br>
        dead_time = 120<br>
        wake_all_if_all_dead = no<br>
 }<br>
 home_server localhost {<br>
        ipaddr = 127.0.0.1<br>
        port = 1812<br>
        type = "auth"<br>
        secret = "testing123"<br>
        response_window = 20<br>
        max_outstanding = 65536<br>
        require_message_authenticator = yes<br>
        zombie_period = 40<br>
        status_check = "status-server"<br>
        ping_interval = 30<br>
        check_interval = 30<br>
        num_answers_to_alive = 3<br>
        num_pings_to_alive = 3<br>
        revive_interval = 120<br>
        status_check_timeout = 4<br>
        irt = 2<br>
        mrt = 16<br>
        mrc = 5<br>
        mrd = 30<br>
 }<br>
 home_server_pool my_auth_failover {<br>
        type = fail-over<br>
        home_server = localhost<br>
 }<br>
 realm example.com {<br>
        auth_pool = my_auth_failover<br>
 }<br>
 realm LOCAL {<br>
 }<br>
</span><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue">radiusd: #### Loading Clients ####</span></strong><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue"><br>
<strong><span style="font-family:"Tahoma","sans-serif""> client 172.16.1.1 {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        require_message_authenticator = no</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        shortname = "Cisco-4507-1"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype = "cisco"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> }</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> client 172.16.1.3 {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        require_message_authenticator = no</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        shortname = "Cisco-4507-2"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype = "cisco"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> }</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> client 172.16.1.2 {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        require_message_authenticator = no</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        shortname = "Cisco-ASA-5520-01"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype = "cisco"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> }</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> client 10.10.0.5 {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        require_message_authenticator = no</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        shortname = "Cisco-2911-VPCRTR"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype = "cisco"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> }</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> client 172.16.1.10 {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        require_message_authenticator = no</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret = "REALSECRETOMMITTED"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        shortname = "Cisco-ASA-5510-GDM"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype = "cisco"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> }</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> client localhost {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        ipaddr = 127.0.0.1</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        require_message_authenticator = no</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        secret = "testing123"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        nastype = "other"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif""> }</span></strong><br>
</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">radiusd: #### Instantiating modules ####<br>
 instantiate {<br>
 Module: Linked to module rlm_exec<br>
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec<br>
  exec {<br>
        wait = no<br>
        input_pairs = "request"<br>
        shell_escape = yes<br>
  }<br>
 Module: Linked to module rlm_expr<br>
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr<br>
 Module: Linked to module rlm_expiration<br>
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration<br>
  expiration {<br>
        reply-message = "Password Has Expired  "<br>
  }<br>
 Module: Linked to module rlm_logintime<br>
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime<br>
  logintime {<br>
        reply-message = "You are calling outside your allowed timespan  "<br>
        minimum-timeout = 60<br>
  }<br>
 }<br>
radiusd: #### Loading Virtual Servers ####<br>
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel<br>
 modules {<br>
 Module: Checking authenticate {...} for more modules to load<br>
 Module: Linked to module rlm_pap<br>
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap<br>
  pap {<br>
        encryption_scheme = "auto"<br>
        auto_header = no<br>
  }<br>
 Module: Linked to module rlm_chap<br>
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap<br>
 Module: Linked to module rlm_mschap<br>
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap<br>
  mschap {<br>
        use_mppe = yes<br>
        require_encryption = no<br>
        require_strong = no<br>
        with_ntdomain_hack = no<br>
  }<br>
</span><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue;background:white"> Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth</span></strong><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue;background:white"><br>
<strong><span style="font-family:"Tahoma","sans-serif"">  exec ntlm_auth {</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        wait = yes</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYREALDOMAIN-OMMITTED --username=%{mschap:User-Name} --password=%{User-Password}"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        input_pairs = "request"</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">        shell_escape = yes</span></strong><br>
<strong><span style="font-family:"Tahoma","sans-serif"">  }</span></strong></span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><br>
 Module: Linked to module rlm_unix<br>
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix<br>
  unix {<br>
        radwtmp = "/var/log/radius/radwtmp"<br>
  }<br>
 Module: Linked to module rlm_eap<br>
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf<br>
  eap {<br>
        default_eap_type = "md5"<br>
        timer_expire = 60<br>
        ignore_unknown_eap_types = no<br>
        cisco_accounting_username_bug = no<br>
        max_sessions = 4096<br>
  }<br>
 Module: Linked to sub-module rlm_eap_md5<br>
 Module: Instantiating eap-md5<br>
 Module: Linked to sub-module rlm_eap_leap<br>
 Module: Instantiating eap-leap<br>
 Module: Linked to sub-module rlm_eap_gtc<br>
 Module: Instantiating eap-gtc<br>
   gtc {<br>
        challenge = "Password: "<br>
        auth_type = "PAP"<br>
   }<br>
 Module: Linked to sub-module rlm_eap_tls<br>
 Module: Instantiating eap-tls<br>
   tls {<br>
        rsa_key_exchange = no<br>
        dh_key_exchange = yes<br>
        rsa_key_length = 512<br>
        dh_key_length = 512<br>
        verify_depth = 0<br>
        CA_path = "/etc/raddb/certs"<br>
        pem_file_type = yes<br>
        private_key_file = "/etc/raddb/certs/server.pem"<br>
        certificate_file = "/etc/raddb/certs/server.pem"<br>
        CA_file = "/etc/raddb/certs/ca.pem"<br>
        private_key_password = "whatever"<br>
        dh_file = "/etc/raddb/certs/dh"<br>
        random_file = "/etc/raddb/certs/random"<br>
        fragment_size = 1024<br>
        include_length = yes<br>
        check_crl = no<br>
        cipher_list = "DEFAULT"<br>
    cache {<br>
        enable = no<br>
        lifetime = 24<br>
        max_entries = 255<br>
    }<br>
    verify {<br>
    }<br>
   }<br>
 Module: Linked to sub-module rlm_eap_ttls<br>
 Module: Instantiating eap-ttls<br>
   ttls {<br>
        default_eap_type = "md5"<br>
        copy_request_to_tunnel = no<br>
        use_tunneled_reply = no<br>
        virtual_server = "inner-tunnel"<br>
        include_length = yes<br>
   }<br>
 Module: Linked to sub-module rlm_eap_peap<br>
 Module: Instantiating eap-peap<br>
   peap {<br>
        default_eap_type = "mschapv2"<br>
        copy_request_to_tunnel = no<br>
        use_tunneled_reply = no<br>
        proxy_tunneled_request_as_eap = yes<br>
        virtual_server = "inner-tunnel"<br>
   }<br>
 Module: Linked to sub-module rlm_eap_mschapv2<br>
 Module: Instantiating eap-mschapv2<br>
   mschapv2 {<br>
        with_ntdomain_hack = no<br>
   }<br>
 Module: Checking authorize {...} for more modules to load<br>
 Module: Linked to module rlm_realm<br>
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm<br>
  realm suffix {<br>
        format = "suffix"<br>
        delimiter = "@"<br>
        ignore_default = no<br>
        ignore_null = no<br>
  }<br>
 Module: Linked to module rlm_files<br>
 Module: Instantiating module "files" from file /etc/raddb/modules/files<br>
  files {<br>
        usersfile = "/etc/raddb/users"<br>
        acctusersfile = "/etc/raddb/acct_users"<br>
        preproxy_usersfile = "/etc/raddb/preproxy_users"<br>
        compat = "no"<br>
  }<br>
 Module: Checking session {...} for more modules to load<br>
 Module: Linked to module rlm_radutmp<br>
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp<br>
  radutmp {<br>
        filename = "/var/log/radius/radutmp"<br>
        username = "%{User-Name}"<br>
        case_sensitive = yes<br>
        check_with_nas = yes<br>
        perm = 384<br>
        callerid = yes<br>
  }<br>
 Module: Checking post-proxy {...} for more modules to load<br>
 Module: Checking post-auth {...} for more modules to load<br>
 Module: Linked to module rlm_attr_filter<br>
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter<br>
  attr_filter attr_filter.access_reject {<br>
        attrsfile = "/etc/raddb/attrs.access_reject"<br>
        key = "%{User-Name}"<br>
  }<br>
 } # modules<br>
} # server<br>
server { # from file /etc/raddb/radiusd.conf<br>
 modules {<br>
 Module: Checking authenticate {...} for more modules to load<br>
 Module: Linked to module rlm_digest<br>
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest<br>
 Module: Checking authorize {...} for more modules to load<br>
 Module: Linked to module rlm_preprocess<br>
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess<br>
  preprocess {<br>
        huntgroups = "/etc/raddb/huntgroups"<br>
        hints = "/etc/raddb/hints"<br>
        with_ascend_hack = no<br>
        ascend_channels_per_line = 23<br>
        with_ntdomain_hack = no<br>
        with_specialix_jetstream_hack = no<br>
        with_cisco_vsa_hack = no<br>
        with_alvarion_vsa_hack = no<br>
  }<br>
 Module: Checking preacct {...} for more modules to load<br>
 Module: Linked to module rlm_acct_unique<br>
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique<br>
  acct_unique {<br>
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>
  }<br>
 Module: Checking accounting {...} for more modules to load<br>
 Module: Linked to module rlm_detail<br>
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail<br>
  detail {<br>
        detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>
        header = "%t"<br>
        detailperm = 384<br>
        dirperm = 493<br>
        locking = no<br>
        log_packet_header = no<br>
  }<br>
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter<br>
  attr_filter attr_filter.accounting_response {<br>
        attrsfile = "/etc/raddb/attrs.accounting_response"<br>
        key = "%{User-Name}"<br>
  }<br>
 Module: Checking session {...} for more modules to load<br>
 Module: Checking post-proxy {...} for more modules to load<br>
 Module: Checking post-auth {...} for more modules to load<br>
 } # modules<br>
} # server<br>
radiusd: #### Opening IP addresses and Ports ####<br>
listen {<br>
        type = "auth"<br>
        ipaddr = *<br>
        port = 0<br>
}<br>
listen {<br>
        type = "acct"<br>
        ipaddr = *<br>
        port = 0<br>
}<br>
listen {<br>
        type = "control"<br>
 listen {<br>
        socket = "/var/run/radiusd/radiusd.sock"<br>
 }<br>
}<br>
listen {<br>
        type = "auth"<br>
        ipaddr = 127.0.0.1<br>
        port = 18120<br>
}<br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /var/run/radiusd/radiusd.sock<br>
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel<br>
Listening on proxy address * port 1814<br>
Ready to process requests.<o:p></o:p></span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black"> <o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:red">**************************************************************************************************</span></strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:red">**************************************************************************************************</span></strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:red">**************************************************************************************************</span></strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black"><o:p></o:p></span></p>
<p><strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:red">END RADIUSD -X DEBUG OUTPUT</span></strong><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:#1C3F94">Jim C. Julson</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;color:#262626">Sr. Network & Systems Administrator</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;color:#262626">C 208.908.1476</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;color:#1C3F94"><a href="mailto:jjulson@marketron.com"><span style="color:#1C3F94">jjulson@marketron.com</span></a>
<o:p></o:p></span></p>
</div>
</body>
</html>