<div dir="ltr"><font face="courier new, monospace" style="font-size:13px">Hello All,</font><div style="font-family:arial,sans-serif;font-size:13px"><font face="courier new, monospace">I'm running FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on Jan 26 2010 at 18:56:10 Copyright (C) 2000-2006 The FreeRADIUS server project, on CentOS, and for now I am trying to authenticate the same users as in my old users file, but I have now set FreeRADIUS </font><span style="font-family:'courier new',monospace">to send auth packets to an LDAP server, and I don't know what is wrong. Who can help me with this issue?</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><div><font face="courier new, monospace"><br></font></div><div><b><font face="courier new, monospace">#</font></b></div><div><b><font face="courier new, monospace"># MY DEBUG -X -A</font></b></div>
<div><b><font face="courier new, monospace">#</font></b></div><div><font face="courier new, monospace">[root@radius_server raddb]# radiusd -X -A</font></div><div><font face="courier new, monospace">Starting - reading configuration files ...</font></div>
<div><font face="courier new, monospace">reread_config: reading radiusd.conf</font></div><div><font face="courier new, monospace">Config: including file: /etc/raddb/proxy.conf</font></div><div><font face="courier new, monospace">Config: including file: /etc/raddb/clients.conf</font></div>
<div><font face="courier new, monospace">Config: including file: /etc/raddb/snmp.conf</font></div><div><font face="courier new, monospace">Config: including file: /etc/raddb/eap.conf</font></div><div><font face="courier new, monospace"> main: prefix = "/usr"</font></div>
<div><font face="courier new, monospace"> main: localstatedir = "/var"</font></div><div><font face="courier new, monospace"> main: logdir = "/var/log/radius"</font></div><div><font face="courier new, monospace"> main: libdir = "/usr/lib"</font></div>
<div><font face="courier new, monospace"> main: radacctdir = "/var/log/radius/radacct"</font></div><div><font face="courier new, monospace"> main: hostname_lookups = no</font></div><div><font face="courier new, monospace"> main: snmp = no</font></div>
<div><font face="courier new, monospace"> main: max_request_time = 60</font></div><div><font face="courier new, monospace"> main: cleanup_delay = 6</font></div><div><font face="courier new, monospace"> main: max_requests = 4096</font></div>
<div><font face="courier new, monospace"> main: delete_blocked_requests = 0</font></div><div><font face="courier new, monospace"> main: port = 1812</font></div><div><font face="courier new, monospace"> main: allow_core_dumps = no</font></div>
<div><font face="courier new, monospace"> main: log_stripped_names = no</font></div><div><font face="courier new, monospace"> main: log_file = "/var/log/radius/radius.log"</font></div><div><font face="courier new, monospace"> main: log_auth = yes</font></div>
<div><font face="courier new, monospace"> main: log_auth_badpass = yes</font></div><div><font face="courier new, monospace"> main: log_auth_goodpass = yes</font></div><div><font face="courier new, monospace"> main: pidfile = "/var/run/radiusd/radiusd.pid"</font></div>
<div><font face="courier new, monospace"> main: user = "radiusd"</font></div><div><font face="courier new, monospace"> main: group = "radiusd"</font></div><div><font face="courier new, monospace"> main: usercollide = no</font></div>
<div><font face="courier new, monospace"> main: lower_user = "no"</font></div><div><font face="courier new, monospace"> main: lower_pass = "no"</font></div><div><font face="courier new, monospace"> main: nospace_user = "no"</font></div>
<div><font face="courier new, monospace"> main: nospace_pass = "no"</font></div><div><font face="courier new, monospace"> main: checkrad = "/usr/sbin/checkrad"</font></div><div><font face="courier new, monospace"> main: proxy_requests = no</font></div>
<div><font face="courier new, monospace"> proxy: retry_delay = 5</font></div><div><font face="courier new, monospace"> proxy: retry_count = 3</font></div><div><font face="courier new, monospace"> proxy: synchronous = no</font></div>
<div><font face="courier new, monospace"> proxy: default_fallback = yes</font></div><div><font face="courier new, monospace"> proxy: dead_time = 120</font></div><div><font face="courier new, monospace"> proxy: post_proxy_authorize = yes</font></div>
<div><font face="courier new, monospace"> proxy: wake_all_if_all_dead = no</font></div><div><font face="courier new, monospace"> security: max_attributes = 200</font></div><div><font face="courier new, monospace"> security: reject_delay = 3</font></div>
<div><font face="courier new, monospace"> security: status_server = no</font></div><div><font face="courier new, monospace"> main: debug_level = 0</font></div><div><font face="courier new, monospace">read_config_files: reading dictionary</font></div>
<div><font face="courier new, monospace">read_config_files: reading naslist</font></div><div><font face="courier new, monospace">Using deprecated naslist file. Support for this will go away soon.</font></div><div><font face="courier new, monospace">read_config_files: reading clients</font></div>
<div><font face="courier new, monospace">read_config_files: reading realms</font></div><div><font face="courier new, monospace">radiusd: entering modules setup</font></div><div><font face="courier new, monospace">Module: Library search path is /usr/lib</font></div>
<div><font face="courier new, monospace">Module: Loaded exec</font></div><div><font face="courier new, monospace"> exec: wait = yes</font></div><div><font face="courier new, monospace"> exec: program = "(null)"</font></div>
<div><font face="courier new, monospace"> exec: input_pairs = "request"</font></div><div><font face="courier new, monospace"> exec: output_pairs = "(null)"</font></div><div><font face="courier new, monospace"> exec: packet_type = "(null)"</font></div>
<div><font face="courier new, monospace">rlm_exec: Wait=yes but no output defined. Did you mean output=none?</font></div><div><font face="courier new, monospace">Module: Instantiated exec (exec)</font></div><div><font face="courier new, monospace">Module: Loaded expr</font></div>
<div><font face="courier new, monospace">Module: Instantiated expr (expr)</font></div><div><font face="courier new, monospace">Module: Loaded LDAP</font></div><div><font face="courier new, monospace"> ldap: server = "srv01t.MYCOMPANY.net.br"</font></div>
<div><font face="courier new, monospace"> ldap: port = 389</font></div><div><font face="courier new, monospace"> ldap: net_timeout = 1</font></div><div><font face="courier new, monospace"> ldap: timeout = 4</font></div><div>
<font face="courier new, monospace"> ldap: timelimit = 3</font></div><div><font face="courier new, monospace"> ldap: identity = "CN=AUTHENTIC,CN=Users,DC=MYCOMPANY,DC=NET,DC=BR"</font></div><div><font face="courier new, monospace"> ldap: tls_mode = no</font></div>
<div><font face="courier new, monospace"> ldap: start_tls = no</font></div><div><font face="courier new, monospace"> ldap: tls_cacertfile = "(null)"</font></div><div><font face="courier new, monospace"> ldap: tls_cacertdir = "(null)"</font></div>
<div><font face="courier new, monospace"> ldap: tls_certfile = "(null)"</font></div><div><font face="courier new, monospace"> ldap: tls_keyfile = "(null)"</font></div><div><font face="courier new, monospace"> ldap: tls_randfile = "(null)"</font></div>
<div><font face="courier new, monospace"> ldap: tls_require_cert = "allow"</font></div><div><font face="courier new, monospace"> ldap: password = "segredo"</font></div><div><font face="courier new, monospace"> ldap: basedn = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR"</font></div>
<div><font face="courier new, monospace"> ldap: filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"</font></div><div><font face="courier new, monospace"> ldap: base_filter = "(objectclass=radiusprofile)"</font></div>
<div><font face="courier new, monospace"> ldap: default_profile = "(null)"</font></div><div><font face="courier new, monospace"> ldap: profile_attribute = "(null)"</font></div><div><font face="courier new, monospace"> ldap: password_header = "(null)"</font></div>
<div><font face="courier new, monospace"> ldap: password_attribute = "(null)"</font></div><div><font face="courier new, monospace"> ldap: access_attr = "(null)"</font></div><div><font face="courier new, monospace"> ldap: groupname_attribute = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR"</font></div>
<div><font face="courier new, monospace"> ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"</font></div>
<div><font face="courier new, monospace"> ldap: groupmembership_attribute = "(null)"</font></div><div><font face="courier new, monospace"> ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"</font></div>
<div><font face="courier new, monospace"> ldap: ldap_debug = 0</font></div><div><font face="courier new, monospace"> ldap: ldap_connections_number = 5</font></div><div><font face="courier new, monospace"> ldap: compare_check_items = no</font></div>
<div><font face="courier new, monospace"> ldap: access_attr_used_for_allow = yes</font></div><div><font face="courier new, monospace"> ldap: do_xlat = yes</font></div><div><font face="courier new, monospace"> ldap: set_auth_type = yes</font></div>
<div><font face="courier new, monospace">rlm_ldap: Registering ldap_groupcmp for Ldap-Group</font></div><div><font face="courier new, monospace">rlm_ldap: Registering ldap_xlat with xlat_name ldap</font></div><div><font face="courier new, monospace">rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusClass mapped to RADIUS Class</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit</font></div><div><font face="courier new, monospace">rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port</font></div>
<div><font face="courier new, monospace">rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message</font></div><div><b><font face="courier new, monospace">rlm_ldap: LDAP AcmeUserPrivilege mapped to RADIUS Service-Type <-- Need for authorization and access level</font></b></div>
<div><font face="courier new, monospace"><b>rlm_ldap: LDAP AcmeUserClass mapped to RADIUS Service-Type </b><b><-- Need for authorization and access level</b></font></div><div><font face="courier new, monospace"><b>rlm_ldap: LDAP AcmeUserPrivilege mapped to RADIUS Login-Service </b><b><-- Need for authorization and access level</b></font></div>
<div><font face="courier new, monospace">conns: 0x9ef47c0</font></div><div><font face="courier new, monospace">Module: Instantiated ldap (ldap)</font></div><div><font face="courier new, monospace">Module: Loaded preprocess</font></div>
<div><font face="courier new, monospace"> preprocess: huntgroups = "/etc/raddb/huntgroups"</font></div><div><font face="courier new, monospace"> preprocess: hints = "/etc/raddb/hints"</font></div><div>
<font face="courier new, monospace"> preprocess: with_ascend_hack = no</font></div><div><font face="courier new, monospace"> preprocess: ascend_channels_per_line = 23</font></div><div><font face="courier new, monospace"> preprocess: with_ntdomain_hack = no</font></div>
<div><font face="courier new, monospace"> preprocess: with_specialix_jetstream_hack = no</font></div><div><font face="courier new, monospace"> preprocess: with_cisco_vsa_hack = no</font></div><div><font face="courier new, monospace"> preprocess: with_alvarion_vsa_hack = no</font></div>
<div><font face="courier new, monospace">Module: Instantiated preprocess (preprocess)</font></div><div><font face="courier new, monospace">Module: Loaded detail</font></div><div><font face="courier new, monospace"> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"</font></div>
<div><font face="courier new, monospace"> detail: detailperm = 384</font></div><div><font face="courier new, monospace"> detail: dirperm = 493</font></div><div><font face="courier new, monospace"> detail: locking = no</font></div>
<div><font face="courier new, monospace">Module: Instantiated detail (auth_log)</font></div><div><font face="courier new, monospace">Module: Loaded Acct-Unique-Session-Id</font></div><div><font face="courier new, monospace"> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</font></div>
<div><font face="courier new, monospace">Module: Instantiated acct_unique (acct_unique)</font></div><div><font face="courier new, monospace">Module: Loaded realm</font></div><div><font face="courier new, monospace"> realm: format = "suffix"</font></div>
<div><font face="courier new, monospace"> realm: delimiter = "@"</font></div><div><font face="courier new, monospace"> realm: ignore_default = no</font></div><div><font face="courier new, monospace"> realm: ignore_null = no</font></div>
<div><font face="courier new, monospace">Module: Instantiated realm (suffix)</font></div><div><font face="courier new, monospace">Module: Loaded files</font></div><div><font face="courier new, monospace"> files: usersfile = "/etc/raddb/users"</font></div>
<div><font face="courier new, monospace"> files: acctusersfile = "/etc/raddb/acct_users"</font></div><div><font face="courier new, monospace"> files: preproxy_usersfile = "/etc/raddb/preproxy_users"</font></div>
<div><font face="courier new, monospace"> files: compat = "no"</font></div><div><font face="courier new, monospace">Module: Instantiated files (files)</font></div><div><font face="courier new, monospace"> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"</font></div>
<div><font face="courier new, monospace"> detail: detailperm = 384</font></div><div><font face="courier new, monospace"> detail: dirperm = 493</font></div><div><font face="courier new, monospace"> detail: locking = no</font></div>
<div><font face="courier new, monospace">Module: Instantiated detail (detail)</font></div><div><font face="courier new, monospace">Module: Loaded System</font></div><div><font face="courier new, monospace"> unix: cache = no</font></div>
<div><font face="courier new, monospace"> unix: passwd = "/etc/passwd"</font></div><div><font face="courier new, monospace"> unix: shadow = "/etc/shadow"</font></div><div><font face="courier new, monospace"> unix: group = "/etc/group"</font></div>
<div><font face="courier new, monospace"> unix: radwtmp = "/var/log/radius/radwtmp"</font></div><div><font face="courier new, monospace"> unix: usegroup = no</font></div><div><font face="courier new, monospace"> unix: cache_reload = 600</font></div>
<div><font face="courier new, monospace">Module: Instantiated unix (unix)</font></div><div><font face="courier new, monospace">Module: Loaded radutmp</font></div><div><font face="courier new, monospace"> radutmp: filename = "/var/log/radius/radutmp"</font></div>
<div><font face="courier new, monospace"> radutmp: username = "%{User-Name}"</font></div><div><font face="courier new, monospace"> radutmp: case_sensitive = yes</font></div><div><font face="courier new, monospace"> radutmp: check_with_nas = yes</font></div>
<div><font face="courier new, monospace"> radutmp: perm = 384</font></div><div><font face="courier new, monospace"> radutmp: callerid = yes</font></div><div><font face="courier new, monospace">Module: Instantiated radutmp (radutmp)</font></div>
<div><font face="courier new, monospace">Listening on authentication *:1812</font></div><div><font face="courier new, monospace">Listening on accounting *:1813</font></div><div><font face="courier new, monospace">Ready to process requests.</font></div>
<div><font face="courier new, monospace">rad_recv: Access-Request packet from host 10.253.7.156:1812, id=72, length=69</font></div><div><font face="courier new, monospace"> User-Name = "lveiga"</font></div>
<div><font face="courier new, monospace"> User-Password = "mypassword"</font></div><div><font face="courier new, monospace"> NAS-Identifier = "102537156"</font></div><div><font face="courier new, monospace"> NAS-IP-Address = 10.253.7.156</font></div>
<div><font face="courier new, monospace"> NAS-Port = 118751232</font></div><div><font face="courier new, monospace"> Processing the authorize section of radiusd.conf</font></div><div><font face="courier new, monospace">modcall: entering group authorize for request 0</font></div>
<div><font face="courier new, monospace"> modcall[authorize]: module "preprocess" returns ok for request 0</font></div><div><font face="courier new, monospace">radius_xlat: '/var/log/radius/radacct/10.253.7.156/auth-detail-20140210'</font></div>
<div><font face="courier new, monospace">rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.253.7.156/auth-detail-20140210</font></div>
<div><font face="courier new, monospace"> modcall[authorize]: module "auth_log" returns ok for request 0</font></div><div><font face="courier new, monospace">rlm_ldap: - authorize</font></div><div><font face="courier new, monospace">rlm_ldap: performing user authorization for lveiga</font></div>
<div><font face="courier new, monospace">radius_xlat: '(cn=lveiga)'</font></div><div><font face="courier new, monospace">radius_xlat: 'CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR'</font></div><div><font face="courier new, monospace">rlm_ldap: ldap_get_conn: Checking Id: 0</font></div>
<div><font face="courier new, monospace">rlm_ldap: ldap_get_conn: Got Id: 0</font></div><div><font face="courier new, monospace">rlm_ldap: attempting LDAP reconnection</font></div><div><font face="courier new, monospace">rlm_ldap: (re)connect to srv01t.MYCOMPANY.net.br:389, authentication 0</font></div>
<div><font face="courier new, monospace">rlm_ldap: bind as CN=AUTHENTIC,CN=Users,DC=MYCOMPANY,DC=NET,DC=BR/passwordomitted to srv01t.MYCOMPANY.net.br:389</font></div>
<div><font face="courier new, monospace">rlm_ldap: waiting for bind result ...</font></div><div><font face="courier new, monospace">rlm_ldap: Bind was successful</font></div><div><font face="courier new, monospace">rlm_ldap: performing search in CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR, with filter (cn=lveiga)</font></div>
<div><b><font face="courier new, monospace">rlm_ldap: object not found or got ambiguous search result</font></b></div><div><b><font face="courier new, monospace">rlm_ldap: search failed</font></b></div><div><font face="courier new, monospace">rlm_ldap: ldap_release_conn: Release Id: 0</font></div>
<div><font face="courier new, monospace"> modcall[authorize]: module "ldap" returns notfound for request 0</font></div><div><font face="courier new, monospace">modcall: leaving group authorize (returns ok) for request 0</font></div>
<div><b><font face="courier new, monospace">auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user</font></b></div><div><b><font face="courier new, monospace">auth: Failed to validate the user.</font></b></div>
<div><b><font face="courier new, monospace">Login incorrect (rlm_ldap: User not found): [lveiga/mypassword] (from client myhost80.spoig port 118751232)</font></b></div><div><font face="courier new, monospace">Delaying request 0 for 3 seconds</font></div>
<div><font face="courier new, monospace">Finished request 0</font></div><div><font face="courier new, monospace">Going to the next request</font></div><div><font face="courier new, monospace">--- Walking the entire request list ---</font></div>
<div><font face="courier new, monospace">Waking up in 3 seconds...</font></div><div><font face="courier new, monospace">--- Walking the entire request list ---</font></div><div><font face="courier new, monospace">Waking up in 3 seconds...</font></div>
<div><font face="courier new, monospace">--- Walking the entire request list ---</font></div><div><font face="courier new, monospace">Sending Access-Reject of id 72 to 10.253.7.156 port 1812</font></div><div><font face="courier new, monospace">Waking up in 1 seconds...</font></div>
<div><font face="courier new, monospace">--- Walking the entire request list ---</font></div><div><font face="courier new, monospace">Cleaning up request 0 ID 72 with timestamp 52f8d4df</font></div><div><font face="courier new, monospace">Nothing to do. Sleeping until we see a request.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><b><font face="courier new, monospace">#</font></b></div><div><b><font face="courier new, monospace"># MY RLM_LDAP FILE</font></b></div><div><b><font face="courier new, monospace">#</font></b></div>
<div><font face="courier new, monospace"># Lightweight Directory Access Protocol (LDAP)</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This module definition allows you to use LDAP for</font></div>
<div><font face="courier new, monospace"> # authorization and authentication.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # See doc/rlm_ldap for description of configuration options</font></div>
<div><font face="courier new, monospace"> # and sample authorize{} and authenticate{} blocks</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # However, LDAP can be used for authentication ONLY when the</font></div>
<div><font face="courier new, monospace"> # Access-Request packet contains a clear-text User-Password</font></div><div><font face="courier new, monospace"> # attribute. LDAP authentication will NOT work for any other</font></div>
<div><font face="courier new, monospace"> # authentication method.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This means that LDAP servers don't understand EAP. If you</font></div>
<div><font face="courier new, monospace"> # force "Auth-Type = LDAP", and then send the server a</font></div><div><font face="courier new, monospace"> # request containing EAP authentication, then authentication</font></div>
<div><font face="courier new, monospace"> # WILL NOT WORK.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The solution is to use the default configuration, which does</font></div>
<div><font face="courier new, monospace"> # work.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We</font></div>
<div><font face="courier new, monospace"> # really can't emphasize this enough.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> ldap {</font></div>
<div><font face="courier new, monospace"> server = "srv01t.MYCOMPANY.net.br"</font></div><div><font face="courier new, monospace"> identity = "CN=AUTHENTIC,CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR"</font></div>
<div><font face="courier new, monospace"> password = mypassword</font></div><div><font face="courier new, monospace"> basedn = "CN=Users,DC=MYCOMPANY,DC=NET,DC=BR"</font></div><div><font face="courier new, monospace"> filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"</font></div>
<div><font face="courier new, monospace"> ldap_connections_number = 5</font></div><div><font face="courier new, monospace"> timeout = 5</font></div><div><font face="courier new, monospace"> timelimit = 3</font></div>
<div><font face="courier new, monospace"> net_timeout = 1</font></div><div><font face="courier new, monospace"> dictionary_mapping = /etc/raddb/ldap.attrmap</font></div><div><font face="courier new, monospace"> access_attr_used_for_allow = no</font></div>
<div><font face="courier new, monospace"> set_auth_type = no</font></div><div><font face="courier new, monospace"> compare_check_items = yes</font></div><div><font face="courier new, monospace"> do_xlat = yes</font></div>
<div><font face="courier new, monospace">}</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This subsection configures the tls related items</font></div>
<div><font face="courier new, monospace"> # that control how FreeRADIUS connects to an LDAP</font></div><div><font face="courier new, monospace"> # server. It contains all of the "tls_*" configuration</font></div>
<div><font face="courier new, monospace"> # entries used in older versions of FreeRADIUS. Those</font></div><div><font face="courier new, monospace"> # configuration entries can still be used, but we recommend</font></div>
<div><font face="courier new, monospace"> # using these.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> tls {</font></div><div><font face="courier new, monospace"> # Set this to 'yes' to use TLS encrypted connections</font></div>
<div><font face="courier new, monospace"> # to the LDAP database by using the StartTLS extended</font></div><div><font face="courier new, monospace"> # operation.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # The StartTLS operation is supposed to be</font></div><div><font face="courier new, monospace"> # used with normal ldap connections instead of</font></div><div>
<font face="courier new, monospace"> # using ldaps (port 636) connections</font></div><div><font face="courier new, monospace"> start_tls = no</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> # cacertfile = /path/to/cacert.pem</font></div><div><font face="courier new, monospace"> # cacertdir = /path/to/ca/dir/</font></div><div>
<font face="courier new, monospace"> # certfile = /path/to/radius.crt</font></div><div><font face="courier new, monospace"> # keyfile = /path/to/radius.key</font></div><div><font face="courier new, monospace"> # randfile = /path/to/rnd</font></div>
<div><font face="courier new, monospace"> # require_cert = "demand"</font></div><div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div>
<div><font face="courier new, monospace"> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"</font></div><div><font face="courier new, monospace"> # profile_attribute = "radiusProfileDn"</font></div>
<div><font face="courier new, monospace"> # access_attr = "dialupAccess"</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Mapping of RADIUS dictionary attributes to LDAP</font></div>
<div><font face="courier new, monospace"> # directory attributes.</font></div><div><font face="courier new, monospace"> dictionary_mapping = ${raddbdir}/ldap.attrmap</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> # Set password_attribute = nspmPassword to get the</font></div><div><font face="courier new, monospace"> # user's password from a Novell eDirectory</font></div>
<div><font face="courier new, monospace"> # backend. This will work ONLY IF FreeRADIUS has been</font></div><div><font face="courier new, monospace"> # built with the --with-edir configure option.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # password_attribute = userPassword</font></div><div><font face="courier new, monospace"><br></font></div><div>
<font face="courier new, monospace"> # As of 1.1.0, the LDAP module will auto-discover</font></div><div><font face="courier new, monospace"> # the password headers (which are non-standard).</font></div><div>
<font face="courier new, monospace"> # It will use the following table to map passwords</font></div><div><font face="courier new, monospace"> # to RADIUS attributes. The PAP module (see above)</font></div>
<div><font face="courier new, monospace"> # can then automatically determine the hashing</font></div><div><font face="courier new, monospace"> # method to use to authenticate the user.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # Header Attribute</font></div><div><font face="courier new, monospace"> # ------ ---------</font></div><div><font face="courier new, monospace"> # {clear} User-Password</font></div>
<div><font face="courier new, monospace"> # {cleartext} User-Password</font></div><div><font face="courier new, monospace"> # {md5} MD5-Password</font></div><div><font face="courier new, monospace"> # {smd5} SMD5-Password</font></div>
<div><font face="courier new, monospace"> # {crypt} Crypt-Password</font></div><div><font face="courier new, monospace"> # {sha} SHA-Password</font></div><div><font face="courier new, monospace"> # {ssha} SSHA-Password</font></div>
<div><font face="courier new, monospace"> # {nt} NT-Password</font></div><div><font face="courier new, monospace"> # {ns-mta-md5} NS-MTA-MD5-Password</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The headers are compared in a case-insensitive manner.</font></div><div><font face="courier new, monospace"> # The format of the password in LDAP (base 64-encoded, hex,</font></div>
<div><font face="courier new, monospace"> # clear-text, whatever) is not that important. The PAP</font></div><div><font face="courier new, monospace"> # module will figure it out.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # The default for "auto_header" is "no", to enable backwards</font></div><div><font face="courier new, monospace"> # compatibility with the "password_header" directive,</font></div>
<div><font face="courier new, monospace"> # which is now deprecated. If this is set to "yes",</font></div><div><font face="courier new, monospace"> # then the above table will be used, and the</font></div>
<div><font face="courier new, monospace"> # "password_header" directive will be ignored.</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #auto_header = yes</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Un-comment the following to disable Novell</font></div><div><font face="courier new, monospace"> # eDirectory account policy check and intruder</font></div>
<div><font face="courier new, monospace"> # detection. This will work *only if* FreeRADIUS is</font></div><div><font face="courier new, monospace"> # configured to build with --with-edir option.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> #edir_account_policy_check = no</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # Group membership checking. Disabled by default.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # groupname_attribute = cn</font></div>
<div><font face="courier new, monospace"> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"</font></div>
<div><font face="courier new, monospace"> # groupmembership_attribute = radiusGroupName</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> compare_check_items = yes</font></div>
<div><font face="courier new, monospace"> do_xlat = yes</font></div><div><font face="courier new, monospace"> access_attr_used_for_allow = yes</font></div><div><font face="courier new, monospace"><br></font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # By default, if the packet contains a User-Password,</font></div><div><font face="courier new, monospace"> # and no other module is configured to handle the</font></div>
<div><font face="courier new, monospace"> # authentication, the LDAP module sets itself to do</font></div><div><font face="courier new, monospace"> # LDAP bind for authentication.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # You can disable this behavior by setting the following</font></div><div><font face="courier new, monospace"> # configuration entry to "no".</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # allowed values: {no, yes}</font></div><div><font face="courier new, monospace"> set_auth_type = yes</font></div>
<div><font face="courier new, monospace"> }</font></div><div><b><font face="courier new, monospace">#</font></b></div><div><b><font face="courier new, monospace"># MY LDAP.ATTRMAP</font></b></div><div><b><font face="courier new, monospace">#</font></b></div>
<div><font face="courier new, monospace">[root@syslog01 raddb]# cat ldap.attrmap</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># Mapping of RADIUS dictionary attributes to LDAP directory attributes</font></div>
<div><font face="courier new, monospace"># to be used by LDAP authentication and authorization module (rlm_ldap)</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># Format:</font></div>
<div><font face="courier new, monospace"># ItemType RADIUS-Attribute-Name ldapAttributeName</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># Where:</font></div>
<div><font face="courier new, monospace"># ItemType = checkItem or replyItem</font></div><div><font face="courier new, monospace"># RADIUS-Attribute-Name = attribute name in RADIUS dictionary</font></div>
<div><font face="courier new, monospace"># ldapAttributeName = attribute name in LDAP schema</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies</font></div>
<div><font face="courier new, monospace"># a LDAP attribute which can be used to store any RADIUS</font></div><div><font face="courier new, monospace"># attribute/value-pair in LDAP directory.</font></div><div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"># You should edit this file to suit it to your needs.</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"><br></font></div><div>
<font face="courier new, monospace">checkItem $GENERIC$ radiusCheckItem</font></div><div><font face="courier new, monospace">replyItem $GENERIC$ radiusReplyItem</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">checkItem Auth-Type radiusAuthType</font></div>
<div><font face="courier new, monospace">checkItem Simultaneous-Use radiusSimultaneousUse</font></div><div><font face="courier new, monospace">checkItem Called-Station-Id radiusCalledStationId</font></div>
<div><font face="courier new, monospace">checkItem Calling-Station-Id radiusCallingStationId</font></div><div><font face="courier new, monospace">checkItem LM-Password sambaLMPassword</font></div>
<div><font face="courier new, monospace">checkItem NT-Password sambaNTPassword</font></div><div><font face="courier new, monospace">checkItem SMB-Account-CTRL-TEXT sambaAcctFlags</font></div>
<div><font face="courier new, monospace">checkItem Expiration radiusExpiration</font></div><div><font face="courier new, monospace">checkItem NAS-IP-Address radiusNASIpAddress</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">replyItem Service-Type radiusServiceType</font></div><div><font face="courier new, monospace">replyItem Framed-Protocol radiusFramedProtocol</font></div>
<div><font face="courier new, monospace">replyItem Framed-IP-Address radiusFramedIPAddress</font></div><div><font face="courier new, monospace">replyItem Framed-IP-Netmask radiusFramedIPNetmask</font></div>
<div><font face="courier new, monospace">replyItem Framed-Route radiusFramedRoute</font></div><div><font face="courier new, monospace">replyItem Framed-Routing radiusFramedRouting</font></div>
<div><font face="courier new, monospace">replyItem Filter-Id radiusFilterId</font></div><div><font face="courier new, monospace">replyItem Framed-MTU radiusFramedMTU</font></div>
<div><font face="courier new, monospace">replyItem Framed-Compression radiusFramedCompression</font></div><div><font face="courier new, monospace">replyItem Login-IP-Host radiusLoginIPHost</font></div>
<div><font face="courier new, monospace">replyItem Login-Service radiusLoginService</font></div><div><font face="courier new, monospace">replyItem Login-TCP-Port radiusLoginTCPPort</font></div>
<div><font face="courier new, monospace">replyItem Callback-Number radiusCallbackNumber</font></div><div><font face="courier new, monospace">replyItem Callback-Id radiusCallbackId</font></div>
<div><font face="courier new, monospace">replyItem Framed-IPX-Network radiusFramedIPXNetwork</font></div><div><font face="courier new, monospace">replyItem Class radiusClass</font></div>
<div><font face="courier new, monospace">replyItem Session-Timeout radiusSessionTimeout</font></div><div><font face="courier new, monospace">replyItem Idle-Timeout radiusIdleTimeout</font></div>
<div><font face="courier new, monospace">replyItem Termination-Action radiusTerminationAction</font></div><div><font face="courier new, monospace">replyItem Login-LAT-Service radiusLoginLATService</font></div>
<div><font face="courier new, monospace">replyItem Login-LAT-Node radiusLoginLATNode</font></div><div><font face="courier new, monospace">replyItem Login-LAT-Group radiusLoginLATGroup</font></div>
<div><font face="courier new, monospace">replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink</font></div><div><font face="courier new, monospace">replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork</font></div>
<div><font face="courier new, monospace">replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone</font></div><div><font face="courier new, monospace">replyItem Port-Limit radiusPortLimit</font></div>
<div><font face="courier new, monospace">replyItem Login-LAT-Port radiusLoginLATPort</font></div><div><font face="courier new, monospace">replyItem Reply-Message radiusReplyMessage</font></div>
<div><font face="courier new, monospace"><br></font></div><div><b><font face="courier new, monospace">replyItem Service-Type AcmeUserPrivilege <- define user authorization</font></b></div><div>
<b><font face="courier new, monospace">replyItem Login-Service AcmeUserPrivilege <- define user authorization</font></b></div><div><b><font face="courier new, monospace">replyItem Service-Type AcmeUserClass <- define user authorization</font></b></div>
<div><b><font face="courier new, monospace"><br></font></b></div><div><b><font face="courier new, monospace">#</font></b></div><div><b><font face="courier new, monospace"># MY RADIUSD.CONF concerning LDAP</font></b></div>
<div><b><font face="courier new, monospace">#</font></b></div><div><font face="courier new, monospace"> # Lightweight Directory Access Protocol (LDAP)</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # This module definition allows you to use LDAP for</font></div><div><font face="courier new, monospace"> # authorization and authentication.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # See doc/rlm_ldap for description of configuration options</font></div><div><font face="courier new, monospace"> # and sample authorize{} and authenticate{} blocks</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # However, LDAP can be used for authentication ONLY when the</font></div><div><font face="courier new, monospace"> # Access-Request packet contains a clear-text User-Password</font></div>
<div><font face="courier new, monospace"> # attribute. LDAP authentication will NOT work for any other</font></div><div><font face="courier new, monospace"> # authentication method.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # This means that LDAP servers don't understand EAP. If you</font></div><div><font face="courier new, monospace"> # force "Auth-Type = LDAP", and then send the server a</font></div>
<div><font face="courier new, monospace"> # request containing EAP authentication, then authentication</font></div><div><font face="courier new, monospace"> # WILL NOT WORK.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # The solution is to use the default configuration, which does</font></div><div><font face="courier new, monospace"> # work.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We</font></div><div><font face="courier new, monospace"> # really can't emphasize this enough.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> ldap {</font></div><div><font face="courier new, monospace"> server = "<a href="http://srv01t.embratel.net.br/" target="_blank">srv01t.embratel.net.br</a>"</font></div>
<div><font face="courier new, monospace"> port = 389</font></div><div><font face="courier new, monospace"> password = passwordomitted</font></div><div><font face="courier new, monospace"> identity = "CN=AUTHENTIC,CN=Users,DC=MYCONPANY,DC=NET,DC=BR"</font></div>
<div><font face="courier new, monospace"> net_timeout = 1</font></div><div><font face="courier new, monospace"> timeout = 4</font></div><div><font face="courier new, monospace"> timelimit = 3</font></div>
<div><font face="courier new, monospace"> tls_require_cert = "allow"</font></div><div><font face="courier new, monospace"> basedn = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR"</font></div><div><font face="courier new, monospace"> filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"</font></div>
<div><font face="courier new, monospace"> #groupname_attribute = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR"</font></div><div><font face="courier new, monospace"> dictionary_mapping = "/etc/raddb/ldap.attrmap"</font></div>
<div><font face="courier new, monospace"> ldap_debug = 0</font></div><div><font face="courier new, monospace"> ldap_connections_number = 5</font></div><div><font face="courier new, monospace"> compare_check_items = no</font></div>
<div><font face="courier new, monospace"> do_xlat = yes</font></div><div><font face="courier new, monospace"> set_auth_type = yes</font></div><div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> # passwd module allows to do authorization via any passwd-like</font></div><div><font face="courier new, monospace"> # file and to extract any attributes from these modules</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # parameters are:</font></div><div><font face="courier new, monospace"> # filename - path to filename</font></div>
<div><font face="courier new, monospace"> # format - format for filename record. This parameter</font></div><div><font face="courier new, monospace"> # correlates record in the passwd file and RADIUS</font></div>
<div><font face="courier new, monospace"> # attributes.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Field marked as '*' is key field. That is, the parameter</font></div>
<div><font face="courier new, monospace"> # with this name from the request is used to search for</font></div><div><font face="courier new, monospace"> # the record from passwd file</font></div>
<div><font face="courier new, monospace"> # Attribute marked as '=' is added to reply_items instead</font></div><div><font face="courier new, monospace"> # of default configure_items</font></div>
<div><font face="courier new, monospace"> # Attribute marked as '~' is added to request_items</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Field marked as ',' may contain a comma separated list</font></div>
<div><font face="courier new, monospace"> # of attributes.</font></div><div><font face="courier new, monospace"> # authtype - if record found this Auth-Type is used to authenticate</font></div><div>
<font face="courier new, monospace"> # user</font></div><div><font face="courier new, monospace"> # hashsize - hashtable size. If 0 or not specified records are not</font></div><div><font face="courier new, monospace"> # stored in memory and file is read on every request.</font></div>
<div><font face="courier new, monospace"> # allowmultiplekeys - if few records for every key are allowed</font></div><div><font face="courier new, monospace"> # ignorenislike - ignore NIS-related records</font></div>
<div><font face="courier new, monospace"> # delimiter - symbol to use as a field separator in passwd file,</font></div><div><font face="courier new, monospace"> # for format ':' symbol is always used. '\0', '\n' are</font></div>
<div><font face="courier new, monospace"> # not allowed</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # An example configuration for using /etc/smbpasswd.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> #passwd etc_smbpasswd {</font></div><div><font face="courier new, monospace"> # filename = /etc/smbpasswd</font></div>
<div><font face="courier new, monospace"> # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"</font></div><div><font face="courier new, monospace"> # authtype = MS-CHAP</font></div>
<div><font face="courier new, monospace"> # hashsize = 100</font></div><div><font face="courier new, monospace"> # ignorenislike = no</font></div><div><font face="courier new, monospace"> # allowmultiplekeys = no</font></div>
<div><font face="courier new, monospace"> #}</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Similar configuration, for the /etc/group file. Adds a Group-Name</font></div>
<div><font face="courier new, monospace"> # attribute for every group that the user is member of.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> #passwd etc_group {</font></div>
<div><font face="courier new, monospace"> # filename = /etc/group</font></div><div><font face="courier new, monospace"> # format = "=Group-Name:::*,User-Name"</font></div><div><font face="courier new, monospace"> # hashsize = 50</font></div>
<div><font face="courier new, monospace"> # ignorenislike = yes</font></div><div><font face="courier new, monospace"> # allowmultiplekeys = yes</font></div><div><font face="courier new, monospace"> # delimiter = ":"</font></div>
<div><font face="courier new, monospace"> #}</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Realm module, for proxying.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # You can have multiple instances of the realm module to</font></div><div><font face="courier new, monospace"> # support multiple realm syntaxes at the same time. The</font></div>
<div><font face="courier new, monospace"> # search order is defined by the order in the authorize and</font></div><div><font face="courier new, monospace"> # preacct sections.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # Four config options:</font></div><div><font face="courier new, monospace"> # format - must be 'prefix' or 'suffix'</font></div><div>
<font face="courier new, monospace"> # delimiter - must be a single character</font></div><div><font face="courier new, monospace"> # ignore_default - set to 'yes' or 'no'</font></div>
<div><font face="courier new, monospace"> # ignore_null - set to 'yes' or 'no'</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # ignore_default and ignore_null can be set to 'yes' to prevent</font></div>
<div><font face="courier new, monospace"> # the module from matching against DEFAULT or NULL realms. This</font></div><div><font face="courier new, monospace"> # may be useful if you have multiple instances of the</font></div>
<div><font face="courier new, monospace"> # realm module.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # They both default to 'no'.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # 'realm/username'</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # Using this entry, IPASS users have their realm set to "IPASS".</font></div><div><font face="courier new, monospace"> realm IPASS {</font></div><div><font face="courier new, monospace"> format = prefix</font></div>
<div><font face="courier new, monospace"> delimiter = "/"</font></div><div><font face="courier new, monospace"> ignore_default = no</font></div><div><font face="courier new, monospace"> ignore_null = no</font></div>
<div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # 'username@realm'</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> realm suffix {</font></div><div><font face="courier new, monospace"> format = suffix</font></div><div><font face="courier new, monospace"> delimiter = "@"</font></div>
<div><font face="courier new, monospace"> ignore_default = no</font></div><div><font face="courier new, monospace"> ignore_null = no</font></div><div><font face="courier new, monospace"> }</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # 'username%realm'</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> realm realmpercent {</font></div>
<div><font face="courier new, monospace"> format = suffix</font></div><div><font face="courier new, monospace"> delimiter = "%"</font></div><div><font face="courier new, monospace"> ignore_default = no</font></div>
<div><font face="courier new, monospace"> ignore_null = no</font></div><div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # 'domain\user'</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> realm ntdomain {</font></div>
<div><font face="courier new, monospace"> format = prefix</font></div><div><font face="courier new, monospace"> delimiter = "\\"</font></div><div><font face="courier new, monospace"> ignore_default = no</font></div>
<div><font face="courier new, monospace"> ignore_null = no</font></div><div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # A simple value checking module</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # It can be used to check if an attribute value in the request</font></div><div><font face="courier new, monospace"> # matches a (possibly multi valued) attribute in the check</font></div>
<div><font face="courier new, monospace"> # items. This can be used for example for caller-id</font></div><div><font face="courier new, monospace"> # authentication. For the module to run, both the request</font></div>
<div><font face="courier new, monospace"> # attribute and the check items attribute must exist</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # i.e.</font></div>
<div><font face="courier new, monospace"> # A user has an ldap entry with 2 radiusCallingStationId</font></div><div><font face="courier new, monospace"> # attributes with values "12345678" and "12345679". If we</font></div>
<div><font face="courier new, monospace"> # enable rlm_checkval, then any request which contains a</font></div><div><font face="courier new, monospace"> # Calling-Station-Id with one of those two values will be</font></div>
<div><font face="courier new, monospace"> # accepted. Requests with other values for</font></div><div><font face="courier new, monospace"> # Calling-Station-Id will be rejected.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # Regular expressions in the check attribute value are allowed</font></div><div><font face="courier new, monospace"> # as long as the operator is '=~'</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> checkval {</font></div><div><font face="courier new, monospace"> # The attribute to look for in the request</font></div>
<div><font face="courier new, monospace"> item-name = Calling-Station-Id</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # The attribute to look for in check items. Can be multi valued</font></div>
<div><font face="courier new, monospace"> check-name = Calling-Station-Id</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # The data type. Can be</font></div>
<div><font face="courier new, monospace"> # string,integer,ipaddr,date,abinary,octets</font></div><div><font face="courier new, monospace"> data-type = string</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> # If set to yes and we don't find the item-name attribute in the</font></div><div><font face="courier new, monospace"> # request then we send back a reject</font></div>
<div><font face="courier new, monospace"> # DEFAULT is no</font></div><div><font face="courier new, monospace"> #notfound-reject = no</font></div><div><font face="courier new, monospace"> }</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # rewrite arbitrary packets. Useful in accounting and authorization.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The module can also use the Rewrite-Rule attribute. If it</font></div><div><font face="courier new, monospace"> # is set and matches the name of the module instance, then</font></div>
<div><font face="courier new, monospace"> # that module instance will be the only one which runs.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Also if new_attribute is set to yes then a new attribute</font></div>
<div><font face="courier new, monospace"> # will be created containing the value replacewith and it</font></div><div><font face="courier new, monospace"> # will be added to searchin (packet, reply, proxy, proxy_reply or config).</font></div>
<div><font face="courier new, monospace"> # searchfor,ignore_case and max_matches will be ignored in that case.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Backreferences are supported: %{0} will contain the string of the whole match</font></div>
<div><font face="courier new, monospace"> # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # If max_matches is greater than one the backreferences will correspond to the</font></div>
<div><font face="courier new, monospace"> # first match</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> #attr_rewrite sanecallerid {</font></div>
<div><font face="courier new, monospace"> # attribute = Called-Station-Id</font></div><div><font face="courier new, monospace"> # may be "packet", "reply", "proxy", "proxy_reply" or "config"</font></div>
<div><font face="courier new, monospace"> # searchin = packet</font></div><div><font face="courier new, monospace"> # searchfor = "[+ ]"</font></div><div><font face="courier new, monospace"> # replacewith = ""</font></div>
<div><font face="courier new, monospace"> # ignore_case = no</font></div><div><font face="courier new, monospace"> # new_attribute = no</font></div><div><font face="courier new, monospace"> # max_matches = 10</font></div>
<div><font face="courier new, monospace"> # ## If set to yes then the replace string will be appended to the original string</font></div><div><font face="courier new, monospace"> # append = no</font></div>
<div><font face="courier new, monospace"> #}</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Preprocess the incoming RADIUS request, before handing it off</font></div>
<div><font face="courier new, monospace"> # to other modules.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This module processes the 'huntgroups' and 'hints' files.</font></div>
<div><font face="courier new, monospace"> # In addition, it re-writes some weird attributes created</font></div><div><font face="courier new, monospace"> # by some NASes, and converts the attributes into a form which</font></div>
<div><font face="courier new, monospace"> # is a little more standard.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> preprocess {</font></div>
<div><font face="courier new, monospace"> huntgroups = ${confdir}/huntgroups</font></div><div><font face="courier new, monospace"> hints = ${confdir}/hints</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> # This hack changes Ascend's weird port numberings</font></div><div><font face="courier new, monospace"> # to standard 0-??? port numbers so that the "+" works</font></div>
<div><font face="courier new, monospace"> # for IP address assignments.</font></div><div><font face="courier new, monospace"> with_ascend_hack = no</font></div><div><font face="courier new, monospace"> ascend_channels_per_line = 23</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Windows NT machines often authenticate themselves as</font></div><div><font face="courier new, monospace"> # NT_DOMAIN\username</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # If this is set to 'yes', then the NT_DOMAIN portion</font></div><div><font face="courier new, monospace"> # of the user-name is silently discarded.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This configuration entry SHOULD NOT be used.</font></div><div><font face="courier new, monospace"> # See the "realms" module for a better way to handle</font></div>
<div><font face="courier new, monospace"> # NT domains.</font></div><div><font face="courier new, monospace"> with_ntdomain_hack = no</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> # Specialix Jetstream 8500 24 port access server.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # If the user name is 10 characters or longer, a "/"</font></div>
<div><font face="courier new, monospace"> # and the excess characters after the 10th are</font></div><div><font face="courier new, monospace"> # appended to the user name.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # If you're not running that NAS, you don't need</font></div><div><font face="courier new, monospace"> # this hack.</font></div><div><font face="courier new, monospace"> with_specialix_jetstream_hack = no</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Cisco (and Quintum in Cisco mode) sends its VSA attributes</font></div><div><font face="courier new, monospace"> # with the attribute name *again* in the string, like:</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # H323-Attribute = "h323-attribute=value".</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # If this configuration item is set to 'yes', then</font></div><div><font face="courier new, monospace"> # the redundant data in the attribute text is stripped</font></div>
<div><font face="courier new, monospace"> # out. The result is:</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # H323-Attribute = "value"</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # If you're not running a Cisco or Quintum NAS, you don't</font></div><div><font face="courier new, monospace"> # need this hack.</font></div>
<div><font face="courier new, monospace"> with_cisco_vsa_hack = no</font></div><div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Livingston-style 'users' file</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> files {</font></div><div><font face="courier new, monospace"> usersfile = ${confdir}/users</font></div>
<div><font face="courier new, monospace"> acctusersfile = ${confdir}/acct_users</font></div><div><font face="courier new, monospace"> #preproxy_usersfile = ${confdir}/preproxy_users</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # If you want to use the old Cistron 'users' file</font></div><div><font face="courier new, monospace"> # with FreeRADIUS, you should change the next line</font></div>
<div><font face="courier new, monospace"> # to 'compat = cistron'. You can then copy your 'users'</font></div><div><font face="courier new, monospace"> # file from Cistron.</font></div>
<div><font face="courier new, monospace"> compat = no</font></div><div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Write a detailed log of all accounting records received.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> detail {</font></div><div><font face="courier new, monospace"> # Note that we do NOT use NAS-IP-Address here, as</font></div>
<div><font face="courier new, monospace"> # that attribute MAY BE from the originating NAS, and</font></div><div><font face="courier new, monospace"> # NOT from the proxy which actually sent us the</font></div>
<div><font face="courier new, monospace"> # request. The Client-IP-Address attribute is ALWAYS</font></div><div><font face="courier new, monospace"> # the address of the client which sent us the</font></div>
<div><font face="courier new, monospace"> # request.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The following line creates a new detail file for</font></div>
<div><font face="courier new, monospace"> # every radius client (by IP address or hostname).</font></div><div><font face="courier new, monospace"> # In addition, a new detail file is created every</font></div>
<div><font face="courier new, monospace"> # day, so that the detail file doesn't have to go</font></div><div><font face="courier new, monospace"> # through a 'log rotation'</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # If your detail files are large, you may also want</font></div><div><font face="courier new, monospace"> # to add a ':%H' (see doc/variables.txt) to the end</font></div>
<div><font face="courier new, monospace"> # of it, to create a new detail file every hour, e.g.:</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # ..../detail-%Y%m%d:%H</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This will create a new detail file for every hour.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # The Unix-style permissions on the 'detail' file.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The detail file often contains secret or private</font></div>
<div><font face="courier new, monospace"> # information about users. So by keeping the file</font></div><div><font face="courier new, monospace"> # permissions restrictive, we can prevent unwanted</font></div>
<div><font face="courier new, monospace"> # people from seeing that information.</font></div><div><font face="courier new, monospace"> detailperm = 0600</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Certain attributes such as User-Password may be</font></div><div><font face="courier new, monospace"> # "sensitive", so they should not be printed in the</font></div>
<div><font face="courier new, monospace"> # detail file. This section lists the attributes</font></div><div><font face="courier new, monospace"> # that should be suppressed.</font></div><div>
<font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The attributes should be listed one to a line.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> #suppress {</font></div><div><font face="courier new, monospace"> # User-Password</font></div><div><font face="courier new, monospace"> #}</font></div>
<div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Many people want to log authentication requests.</font></div>
<div><font face="courier new, monospace"> # Rather than modifying the server core to print out more</font></div><div><font face="courier new, monospace"> # messages, we can use a different instance of the 'detail'</font></div>
<div><font face="courier new, monospace"> # module, to log the authentication requests to a file.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # You will also need to un-comment the 'auth_log' line</font></div>
<div><font face="courier new, monospace"> # in the 'authorize' section, below.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> detail auth_log {</font></div>
<div><font face="courier new, monospace"> detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # This MUST be 0600, otherwise anyone can read</font></div><div><font face="courier new, monospace"> # the users' passwords!</font></div><div><font face="courier new, monospace"> detailperm = 0600</font></div>
<div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This module logs authentication reply packets sent</font></div>
<div><font face="courier new, monospace"> # to a NAS. Both Access-Accept and Access-Reject packets</font></div><div><font face="courier new, monospace"> # are logged.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # You will also need to un-comment the 'reply_log' line</font></div><div><font face="courier new, monospace"> # in the 'post-auth' section, below.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"># Changed here ----</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> detail reply_log {</font></div>
<div><font face="courier new, monospace"> detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # This MUST be 0600, otherwise anyone can read</font></div><div><font face="courier new, monospace"> # the users' passwords!</font></div><div><font face="courier new, monospace"> detailperm = 0600</font></div>
<div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># Finished here</font></div><div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This module logs packets proxied to a home server.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # You will also need to un-comment the 'pre_proxy_log' line</font></div><div><font face="courier new, monospace"> # in the 'pre-proxy' section, below.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # detail pre_proxy_log {</font></div><div><font face="courier new, monospace"> # detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This MUST be 0600, otherwise anyone can read</font></div>
<div><font face="courier new, monospace"> # the users' passwords!</font></div><div><font face="courier new, monospace"> # detailperm = 0600</font></div><div><font face="courier new, monospace"> # }</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This module logs response packets from a home server.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # You will also need to un-comment the 'post_proxy_log' line</font></div><div><font face="courier new, monospace"> # in the 'post-proxy' section, below.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # detail post_proxy_log {</font></div><div><font face="courier new, monospace"> # detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This MUST be 0600, otherwise anyone can read</font></div>
<div><font face="courier new, monospace"> # the users' passwords!</font></div><div><font face="courier new, monospace"> # detailperm = 0600</font></div><div><font face="courier new, monospace"> # }</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The rlm_sql_log module appends the SQL queries in a log</font></div>
<div><font face="courier new, monospace"> # file which is read later by the radsqlrelay program.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This module only performs the dynamic expansion of the</font></div>
<div><font face="courier new, monospace"> # variables found in the SQL statements. No operation is</font></div><div><font face="courier new, monospace"> # executed on the database server. (this could be done</font></div>
<div><font face="courier new, monospace"> # later by an external program) That means the module is</font></div><div><font face="courier new, monospace"> # useful only with non-"SELECT" statements.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # See rlm_sql_log(5) manpage.</font></div><div><font face="courier new, monospace"> #</font></div><div>
<font face="courier new, monospace"># sql_log {</font></div><div><font face="courier new, monospace"># path = ${radacctdir}/sql-relay</font></div><div><font face="courier new, monospace"># acct_table = "radacct"</font></div>
<div><font face="courier new, monospace"># postauth_table = "radpostauth"</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \</font></div>
<div><font face="courier new, monospace"># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \</font></div><div><font face="courier new, monospace"># AcctSessionTime, AcctTerminateCause) VALUES \</font></div>
<div><font face="courier new, monospace"># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \</font></div><div><font face="courier new, monospace"># '%{Framed-IP-Address}', '%S', '0', '0', '');"</font></div>
<div><font face="courier new, monospace"># Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \</font></div><div><font face="courier new, monospace"># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \</font></div>
<div><font face="courier new, monospace"># AcctSessionTime, AcctTerminateCause) VALUES \</font></div><div><font face="courier new, monospace"># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \</font></div>
<div><font face="courier new, monospace"># '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \</font></div><div><font face="courier new, monospace"># '%{Acct-Terminate-Cause}');"</font></div>
<div><font face="courier new, monospace"># Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \</font></div><div><font face="courier new, monospace"># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \</font></div>
<div><font face="courier new, monospace"># AcctSessionTime, AcctTerminateCause) VALUES \</font></div><div><font face="courier new, monospace"># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \</font></div>
<div><font face="courier new, monospace"># '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"</font></div><div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"># Post-Auth = "INSERT INTO ${postauth_table} \</font></div><div><font face="courier new, monospace"># (user, pass, reply, date) VALUES \</font></div>
<div><font face="courier new, monospace"># ('%{User-Name}', '%{User-Password:-Chap-Password}', \</font></div><div><font face="courier new, monospace"># '%{reply:Packet-Type}', '%S');"</font></div>
<div><font face="courier new, monospace"># }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Create a unique accounting session Id. Many NASes re-use</font></div>
<div><font face="courier new, monospace"> # or repeat values for Acct-Session-Id, causing no end of</font></div><div><font face="courier new, monospace"> # confusion.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # This module will add a (probably) unique session id</font></div><div><font face="courier new, monospace"> # to an accounting packet based on the attributes listed</font></div>
<div><font face="courier new, monospace"> # below found in the packet. See doc/rlm_acct_unique for</font></div><div><font face="courier new, monospace"> # more information.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> acct_unique {</font></div><div><font face="courier new, monospace"> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</font></div>
<div><font face="courier new, monospace"> }</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Include another file that has the SQL-related configuration.</font></div>
<div><font face="courier new, monospace"> # This is another file only because it tends to be big.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # The following configuration file is for use with MySQL.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # For Postgresql, use: ${confdir}/postgresql.conf</font></div><div><font face="courier new, monospace"> # For MS-SQL, use: ${confdir}/mssql.conf</font></div>
<div><font face="courier new, monospace"> # For Oracle, use: ${confdir}/oraclesql.conf</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"># $INCLUDE ${confdir}/sql.conf</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # For Cisco VoIP specific accounting with Postgresql,</font></div>
<div><font face="courier new, monospace"> # use: ${confdir}/pgsql-voip.conf</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # You will also need the sql schema from:</font></div>
<div><font face="courier new, monospace"> # src/billing/cisco_h323_db_schema-postgres.sql</font></div><div><font face="courier new, monospace"> # Note: This config can be used AS WELL AS the standard sql</font></div>
<div><font face="courier new, monospace"> # config if you need SQL based Auth</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Write a 'utmp' style file, of which users are currently</font></div>
<div><font face="courier new, monospace"> # logged in, and where they've logged in from.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # This file is used mainly for Simultaneous-Use checking,</font></div>
<div><font face="courier new, monospace"> # and also 'radwho', to see who's currently logged in.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> radutmp {</font></div>
<div><font face="courier new, monospace"> # Where the file is stored. It's not a log file,</font></div><div><font face="courier new, monospace"> # so it doesn't need rotating.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> filename = ${logdir}/radutmp</font></div><div><font face="courier new, monospace"><br></font></div>
<div><font face="courier new, monospace"> # The field in the packet to key on for the</font></div><div><font face="courier new, monospace"> # 'user' name. If you have other fields which you want</font></div>
<div><font face="courier new, monospace"> # to use to key on to control Simultaneous-Use,</font></div><div><font face="courier new, monospace"> # then you can use them here.</font></div><div>
<font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # Note, however, that the size of the field in the</font></div><div><font face="courier new, monospace"> # 'utmp' data structure is small, around 32</font></div>
<div><font face="courier new, monospace"> # characters, so that will limit the possible choices</font></div><div><font face="courier new, monospace"> # of keys.</font></div><div><font face="courier new, monospace"> #</font></div>
<div><font face="courier new, monospace"> # You may want instead: %{Stripped-User-Name:-%{User-Name}}</font></div><div><font face="courier new, monospace"> username = %{User-Name}</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Whether or not we want to treat "user" the same</font></div>
<div><font face="courier new, monospace"> # as "USER", or "User". Some systems have problems</font></div><div><font face="courier new, monospace"> # with case sensitivity, so this should be set to</font></div>
<div><font face="courier new, monospace"> # 'no' to enable the comparisons of the key attribute</font></div><div><font face="courier new, monospace"> # to be case insensitive.</font></div>
<div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> case_sensitive = yes</font></div><div><font face="courier new, monospace"><br></font></div><div>
<font face="courier new, monospace"> # Accounting information may be lost, so the user MAY</font></div><div><font face="courier new, monospace"> # have logged off of the NAS, but we haven't noticed.</font></div>
<div><font face="courier new, monospace"> # If so, we can verify this information with the NAS.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> # If we want to believe the 'utmp' file, then this</font></div>
<div><font face="courier new, monospace"> # configuration entry can be set to 'no'.</font></div><div><font face="courier new, monospace"> #</font></div><div><font face="courier new, monospace"> check_with_nas = yes</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> # Set the file permissions, as the contents of this file</font></div><div><font face="courier new, monospace"> # are usually private.</font></div>
<div><font face="courier new, monospace"> perm = 0600</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> callerid = "yes"</font></div>
</div></div>
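<div>The configuration above enables the auth_log and reply_log instances of the detail module with detailperm = 0600 but leaves the suppress list commented out. The following is an added example, not part of the original post and not FreeRADIUS project code: a small audit that reads radiusd.conf text and reports, for each active detail instance, whether the file mode grants access beyond the owner and whether User-Password is suppressed. The sample input is constructed from the posted settings; the instance names auth_log_suppressed and auth_log_lax are hypothetical, and only full-line comments are handled.</div>

```python
import re

# Constructed sample: the active 'detail' instances from the configuration
# posted above, plus two hypothetical instances (names are assumptions).
SAMPLE_CONF = r"""
modules {
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        #suppress {
        #    User-Password
        #}
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }
    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }
    detail auth_log_suppressed {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
        suppress {
            User-Password
        }
    }
    detail auth_log_lax {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0644
    }
}
"""

# "name {" or "name instance {" opens a block; a lone "}" closes one.
BLOCK_OPEN = re.compile(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{$")
DETAILPERM = re.compile(r"^detailperm\s*=\s*([0-7]+)$")


def findings(inst):
    """Turn the settings collected for one detail instance into findings."""
    out = []
    perm = inst["perm"]
    if perm is None:
        out.append("detailperm not set explicitly")
    elif perm & 0o077:  # any group/other bit set
        out.append("detailperm %04o grants access beyond the owner" % perm)
    if "user-password" not in inst["suppressed"]:
        out.append("User-Password is not suppressed")
    return out


def audit_detail_instances(conf_text):
    """Return {instance_name: [findings]} for every active detail block."""
    results = {}
    stack = []      # names of enclosing blocks, innermost last
    current = None  # settings of the detail instance being read
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        opened = BLOCK_OPEN.match(line)
        if opened:
            module, instance = opened.group(1), opened.group(2)
            if module == "detail" and current is None:
                current = {"name": instance or "detail", "perm": None,
                           "suppressed": set(), "depth": len(stack)}
            stack.append(module)
            continue
        if line == "}":
            if stack:
                stack.pop()
            if current is not None and len(stack) == current["depth"]:
                results[current["name"]] = findings(current)
                current = None
            continue
        if current is None:
            continue
        if stack[-1] == "suppress":
            current["suppressed"].add(line.lower())  # one attribute per line
        else:
            perm = DETAILPERM.match(line)
            if perm:
                current["perm"] = int(perm.group(1), 8)
    return results


if __name__ == "__main__":
    for name, issues in audit_detail_instances(SAMPLE_CONF).items():
        print(name, "->", issues or "ok")
```

The User-Password finding matters most for instances called from the authorize section, such as auth_log, because they log the incoming request.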