Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2005
- 219 participants
- 323 discussions
Hello everyone!
Please help me! I need to authorise cisco ports, using Radius.
Please tell me, witch parameters I need to put in radiusd.conf for using Active Directory database.
Thanks a lot!
Nikolai.
1
0
Thanks for responding Marcin, just to double check:
I added those details into radgroupcheck:
mysql> select * from radgroupcheck;
+----+-----------+---------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+---------------------+----+-------+
| 1 | 24Hours | Max-Daily-Session | := | 86400 |
| 2 | 24Hours | Max-Weekly-Session | := | 86400 |
| 3 | 24Hours | Max-Monthly-Session | := | 86400 |
| 4 | 24Hours | Max-All-Session | := | 86400 |
| 5 | 10Mins | Max-Daily-Session | := | 600 |
| 6 | 10Mins | Max-Weekly-Session | := | 600 |
| 7 | 10Mins | Max-Monthly-Session | := | 600 |
| 8 | 10Mins | Max-All-Session | := | 600 |
+----+-----------+---------------------+----+-------+
8 rows in set (0.00 sec)
mysql>
==
My sqlcounter.conf is exactly the same.
I have added this:
$INCLUDE ${confdir}/sqlcounter.conf
Into the radiusd.conf
==
When I fire up radius in debug mode I get these messages for sqlcounter:
Module: Loaded SQL Counter
sqlcounter: counter-name = "Daily-Session-Time"
sqlcounter: check-name = "Max-Daily-Session"
sqlcounter: key = "User-Name"
sqlcounter: sqlmod-inst = "sql"
sqlcounter: query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
sqlcounter: reset = "daily"
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 1671
rlm_sqlcounter: Check attribute Max-Daily-Session is number 1672
rlm_sqlcounter: Current Time: 1121220718 [2005-07-13 12:11:58], Next
reset 1121263200 [2005-07-14 00:00:00]
rlm_sqlcounter: Current Time: 1121220718 [2005-07-13 12:11:58], Prev
reset 1121176800 [2005-07-13 00:00:00]
Module: Instantiated sqlcounter (dailycounter)
==
I read the experimental.conf but I can't seem to understand where the
counters are reset, which table ?
Could you give me an example of the table so I can see what it should
look like ? (daily totals)
I don't really have any need to disconnect people after a certain period
of time, just need daily and monthly totals.
Thanks again, greatly appreciated ! :)
Regards,
--
Ross
-----Original Message-----
From: Marcin Jessa [mailto:lists@yazzy.org]
Sent: Tuesday, 12 July 2005 6:03 PM
To: FreeRadius users mailing list
Cc: Ross Tsolakidis
Subject: Re: sql counter clarification and issues
On Tue, 12 Jul 2005 15:21:52 +1000
"Ross Tsolakidis" <Ross.Tsolakidis(a)day3.com.au> wrote:
> Ok, now I'm really confused :(
>
> Can someone please clarify exactly what does the sqlcounter module do
?
> Basically I need to calculate the data on a daily basis for each user.
sqlcounter works fine.
Your radgroupcheck or radcheck needs to have the same attributes you
have in your sqlcounter config.
Check out mine:
http://www.yazzy.org/configs/linux/freeradius/sqlcounter.conf
mysql> select * from radgroupcheck;
+----+-----------+---------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+---------------------+----+-------+
| 1 | 24hours | Max-Daily-Session | := | 86400 |
| 2 | 24hours | Max-Weekly-Session | := | 86400 |
| 3 | 24hours | Max-Monthly-Session | := | 86400 |
| 4 | 24hours | Max-All-Session | := | 86400 |
| 5 | 10mins | Max-Daily-Session | := | 600 |
| 6 | 10mins | Max-Weekly-Session | := | 600 |
| 7 | 10mins | Max-Monthly-Session | := | 600 |
| 8 | 10mins | Max-All-Session | := | 600 |
+----+-----------+---------------------+----+-------+
8 rows in set (0.00 sec)
Read experimental.conf, it describes the module.
It count's user's online time stored in the raddacct table and based on
that info allows user to log in if her allowed session time is not
exceeded.
This can be done on daily, weekly, monthly or total basis.
> Thanks for your patience :)
Read former postings to the list describing the behaviour and
functionality of the module.
People tend to be more patient if they know you did some work on your
own.
Cheers,
Marcin Jessa
>
> -----Original Message-----
> From: freeradius-users-bounces(a)lists.freeradius.org
> [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of
> Ross Tsolakidis
> Sent: Tuesday, 5 July 2005 2:14 PM
> To: FreeRadius users mailing list
> Subject: RE: sql counter clarification and issues
>
> Yes the server is receiving accounting packets.
> The SQL rows are updating every 5 mins, (I have the NAS set to send
> accounting packets every 5 mins).
>
> I run it in debug mode, I see:
> Module: Loaded SQL Counter
> sqlcounter: counter-name = "Daily-Session-Time"
> sqlcounter: check-name = "Max-Daily-Session"
> sqlcounter: key = "User-Name"
> sqlcounter: sqlmod-inst = "sqlcca3"
> sqlcounter: query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{%k}'
> AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> sqlcounter: reset = "1h"
> rlm_sqlcounter: Counter attribute Daily-Session-Time is number 1671
> rlm_sqlcounter: Check attribute Max-Daily-Session is number 1672
> rlm_sqlcounter: num=1, last=h
> rlm_sqlcounter: Current Time: 1120532709 [2005-07-05 13:05:09], Next
> reset 1120536000 [2005-07-05 14:00:00]
> rlm_sqlcounter: num=1, last=h
> rlm_sqlcounter: Current Time: 1120532709 [2005-07-05 13:05:09], Prev
> reset 1120532400 [2005-07-05 13:00:00]
> Module: Instantiated sqlcounter (dailycounter)
>
> But no reset.
>
> Does anyone have this working, if so, what am I looking for, what am I
> supposed to see ?
>
> Thanks :)
>
> Regards,
> --
> Ross
>
> -----Original Message-----
> From: freeradius-users-bounces(a)lists.freeradius.org
> [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of
> Alan DeKok
> Sent: Tuesday, 5 July 2005 2:05 AM
> To: FreeRadius users mailing list
> Subject: Re: sql counter clarification and issues
>
> "Ross Tsolakidis" <Ross.Tsolakidis(a)day3.com.au> wrote:
> > At midnight every night will it begin a new row in SQL ?
>
> I don't know, I've never used the module.
>
> > Because at the moment there are no new rows being created, no
> > counters
>
> > being reset.
>
> Is the server receiving accounting packets?
>
> Run it in debug mode with "reset=hour", and spend some time looking
> at what it's doing.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
2
1
Hi,
Comments inlined.
On Tue, 2005-07-12 at 11:15 -0700, jp(a)joshmp.com wrote:
> I appologize in advance, but I am new to FreeRADIUS and RADIUS in
general.
>
> Here is my setup:
> - Server with FreeRADIUS 1.0.4 --with-edir on FreeBSD 4.11
> - Server with NetWare 6.5.4
>
> Here is what I am trying to accomplish:
> - Get FreeRADIUS to authenticate VPN users (Cisco VPN Contentrator) to
LDAP
> database in NetWare tree.
>
> Here is what I DON'T want to do:
> - Mess with eDirectory (profiles, extending the schema, etc.)
>
> Basically, when this configuration is moved into production,
FreeRADIUS would
> authenticate users who IDs already exist in a complex, mature NetWare
eDir tree.
> I don't want to mess with Universal Passwords, extending the schema,
etc. I
> have already sucessfully configured the Cisco VPN Concentrator to
authenticate
> users using FreeRADIUS and the UNIX users list. However, I can't get
FreeRADIUS
> to successfully query the LDAP database on the NetWare server.
>
> I have been through Novell's documentation, but their docs include
building
> RADIUS profiles, extending the schema, etc. This is something that I
am not
> going to be able to do. I have also been up and down the web,
FreeRADIUS mail
> lists, docs, etc. I have found threads where it is mentioned that you
can get
> FreeRADIUS to authenticate users to a NetWare LDAP directory using
cleartext,
> but I have not been able to do this myself.
>
> I would like to take this in stages:
> 1. Succesfully query LDAP without security (with the assumption that
this would
> be the easiest first step).
The debug output shows that FreeRADIUS is already doing this,
> 2. Get FreeRADIUS to query LDAP securely.
This also can be configured.
>
> Below you will find the following:
> - Text from radiusd.conf file
> - Output from radiusd -X
> - Text from radius.log file
>
<- Snipped,....
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication (Auth-Type := LDAP)
> #
> # See doc/rlm_ldap for description of configuration options
> # and sample authorize{} and authenticate{} blocks
> ldap {
> server = "10.1.1.71"
> identity = "cn=admin,o=radius"
> password = pass
> basedn = "o=radius"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
>
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with
normal
> # ldap connections instead of using ldaps (port 689)
connections
> start_tls = no
Set start_tls = yes for making a secure connection to eDirectory.
>
> # tls_cacertfile = /path/to/cacert.pem
Set the path to eDirectory CA cert here.
> # tls_cacertdir = /path/to/ca/dir/
> # tls_certfile = /path/to/radius.crt
> # tls_keyfile = /path/to/radius.key
> # tls_randfile = /path/to/rnd
> # tls_require_cert = "demand"
>
> # default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "dialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
>
> #
> # NOTICE: The password_header directive is NOT case
insensitive
> #
> # password_header = "{clear}"
> #
> # Set:
> password_attribute = nspmPassword
Set password_attribute to anything other than nspmPassword or
comment
out this attribute. This will make sure FreeRADIUS does not try to read
Universal Password.
> #
> # to get the user's password from a Novell eDirectory
> # backend. This will work *only if* freeRADIUS is
> # configured to build with --with-edir option.
> #
> #
> # The server can usually figure this out on its own,
and pull
> # the correct User-Password or NT-Password from the
database.
> #
> # Note that NT-Passwords MUST be stored as a 32-digit
hex
> # string, and MUST start off with "0x", such as:
> #
> # 0x000102030405060708090a0b0c0d0e0f
> #
> # Without the leading "0x", NT-Passwords will not
work.
> # This goes for NT-Passwords stored in SQL, too.
> #
> # password_attribute = userPassword
> #
> # Un-comment the following to disable Novell
eDirectory account
> # policy check and intruder detection. This will work
*only if*
> # FreeRADIUS is configured to build with --with-edir
option.
> #
> edir_account_policy_check=yes
> #
> # groupname_attribute = cn
> # groupmembership_filter =
>
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> # groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # do_xlat = yes
> # access_attr_used_for_allow = yes
> }
>
<-Snipped....
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:2302, id=75,
length=57
> User-Name = "admin"
> User-Password = "pass"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 10
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for admin
> radius_xlat: '(uid=admin)'
> radius_xlat: 'o=radius'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.1.1.71:389, authentication 0
> rlm_ldap: bind as cn=admin,o=radius/pass to 10.1.1.71:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=radius, with filter (uid=admin)
As you can see FreeRADIUS is already querying eDirectory for user
information.
> rlm_ldap: Error reading Universal Password.Return Code = 80
See comments on password_attribute.
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user admin authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System
The Auth-Type is set to System. I reckon this is done by one of
the
default entries in users file. What is the authentication mechanism you
want to use? If you want to use authentication methods like CHAP,
MS-CHAP, EAP etc you will have to enable Universal Password. However if
you just want to authenticate against eDirectory with plain text
password then you need not read Universal Password. You must enable the
ldap module in the authenticate section.
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module "unix" returns notfound for request 0
> modcall: group authenticate returns notfound for request 0
> auth: Failed to validate the user.
> Processing the post-auth section of radiusd.conf
> modcall: entering group Post-Auth-Type for request 0
> modcall[post-auth]: module "ldap" returns noop for request 0
> modcall: group Post-Auth-Type returns noop for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 75 to 127.0.0.1:2302
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 75 with timestamp 42d39d5d
> Nothing to do. Sleeping until we see a request.
> -----END RADIUSD DEBUG-----
>
> The line that I find disturbing is the "error reading Universal
Password" line.
> I assume that I must edit my config in some way so that FreeRADIUS is
not
> attempting to read a Universal Password, or somehow tells NLDAP not to
send a
> Universal Password.
Hope this helps.
Get back to me in case you have any further queries.
-Sayantan.
1
0
Hi,
i try to install 802.1x enviroment (windows 2000 -> Cisco Switch ->
freeradius).
The switch only allow auhtentificated clients (windows) to send packets to
the intranet. All works well, but all the time freeradius reject because no
User-Password, but i insert one in the login screen.
System: Freeradius 1.0.4, Windows 2000, Cisco 3550
Log:
rad_recv: Access-Request packet from host 192.168.1.3:1812, id=6, length=98
NAS-IP-Address = 192.168.1.3
NAS-Port = 50010
NAS-Port-Type = Ethernet
User-Name = "test"
Calling-Station-Id = "00-04-75-DA-4C-C8"
Service-Type = Framed-User
EAP-Message = 0x020100090174657374
Message-Authenticator = 0x05ada6b6c1de489b42a378805df01aac
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry test at line 54
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
User Entry:
test Auth-Type := Local, User-Passwort == "xxx"
Service-Type = Framed-User
And i insert the password in the login screen (windows client)
Thx for help and hints
--
Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie!
Ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl
3
5
I appologize in advance, but I am new to FreeRADIUS and RADIUS in general.
Here is my setup:
- Server with FreeRADIUS 1.0.4 --with-edir on FreeBSD 4.11
- Server with NetWare 6.5.4
Here is what I am trying to accomplish:
- Get FreeRADIUS to authenticate VPN users (Cisco VPN Contentrator) to LDAP
database in NetWare tree.
Here is what I DON'T want to do:
- Mess with eDirectory (profiles, extending the schema, etc.)
Basically, when this configuration is moved into production, FreeRADIUS would
authenticate users who IDs already exist in a complex, mature NetWare eDir tree.
I don't want to mess with Universal Passwords, extending the schema, etc. I
have already sucessfully configured the Cisco VPN Concentrator to authenticate
users using FreeRADIUS and the UNIX users list. However, I can't get FreeRADIUS
to successfully query the LDAP database on the NetWare server.
I have been through Novell's documentation, but their docs include building
RADIUS profiles, extending the schema, etc. This is something that I am not
going to be able to do. I have also been up and down the web, FreeRADIUS mail
lists, docs, etc. I have found threads where it is mentioned that you can get
FreeRADIUS to authenticate users to a NetWare LDAP directory using cleartext,
but I have not been able to do this myself.
I would like to take this in stages:
1. Succesfully query LDAP without security (with the assumption that this would
be the easiest first step).
2. Get FreeRADIUS to query LDAP securely.
Below you will find the following:
- Text from radiusd.conf file
- Output from radiusd -X
- Text from radius.log file
Here is my radiusd.conf file. I have included the entire file since I am afraid
that if I only include what I deem to be relevant information, I will be leaving
out something crucial:
-----BEGIN RADIUSD.CONF-----
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.188.2.4 2005/06/11 22:20:40 nbk Exp $
##
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
#user = nobody
#group = nobody
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
bind_address = *
# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
port = 0
#
# By default, the server uses "bind_address" to listen to all IP's
# on a machine, or just one IP. The "port" configuration is used
# to select the authentication port used when listening on those
# addresses.
#
# If you want the server to listen on additional addresses, you can
# use the "listen" section. A sample section (commented out) is included
# below. This "listen" section duplicates the functionality of the
# "bind_address" and "port" configuration entries, but it only listens
# for authentication packets.
#
# If you comment out the "bind_address" and "port" configuration entries,
# then it becomes possible to make the server accept only accounting,
# or authentication packets. Previously, it always listened for both
# types of packets, and it was impossible to make it listen for only
# one type of packet.
#
#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = no
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
# WARNING
# !!!!!!! Setting this to "yes" may result in the server behaving
# !!!!!!! strangely. The "username collision" code will ONLY work
# !!!!!!! with clear-text passwords. Even then, it may not do what
# !!!!!!! you want, or what you expect.
# !!!!!!!
# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
# !!!!!!! and that you find another way of acheiving the same goal.
# !!!!!!!
# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
# WARNING
#
usercollide = no
# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request and then try
# to auth the user. If "after", the server will first auth using the
# values provided by the user. If that fails it will reprocess the
# request after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is the
# admin's job to ensure that the username on the auth db side is
# *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no
# nospace_user / nospace_pass:
#
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# delayed_reject: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# Normally this should be set to "no", because they're useless.
# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
#
# However, certain NAS boxes may require them.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept packet, containing a Reply-Message attribute,
# which is a string describing how long the server has been
# running.
#
status_server = no
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
# proxy_requests = yes
# $INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if SNMP support was enabled
# at compile time.
#
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
#
# snmp = no
# $INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# below for an example.
#
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
encryption_scheme = crypt
}
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
# Unix /etc/passwd style authentication
#
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them.
#
# For FreeBSD and NetBSD, you do NOT want to enable
# the cache, as it's password lookups are done via a
# database, so set this value to 'no'.
#
# Some systems (e.g. RedHat Linux with pam_pwbd) can
# take *seconds* to check a password, when th passwd
# file containing 1000's of entries. For those systems,
# you should set the cache value to 'yes', and set
# the locations of the 'passwd', 'shadow', and 'group'
# files, below.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, leave the following entries
# commented out.
#
# This is required for some systems, like FreeBSD,
# and Mac OSX.
#
# passwd = /etc/passwd
# shadow = /etc/shadow
# group = /etc/group
#
# The location of the "wtmp" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE ${confdir}/eap.conf
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
#
#require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
#require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "10.1.1.71"
identity = "cn=admin,o=radius"
password = pass
basedn = "o=radius"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
edir_account_policy_check=yes
#
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
# authtype - if record found this Auth-Type is used to authenticate
# user
# hashsize - hashtable size. If 0 or not specified records are not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
# Similar configuration, for the /etc/group file. Adds a Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'
#
# ignore_default and ignore_null can be set to 'yes' to prevent
# the module from matching against DEFAULT or NULL realms. This
# may be useful if you have have multiple instances of the
# realm module.
#
# They both default to 'no'.
#
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy, proxy_reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported: %{0} will contain the string the whole match
# and %{1} to %{8} will contain the contents of the 1st to the 8th
parentheses
#
# If max_matches is greater than one the backreferences will correspond
to the
# first match
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the
original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
}
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
# Create a unique accounting session Id. Many NASes re-use or
# repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
#
# $INCLUDE ${confdir}/sql.conf
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/pgsql-voip.conf
#
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
expr {
}
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
wait = yes
input_pairs = request
}
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
}
# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask: The network mask used for the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800
# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex
# override: Will this ippool override a Framed-IP-Address
already set
override = no
# maximum-timeout: If not zero specifies the maximum time in
seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
# ANSI X9.9 token support. Not included by default.
# $INCLUDE ${confdir}/x99.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap
#
# Read the 'users' file
files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users' file
files
}
#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
# sql
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Querie" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log
#
# After authenticating the user, do another SQL qeury.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
#
Post-Auth-Type REJECT {
ldap
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}
-----END RADIUSD.CONF-----
Here is the debug info captured when radiusd is started and the radtest command
is executed:
radius# radtest admin pass localhost 10 testing123
-----BEGIN RADIUSD DEBUG-----
radius# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded LDAP
ldap: server = "10.1.1.71"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=admin,o=radius"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "pass"
ldap: basedn = "o=radius"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "nspmPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8085400
Module: Instantiated ldap (ldap)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:2302, id=75, length=57
User-Name = "admin"
User-Password = "pass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for admin
radius_xlat: '(uid=admin)'
radius_xlat: 'o=radius'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.1.71:389, authentication 0
rlm_ldap: bind as cn=admin,o=radius/pass to 10.1.1.71:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=radius, with filter (uid=admin)
rlm_ldap: Error reading Universal Password.Return Code = 80
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user admin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 0
modcall[post-auth]: module "ldap" returns noop for request 0
modcall: group Post-Auth-Type returns noop for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 75 to 127.0.0.1:2302
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 75 with timestamp 42d39d5d
Nothing to do. Sleeping until we see a request.
-----END RADIUSD DEBUG-----
The line that I find disturbing is the "error reading Universal Password" line.
I assume that I must edit my config in some way so that FreeRADIUS is not
attempting to read a Universal Password, or somehow tells NLDAP not to send a
Universal Password.
And finally, the text from radius.log when radiusd is started without debug mode:
-----BEGIN RADIUS.LOG-----
Fri Jul 8 09:11:39 2005 : Info: rlm_exec: Wait=yes but no output defined. Did
you mean output=none?
Fri Jul 8 09:11:39 2005 : Info: Ready to process requests.
-----END RADIUS.LOG-----
Thanks in advance.
Josh
2
1
Hi!
I'm receiving a "rlm_eap_peap: Had sent TLV failure, rejecting." on
the end of the debug when trying to auth EAP/PEAP XP-SP2 client.
Looking earlier, on the debug, i'd see:
-----
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
ERROR: Unknown value specified for Auth-Type. Cannot perform
requested action.
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
-----
But... now i don't know if the mschapv2 is the value that is "Unknow"
or what value is unknow for the auth?
Please, help me telling me what i doing wrong?
Thanks in advice for your help.
radiusd.conf:
-----
prefix = /programas/freeradius2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
with_cisco_vsa_hack = no
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
eap
}
authenticate {
eap
}
preacct {
acct_unique
}
accounting {
detail
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
-----
eap.conf:
-----
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/tls/cert-srv.pem
certificate_file = ${raddbdir}/certs/tls/cert-srv.pem
CA_file = ${raddbdir}/certs/tls/CA/cacert.pem
dh_file = ${raddbdir}/certs/tls/dh
random_file = ${raddbdir}/certs/tls/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
}
mschapv2 {
}
}
-----
debug log:
-----
+ LD_LIBRARY_PATH=/usr/local/openssl/lib
+ LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /programas/freeradius2/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /programas/freeradius2/etc/raddb/clients.conf
Config: including file: /programas/freeradius2/etc/raddb/eap.conf
Config: including file: /programas/freeradius2/etc/raddb/sql.conf
main: prefix = "/programas/freeradius2"
main: localstatedir = "/programas/freeradius2/var"
main: logdir = "/programas/freeradius2/var/log/radius"
main: libdir = "/programas/freeradius2/lib"
main: radacctdir = "/programas/freeradius2/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/programas/freeradius2/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/programas/freeradius2/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/programas/freeradius2/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /programas/freeradius2/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file =
"/programas/freeradius2/etc/raddb/certs/tls/cert-srv.pem"
tls: certificate_file =
"/programas/freeradius2/etc/raddb/certs/tls/cert-srv.pem"
tls: CA_file = "/programas/freeradius2/etc/raddb/certs/tls/CA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/programas/freeradius2/etc/raddb/certs/tls/dh"
tls: random_file = "/programas/freeradius2/etc/raddb/certs/tls/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/programas/freeradius2/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/programas/freeradius2/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.20.7:55049, id=141, length=134
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x023200090170657065
Message-Authenticator = 0x3fe87643717488557b8e86a44a4929c6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_eap: EAP packet type response id 50 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 141 to 192.168.20.7:55049
EAP-Message = 0x013300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x15018a8667aa6f2bf399348682539a27
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55048, id=142, length=255
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0x15018a8667aa6f2bf399348682539a27
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0233007019800000006616030100610100005d030142d40537ab2cf5b1ffa5776b3b8f68665e174ed49548c109ad68f86f7a0cd1d120e0cbf6c19dcd9b3581e28dbd6a1c2353a68b22d555b27765d568d1f260b5ac04001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x1b8c51e62702793dfd50c8837d3c4b0f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_eap: EAP packet type response id 51 length 112
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0662], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 142 to 192.168.20.7:55048
EAP-Message =
0x0134040a19c0000006bf160301004a02000046030142d40500bd0530d47bb9f0bf7d0466dff46308e08dc3535d98837308a00fad2920b108b434da5eb62bf266f75260a4fe1061477acffb72dc08e8f4bd96a54f60f800040016030106620b00065e00065b0002c4308202c030820229a003020102020900f12ab1347a5cd9e1300d06092a864886f70d010104050030818c310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e61206465
EAP-Message =
0x20496e666f726d617469636120792054656c65636f6d756e69636163696f6e6573301e170d3035303632323138333932335a170d3036303632323138333932335a30819d310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d617469636120792054656c65636f6d756e69636163696f6e6573310f300d060355040313066f6e65626f7830819f300d06092a864886f70d010101050003818d00308189028181
EAP-Message =
0x00d30db19c37a7284f5f673101f2773ac3924fc774d15b7f55bc563b955b73aff9ac4f61d88aadaab244f47e944cdba13890f54008bd9ef1c553229e671ac5f4ffe6bb9bea797ac67188e37b9db3fb60006b68a8b3d01f73e9600612ae2d6bd4f0ce313e761bbdd177d9344579bd17565cc7b12a944820f52ab29365d22e4a24d30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181000795bf4630d57fde5f57eb8b0d4f0ceab17fd13b31437e09d666c1a5f7e3c6bc095b29442d889460764b7108194e06cc690a8b4e5ce1bc45744d57ffff07a9326ff1ac7e0d066e2cc86f83
EAP-Message =
0x8db90cbfa1ecd56e767573304003569d1693f6cf224e9a651d9d2e78a208ce2aed4ac4f0da6187ca561c946c98d24aa0161d9bf2080003913082038d308202f6a003020102020900f12ab1347a5cd9df300d06092a864886f70d010104050030818c310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d617469636120792054656c65636f6d756e69636163696f6e6573301e170d3035303632323138333631
EAP-Message = 0x395a170d3037303632323138333631395a30818c310b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4f23eb8f5f09f1a8c84ebb931550b4bd
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55050, id=143, length=149
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0x4f23eb8f5f09f1a8c84ebb931550b4bd
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x023400061900
Message-Authenticator = 0x830d6a0c2dcc38bb22d7a1400948e4fe
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_eap: EAP packet type response id 52 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 143 to 192.168.20.7:55050
EAP-Message =
0x013502c51900300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d617469636120792054656c65636f6d756e69636163696f6e657330819f300d06092a864886f70d010101050003818d0030818902818100a4d3a6bb7f0b08a448a8b84fe5236a0ef724951374d6320389f264f2c5007aee8cfc1cfd319e16e1cb910c5cfd07821ac809e1ac9baade2e618b7addf29844732d923ca1103395642bd3f9c230d4aace
EAP-Message =
0xb77b9b2e3f96436860556ece59ee48b29a57b7824847e851a6829cc9dbefe96b24e9fb66d03e368cdcd4e40c7a7b66230203010001a381f43081f1301d0603551d0e0416041433bfd1100827d8643dcde9ca1ce76b25f46446913081c10603551d230481b93081b6801433bfd1100827d8643dcde9ca1ce76b25f4644691a18192a4818f30818c310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d61746963
EAP-Message =
0x6120792054656c65636f6d756e69636163696f6e6573820900f12ab1347a5cd9df300c0603551d13040530030101ff300d06092a864886f70d0101040500038181003e06154dfd6945605d183a420498b80e43472ddc37ba210af99451122c28c0f9c0fe3a8c35e5fbf834e8c9359cab9c8a5178c6e93656d1aa4a90a40114d600bdc2698199b4adb031c83633ac990f05f42244a771769d888393d4c183f71cfdbaad74a467189ae89427f68d1e55ac68320bc63370dac576cfeaa005fc9855ef5e16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb649f7b9cfb7b8ccdb805d8a851a27d4
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55049, id=144, length=335
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0xb649f7b9cfb7b8ccdb805d8a851a27d4
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x023500c01980000000b616030100861000008200804c70cebbcbafc5324563c330bf527a29c11a0483bfbfe450087e2531c08d2b8e713189e5555aeb166d477c9d8358ce9ca819b1afd8c491420cab162935ec1b80c69d3af8474a71b3460afbd52372954f74d977897c13698b53c4cf5209caafaf2fa6d7ba8cd952252e7697c0cdcd7731ee589048bbc1475bae28bc1aae0f0a0a1403010001011603010020096180b7dfa708498a1aeae672b4551b669c5fc6ae79622650efb3a10336b136
Message-Authenticator = 0xf47a9e90b06d8a38556ab39d5d345e7d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
rlm_eap: EAP packet type response id 53 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 144 to 192.168.20.7:55049
EAP-Message =
0x0136003119001403010001011603010020d03bfe69fdf6584b1d6882152fe7eb203fa22ba4852aae206dfc4196ab7659cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6500c067b47a56e3d7eb39eb1f51f75d
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55048, id=145, length=149
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0x6500c067b47a56e3d7eb39eb1f51f75d
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x023600061900
Message-Authenticator = 0xc9b738b4a99d700ff9f05aacd6343fdf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 54 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 145 to 192.168.20.7:55048
EAP-Message =
0x0137002019001703010015139bfe6db0aca01e9c03e24c58b78467857d4be279
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e15c0c8c154169e15a6597e59ff063f
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55048, id=146, length=175
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0x0e15c0c8c154169e15a6597e59ff063f
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0237002019001703010015c074abf8e34854264935655f3a9f33dc72cf409bca
Message-Authenticator = 0x33d50e786188aa6c15d1d581e93976c7
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
rlm_eap: EAP packet type response id 55 length 32
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - pepe
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of pepe
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to pepe
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
rlm_eap: EAP packet type response id 55 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 146 to 192.168.20.7:55048
EAP-Message =
0x013800351900170301002a0d4aa1f3ae3837a8cb3f1823ce849e91f05b2b62a808621970c414f055fd2a41e83218f896985e63e9f2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbc2a6b2ebc6704039852f97fd53633f3
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55050, id=147, length=229
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0xbc2a6b2ebc6704039852f97fd53633f3
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x023800561900170301004b0c6b58d944b8e5207dcc18641ebdd59dfe6c2c5e2cdeeb8c566316839b67d6279030b3480e61e635b0abe6862b2725c463ff23de791f75b5fd563cd0e41f0b9cc88dbb3a7a11c699547f93
Message-Authenticator = 0xf56c53360d6d6b4d44c2d586bb6027d6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
rlm_eap: EAP packet type response id 56 length 86
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to pepe
PEAP: Adding old state with 71 1d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
rlm_eap: EAP packet type response id 56 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
ERROR: Unknown value specified for Auth-Type. Cannot perform
requested action.
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 147 to 192.168.20.7:55050
EAP-Message =
0x013900261900170301001b8f31916149f1767ba59d80746534182ee04d12cd8bc72aa59d0310
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2518cc6fe36775cf22af6b0801873445
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.7:55050, id=148, length=181
User-Name = "pepe"
NAS-IP-Address = 192.168.20.7
Called-Station-Id = "00-0c-41-b1-37-07"
Calling-Station-Id = "00-0b-7d-0f-f7-35"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
State = 0x2518cc6fe36775cf22af6b0801873445
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x023900261900170301001bf5d93fbbc88f93d5d9886ccd2e16d37fc67244f08b25213e49d54b
Message-Authenticator = 0xf510098b504d463f41750e04aae0ed5d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
rlm_eap: EAP packet type response id 57 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 141 with timestamp 42d40500
Cleaning up request 1 ID 142 with timestamp 42d40500
Cleaning up request 2 ID 143 with timestamp 42d40500
Cleaning up request 3 ID 144 with timestamp 42d40500
Cleaning up request 4 ID 145 with timestamp 42d40500
Cleaning up request 5 ID 146 with timestamp 42d40500
Cleaning up request 6 ID 147 with timestamp 42d40500
Sending Access-Reject of id 148 to 192.168.20.7:55050
EAP-Message = 0x04390004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 7 ID 148 with timestamp 42d40500
Nothing to do. Sleeping until we see a request.
-----
2
3
12 Jul '05
Hi all,
I've read many emails regarding "rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication". Some say you need to you need to tell the server what the user's correct password is and use plaint text password. But may I know where to tell the server to user plain text password?Is it in the radiusd.conf or eap.conf?
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for melvin with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
cheers,
melvin
2
1
Hi,
i get the listet log. The freeradius server identify the request as EAP. But
why it startet rlm_eap_tls?
I thought he gots the message, notice its EAP and take the password from
users (file). But it start tls handshake, and fails. (Where i can see how
rlm_eap, rlm_eap_tls is configured?)
Second queston, why no decision occurs, i found no reject or accept!?
Thx for your help
Michael
LOG:
rad_recv: Access-Request packet from host 192.168.1.3:1812, id=39, length=98
NAS-IP-Address = 192.168.1.3
NAS-Port = 50010
NAS-Port-Type = Ethernet
User-Name = "test"
Calling-Station-Id = "00-04-75-DA-4C-C8"
Service-Type = Framed-User
EAP-Message = 0x020100090174657374
Message-Authenticator = 0xe6b2e1c93f52004f14bc268c7894ecfd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry test at line 54
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 39 to 192.168.1.3:1812
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x163120a63f7aadd336b0e76ac31c0c17
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.3:1812, id=40,
length=187
NAS-IP-Address = 192.168.1.3
NAS-Port = 50010
NAS-Port-Type = Ethernet
User-Name = "test"
Calling-Station-Id = "00-04-75-DA-4C-C8"
Service-Type = Framed-User
State = 0x163120a63f7aadd336b0e76ac31c0c17
EAP-Message =
0x0202005019800000004616030100410100003d030142d27e6d475fe32bebed7ae37075c341
be0fadba80a11c04f8c468ea02ff68cf00001600040005000a00090064006200030006001300
1200630100
Message-Authenticator = 0x4b27203775b97e4a9a3d543a7cba95ea
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry test at line 54
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ae], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 40 to 192.168.1.3:1812
EAP-Message =
0x0103040a19c00000060b160301004a02000046030142d28da92d2e3dce36fa41299b41b3fc
eb9337e0419cc9955f8b503ad12741e7200a3d67a894ec4885fa5638a70585a57dd1bbd308a7
e196f4321a4bedc481a1ea00040016030105ae0b0005aa0005a70002723082026e308201d7a0
03020102020900c54a18eee8c82a38300d06092a864886f70d0101040500306d310b30090603
55040613024445311630140603550408130d4e69656465727361636873656e3111300f060355
0407130848616e6e6f766572310c300a060355040a130346484831133011060355040b130a49
6e666f726d6174696b3110300e06035504031307696473526f6f
EAP-Message =
0x74301e170d3035303632343130323030315a170d3036303632343130323030315a306c310b
3009060355040613024445311630140603550408130d4e69656465727361636873656e311130
0f0603550407130848616e6e6f766572310c300a060355040a13034648483113301106035504
0b130a496e666f726d6174696b310f300d0603550403130669647353727630819f300d06092a
864886f70d010101050003818d0030818902818100c41bbdefa0e18b7a86822e40a288bde770
208e2d664594692a0f29d6e17136c8bbcd069ff636f713d199bdf76fbda405cd94f2dfefd2fa
32d4b6cc7b54858519b304e911fbcf2441e1a4ba3b3e43413198
EAP-Message =
0xbd985b957133ad10246bf90575d1dc33d20c06720f4cb6f6fe2e3ab749bac6ca0cc182d144
d38945377be15bb03f510203010001a317301530130603551d25040c300a06082b0601050507
0301300d06092a864886f70d0101040500038181004a500df63d64c6068e07e6114f7b2b317b
998ecf50b5e4493087776e204c59f6e8ea54150c473d694ccf6892a07f497de3c8b19668ba1a
ccc40d9c6a56141de74fe7613e30979eb17f3ffdd52a6ddab7c3858eda356fe7c0fc7de24f61
637c7bfe98d71a5e949609574cdaa3d9cd0453bf09c5c57df30dc7ff1827baf4a1dbeb00032f
3082032b30820294a003020102020900c54a18eee8c82a36300d
EAP-Message =
0x06092a864886f70d0101040500306d310b3009060355040613024445311630140603550408
130d4e69656465727361636873656e3111300f0603550407130848616e6e6f766572310c300a
060355040a130346484831133011060355040b130a496e666f726d6174696b3110300e060355
04031307696473526f6f74301e170d3035303632343130313834395a170d3037303632343130
313834395a306d310b3009060355040613024445311630140603550408130d4e696564657273
61636873656e3111300f0603550407130848616e6e6f766572310c300a060355040a13034648
4831133011060355040b130a496e666f726d6174696b3110300e
EAP-Message = 0x06035504031307696473526f6f7430819f300d06092a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d3082dd717b8f84c8e57ba72651e779
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 39 with timestamp 42d28da9
Cleaning up request 1 ID 40 with timestamp 42d28da9
Nothing to do. Sleeping until we see a request.
--
Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie!
2
5
I am trying to do EAP-PEAP, using FreeRadius 1.0.4. Here are the debug logs,
at the breaking points:
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 8
modcall: group Auth-Type returns reject for request 8
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 8
modcall: group authenticate returns reject for request 8
auth: Failed to validate the user.
Login incorrect: [johnk/<no User-Password attribute>] (from client localhost port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
and again later on...
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [johnk/<no User-Password attribute>] (from client xXxXx1100 port 821 cli 000e.35b5.eb8f)
Here is how my two auth sections look:
radiusd.conf:
authorize {
preprocess
auth_log
mschap
eap
sql }
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
eap }
Here are a few excerpts from
eap.conf:
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = mschapv2
....
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
}
My thoughts are that SQL and MSCHAP should be in the authorization section,
and MSCHAP and EAP should be in authentication. I have tried this, and
it does not work for me. I really have no idea of what I am doing, although
I have read the documentation.
I am storing NTLM passwords in my SQL server.
mysql> select * from radcheck where UserName = "johnk";
+------+----------+---------------+----+-------------------------------------------------------------------+
| id | UserName | Attribute | op | Value |
+------+----------+---------------+----+-------------------------------------------------------------------+
| 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
+------+----------+---------------+----+-------------------------------------------------------------------+
1 row in set (0.00 sec)
(The password above has been assigned a false value)
mysql> select * from usergroup where UserName = "johnk";
+------+----------+------------+
| id | UserName | GroupName |
+------+----------+------------+
| 2502 | johnk | pirate |
+------+----------+------------+
1 row in set (0.01 sec)
mysql> select * from radgroupreply;
+----+------------+---------------------------+----+----------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+------------+---------------------------+----+----------+------+
| 39 | pirate | Tunnel-Medium-Type:0 | = | IEEE-802 | 0 |
| 40 | pirate | Tunnel-Type:0 | = | VLAN | 0 |
| 41 | pirate | Tunnel-Private-Group-ID:0 | = | 111 | 0 |
+----+------------+---------------------------+----+----------+------+
3 rows in set (0.00 sec)
What can be suggested, so that my authentication phase goes as well as my
authorization phase?
--johnk
3
12
Alan as you suggested (thanks) I have commented out LDAP and I am now
attempting to authenticate via ntlm_auth. I've configured and started
Samba and windindd.
I can authenticate via ntlm_auth outside of Freeradius, but not with it.
I KNOW THE PROBLEM IS WITH MY CONFIGURATION AND NOT FREERADIUS!
I'd appreciate help in locating / understanding what I have
misconfigured?
Also, my final goal is to authenticate clients to a Cisco Aironet 1200
via our Windows 2003 Active Directory usernames and passwords is
ntlm_auth the correct method to use?
[root@phllnxsrv01 raddb]# ntlm_auth --username="test ops"
--password=xxxxxx --domain=usmisgnet --request-NT-key
NT_STATUS_OK: Success (0x0)
Below are the ntlm_auth section of radiusd.conf and the radtest string
used and the debug output from the other window.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
radtest "test ops" xxxxxx localhost 0 testing123
radiusd -xxyz -l stdout
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
[NORMAL OUTPUT SUPPRESSED]
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232,
length=60
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Threads: total/active/spare threads = 5/0/5
User-Name = "test ops"
User-Password = "m1sg0ps"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_lowerpair: User-Name now 'test ops'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test ops", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "test ops", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test ops] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232,
length=60
Sending Access-Reject of id 232 to 127.0.0.1:32784
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 232 with timestamp 42d3e0ec
Nothing to do. Sleeping until we see a request.
Ken George
Systems and Network Engineering
Mi Services Group, Inc.
+1 610-230-2500 x129
2
1