Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2008
- 153 participants
- 244 discussions
Hello Users,
I need to test the EAP-SIM and EAP-AKA for some authentication
procedure. As of now I am using "freeradius-server-2.0.5" for this purpose.
I was able to get the EAP-SIM authentication successfully, but I can see
that this version does not support EAP-AKA. Does any one know if freeradius
is coming up with EAP-AKA soon?. Any pointer to other radius servers which
support EAP-AKA would be helpful.
--BR
-Sriharsha
1
0
Hello users,
--
Inti
Dhanyavaadagalondige
-Sriharsha
1
0
I'm in the process of debugging a problem and it seems to me
paircompare() (in src/main/valuepair.c) is returning the wrong result.
But I might be ascribing the wrong semantics to the function. Here is
what I think it's supposed to do, is this correct?
If any check attribute matches (according to it's operator) any
attribute of the same attribute type in the request then return 0 else
return ~0.
Phrased another way it's a short circuit "logical or", e.g. as long as
something matches it succeeds.
If that is the intended semantics then I think there are couple of bugs
in it and I'll provide a patch along with an explanation, otherwise
could you set me straight on what it's behaviour is supposed to be?
Thanks!
--
John Dennis <jdennis(a)redhat.com>
2
1
What is in this entry:
users: Matched entry test100 at line 172
we are using the 'users' file to authenticate the clients and in the file
'users' we are defining the clients.
please find the attached 'users' file which is at "/usr/local/etc/raddb/".
regards,
Venkat
SAI Technology Inc.,
408.727.1560
2008/8/15 <freeradius-users-request(a)lists.freeradius.org>
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. RE: Freeradius in an AD environment on opensuse server
> (Murray, Elizabeth [DNR])
> 2. Re: 2.0.5 on Solaris with openssl 0.9.8h (Andrew Hood)
> 3. Re: Freeradius in an AD environment on opensuse server
> (Maurizio Cimaschi)
> 4. RE: Freeradius in an AD environment on opensuse server
> (Murray, Elizabeth [DNR])
> 5. Re: Crash on x64? (Alex Balashov)
> 6. RE: FreeRadius 2.0.5 AD PEAP (Brooks, Kyle)
> 7. Re: Failing to authenticate using FreeRadius(in OpenBSD) + XP
> as a client+Linksys AP (WRT54v2.2) using peap (Ivan Kalik)
> 8. what are the intended semantics of paircompare()? (John Dennis)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 15 Aug 2008 08:45:24 -0500
> From: "Murray, Elizabeth [DNR]" <Elizabeth.Murray(a)dnr.iowa.gov>
> Subject: RE: Freeradius in an AD environment on opensuse server
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID:
> <
> 19B6CF3C6982234BB7AD5E01E70F5AF8037F0194B9(a)iowadsmex104.iowa.gov.state.ia.us
> >
>
> Content-Type: text/plain; charset="us-ascii"
>
> Sorry. I'm really new at this and I took this as a good suggestion. I was
> just trying to follow the instructions. I will begin again and leave that
> out. I do appreciate having the ability to communicate with everyone on the
> list and will try to be more exact.
>
> Right now I have installed 11.0 opensuse. Radius -X does not load error
> message is
> First error I found says
> "/etc/raddb/certs/bootstrap: line 15: make: command not found"
>
>
>
> -----Original Message-----
> From: freeradius-users-bounces+elizabeth.murray=dnr.iowa.gov@
> lists.freeradius.org [mailto:freeradius-users-bounces+elizabeth.murray<freeradius-users-bounces%2Belizabeth.murray>
> =dnr.iowa.gov(a)lists.freeradius.org] On Behalf Of Maurizio Cimaschi
> Sent: Thursday, August 14, 2008 4:22 PM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius in an AD environment on opensuse server
>
> Murray, Elizabeth [DNR] wrote:
> > OK. Following the suggestions, I installed the application for the
> application to track changes. Not so easy to do. I now give up.
> > I followed the instructions and when I run the test it asks me about the
> .hgrc file. Not to be found anywhere.
>
> Given this error, it seems that you're busy installing Mercurial; but I
> did not sugest you to install any Source Control Management system. At
> least is not related with the installation of freeradius.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 16 Aug 2008 00:03:40 +1000
> From: Andrew Hood <freeradius(a)andyhood.net>
> Subject: Re: 2.0.5 on Solaris with openssl 0.9.8h
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <48A58CBC.40201(a)andyhood.net>
> Content-Type: text/plain; charset=us-ascii
>
> Rafiqul Ahsan wrote:
> > Hi Alan, and All,
> >
> > Well, I believe I have linked Freeradius 2.0.5 with the right openssl
> > (0.9.8h) now by adding below env variables(my build logs also says
> > that linked with -L/usr/local/ssl/lib). However I still see the same
> > error while using sha256 encryption algorithm with RSA 2048 key. I
> > sent this query to openssl maillist, they are sending me back to you
> > (freeradius folks) to verify whether Freeradius supports sha2, sha256
> > etc. (I hoped that below patch would allow, but no luck).
> >
> > CFLAGS=-I/usr/local/ssl/include/openssl
> > CPPFLAGS=-I/usr/local/ssl/include/openssl
> > LDFLAGS=-L/usr/local/ssl/lib
> > export CFLAGS CPPFLAGS LDFLAGS
>
> I forget. Were you using the Sun toolchain or GNU?
>
> You probably need one of:
>
> LDFLAGS='-L/usr/local/ssl/lib -Wl,-rpath -Wl,/usr/local/ssl/lib
>
> or
>
> LDFLAGS='-L/usr/local/ssl/lib -R/usr/local/ssl/lib'
>
> or whatever similar incantation your linker wants to achive the same
> result, forcing it to use the version of openssl in /usr/local/lib
>
>
> --
> REALITY.SYS not found: Universe halted.
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 15 Aug 2008 17:03:23 +0200
> From: Maurizio Cimaschi <mauri(a)unixrulez.org>
> Subject: Re: Freeradius in an AD environment on opensuse server
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <48A59ABB.7080702(a)unixrulez.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Murray, Elizabeth [DNR] wrote:
> > "/etc/raddb/certs/bootstrap: line 15: make: command not found"
>
> you need to install "make" package.
>
> Try here: http://packages.opensuse-community.org/
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 15 Aug 2008 10:27:45 -0500
> From: "Murray, Elizabeth [DNR]" <Elizabeth.Murray(a)dnr.iowa.gov>
> Subject: RE: Freeradius in an AD environment on opensuse server
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID:
> <
> 19B6CF3C6982234BB7AD5E01E70F5AF8037EB28264(a)iowadsmex104.iowa.gov.state.ia.us
> >
>
> Content-Type: text/plain; charset="us-ascii"
>
>
> ________________________________________
> From: freeradius-users-bounces+elizabeth.murray=dnr.iowa.gov@
> lists.freeradius.org [freeradius-users-bounces+elizabeth.murray=
> dnr.iowa.gov(a)lists.freeradius.org] On Behalf Of Maurizio Cimaschi [
> mauri(a)unixrulez.org]
> Sent: Friday, August 15, 2008 10:03 AM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius in an AD environment on opensuse server
>
> Murray, Elizabeth [DNR] wrote:
> > "/etc/raddb/certs/bootstrap: line 15: make: command not found"
>
> you need to install "make" package.
>
> Try here: http://packages.opensuse-community.org/
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 15 Aug 2008 13:00:06 -0400 (EDT)
> From: "Alex Balashov" <abalashov(a)evaristesys.com>
> Subject: Re: Crash on x64?
> To: "FreeRadius users mailing list"
> <freeradius-users(a)lists.freeradius.org>
> Message-ID:
> <4043.97.81.69.51.1218819606.squirrel(a)webmail.corp.evaristesys.com>
> Content-Type: text/plain;charset=iso-8859-1
>
>
> On Fri, August 15, 2008 5:56 am, Phil Mayers wrote:
>
> > Well, it's an invalid "free", obviously, which indicates pointer
> > corruption or something similar. What's odd is that we're running a
> > relatively high-volume server on RHEL5 & Postgres and it's fine.
>
> 2.0.5 (tried both from binary and source0. Postgres 8.3.3.
>
> --
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 15 Aug 2008 13:23:23 -0400
> From: "Brooks, Kyle" <Kyle.Brooks(a)nrc-cnrc.gc.ca>
> Subject: RE: FreeRadius 2.0.5 AD PEAP
> To: "FreeRadius users mailing list"
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <6AF37B759D23CD4FB862A21C1F06CF9732AD3C(a)nrccenexb2.nrc.ca>
> Content-Type: text/plain; charset="us-ascii"
>
> >>>++[mschap] returns ok
> >>>MSCHAP Success
> >>>++[eap] returns handled
> >>
> >>Radius is doing fine. Your switch is having problems with
> EAP-MSCHAPv2.
> >>Debug the switch.
> >>
> >>Ivan Kalik
> >>Kalik Informatika ISP
> >
> >Ok, but we are using this same switch and config for our current
> >deployment of freeradius 1.1.7 with AD and everything is working fine.
> >
> >I will debug the switch but would it be something else?
>
> I've debugged the switch which is currently passing auth traffic with
> FreeRadius 1.1.7 correctly, and it too is passing traffic correctly with
> 2.0.5.
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 15 Aug 2008 21:28:51 +0100
> From: "Ivan Kalik" <tnt(a)kalik.net>
> Subject: Re: Failing to authenticate using FreeRadius(in OpenBSD) + XP
> as a client+Linksys AP (WRT54v2.2) using peap
> To: "FreeRadius users mailing list"
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <FkuK2QF9.1218832131.0955900.tnt(a)kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> What is in this entry:
>
> users: Matched entry test100 at line 172
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 15/8/2008, "Venkata LK Mula" <vlkmula(a)saitechnology.com> pi?e:
>
> >Hi,
> >
> >This is with reference to the above mentioned subject, we
> >are trying to authenticate client in PEAP-MSCHAPv2
> >configuration.
> >
> >For which we are getting the following error:
> >
> >modsingle[authenticate]: calling mschap (rlm_mschap) for
> >request 6
> >rlm_mschap: No Cleartext-Password configured. Cannot create
> >LM-Password.
> >rlm_mschap: No Cleartext-Password configured. Cannot create
> >NT-Password.
> >rlm_mschap: Told to do MS-CHAPv2 for test100 with
> >NT-Password
> >rlm_mschap: FAILED: No NT/LM-Password. Cannot perform
> >authentication.
> >rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> >modsingle[authenticate]: returned from mschap (rlm_mschap)
> >for request 6
> >++[mschap] returns reject
> >rlm_eap: Freeing handler
> >modsingle[authenticate]: returned from eap (rlm_eap) for
> >request 6
> >++[eap] returns reject
> >auth: Failed to validate the user.
> >PEAP: Tunneled authentication was rejected.
> >rlm_eap_peap: FAILURE
> >modsingle[authenticate]: returned from eap (rlm_eap) for
> >request 6
> >++[eap] returns handled
> >
> >
> >rlm_eap_peap: Received EAP-TLV response.
> >rlm_eap_peap: Had sent TLV failure. User was rejected
> >earlier in this session.
> >
> >The version of FreeRadius is 2.0.5.
> >
> >Please help me out to solve the issue.
> >
> >regards,
> >Venkat
> >
> >We are also attaching the total log and the clients.conf,
> >eap.conf and radiusd.conf. and the log file as .rar file.
> >
> >
>
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 15 Aug 2008 16:50:21 -0400
> From: John Dennis <jdennis(a)redhat.com>
> Subject: what are the intended semantics of paircompare()?
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <48A5EC0D.2020101(a)redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I'm in the process of debugging a problem and it seems to me
> paircompare() (in src/main/valuepair.c) is returning the wrong result.
> But I might be ascribing the wrong semantics to the function. Here is
> what I think it's supposed to do, is this correct?
>
> If any check attribute matches (according to it's operator) any
> attribute of the same attribute type in the request then return 0 else
> return ~0.
>
> Phrased another way it's a short circuit "logical or", e.g. as long as
> something matches it succeeds.
>
> If that is the intended semantics then I think there are couple of bugs
> in it and I'll provide a patch along with an explanation, otherwise
> could you set me straight on what it's behaviour is supposed to be?
>
> Thanks!
>
> --
> John Dennis <jdennis(a)redhat.com>
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 40, Issue 68
> ************************************************
>
--
regards,
Venkat
9885480745
'take the things and as and when the way they come ...'
1
0
Failing to authenticate using FreeRadius(in OpenBSD) + XP as a client +Linksys AP (WRT54v2.2) using peap
by Venkata LK Mula 15 Aug '08
by Venkata LK Mula 15 Aug '08
15 Aug '08
Hi,
This is with reference to the above mentioned subject, we
are trying to authenticate client in PEAP-MSCHAPv2
configuration.
For which we are getting the following error:
modsingle[authenticate]: calling mschap (rlm_mschap) for
request 6
rlm_mschap: No Cleartext-Password configured. Cannot create
LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create
NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test100 with
NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform
authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modsingle[authenticate]: returned from mschap (rlm_mschap)
for request 6
++[mschap] returns reject
rlm_eap: Freeing handler
modsingle[authenticate]: returned from eap (rlm_eap) for
request 6
++[eap] returns reject
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modsingle[authenticate]: returned from eap (rlm_eap) for
request 6
++[eap] returns handled
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected
earlier in this session.
The version of FreeRadius is 2.0.5.
Please help me out to solve the issue.
regards,
Venkat
We are also attaching the total log and the clients.conf,
eap.conf and radiusd.conf. and the log file as .rar file.
3
2
Hello, I'm not very familiar with radius, and i have a lot of questions.
For example:
Is it possible to proxy auth and acct request from one freeradius to
another over an encrypted network stream such as SSL or TLS?
2
3
Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=42, length=88 State = 0xfffffffff
by Martin Silvero 14 Aug '08
by Martin Silvero 14 Aug '08
14 Aug '08
hi ! to firts alan my server is 10.30.1.104 no 10.0.6.29 and when i write
this: radiusd -i 10.30.1.104 -p 1812 -x -X :
Thu Aug 14 17:36:15 2008 : Info: FreeRADIUS Version 2.0.5, for host
x86_64-unknown-linux-gnu, built on Jul 24 2008 at 10:54:31
Thu Aug 14 17:36:15 2008 : Info: Copyright (C) 1999-2008 The FreeRADIUS
server project and contributors.
Thu Aug 14 17:36:15 2008 : Info: There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A
Thu Aug 14 17:36:15 2008 : Info: PARTICULAR PURPOSE.
Thu Aug 14 17:36:15 2008 : Info: You may redistribute copies of FreeRADIUS
under the terms of the
Thu Aug 14 17:36:15 2008 : Info: GNU General Public License v2.
Thu Aug 14 17:36:15 2008 : Info: Starting - reading configuration files ...
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/radiusd.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/proxy.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/clients.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/snmp.conf
Thu Aug 14 17:36:15 2008 : Debug: including files in directory
/usr/local/etc/raddb/modules/
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/mac2vlan
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/ldap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/smbpasswd
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/files
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/policy
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/echo
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/passwd
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/expr
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/attr_filter
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/always
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/realm
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/ippool
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/preprocess
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/chap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/unix
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/mschap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/radutmp
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/expiration
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/pam
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/checkval
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/logintime
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/pap
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/etc_group
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail.log
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/acct_unique
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/mac2ip
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/digest
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/attr_rewrite
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/sradutmp
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/krb5
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/exec
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/sql_log
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/modules/counter
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/eap.conf
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/policy.conf
Thu Aug 14 17:36:15 2008 : Debug: including files in directory
/usr/local/etc/raddb/sites-enabled/
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Aug 14 17:36:15 2008 : Debug: including configuration file
/usr/local/etc/raddb/sites-enabled/default
Thu Aug 14 17:36:15 2008 : Debug: including dictionary file
/usr/local/etc/raddb/dictionary
Thu Aug 14 17:36:15 2008 : Debug: main {
Thu Aug 14 17:36:15 2008 : Debug: prefix = "/usr/local"
Thu Aug 14 17:36:15 2008 : Debug: localstatedir = "/usr/local/var"
Thu Aug 14 17:36:15 2008 : Debug: logdir = "/usr/local/var/log/radius"
Thu Aug 14 17:36:15 2008 : Debug: libdir = "/usr/local/lib"
Thu Aug 14 17:36:15 2008 : Debug: radacctdir =
"/usr/local/var/log/radius/radacct"
Thu Aug 14 17:36:15 2008 : Debug: hostname_lookups = no
Thu Aug 14 17:36:15 2008 : Debug: max_request_time = 30
Thu Aug 14 17:36:15 2008 : Debug: cleanup_delay = 5
Thu Aug 14 17:36:15 2008 : Debug: max_requests = 1024
Thu Aug 14 17:36:15 2008 : Debug: allow_core_dumps = no
Thu Aug 14 17:36:15 2008 : Debug: pidfile =
"/usr/local/var/run/radiusd/radiusd.pid"
Thu Aug 14 17:36:15 2008 : Debug: checkrad =
"/usr/local/sbin/checkrad"
Thu Aug 14 17:36:15 2008 : Debug: debug_level = 0
Thu Aug 14 17:36:15 2008 : Debug: proxy_requests = yes
Thu Aug 14 17:36:15 2008 : Debug: log {
Thu Aug 14 17:36:15 2008 : Debug: stripped_names = no
Thu Aug 14 17:36:15 2008 : Debug: auth = no
Thu Aug 14 17:36:15 2008 : Debug: auth_badpass = no
Thu Aug 14 17:36:15 2008 : Debug: auth_goodpass = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: client 127.0.0.1 {
Thu Aug 14 17:36:15 2008 : Debug: ipaddr = localhost IP address [
127.0.0.1]
Thu Aug 14 17:36:15 2008 : Debug: require_message_authenticator = no
Thu Aug 14 17:36:15 2008 : Debug: secret = "testing123"
Thu Aug 14 17:36:15 2008 : Debug: shortname = "AP"
Thu Aug 14 17:36:15 2008 : Debug: nastype = "other"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: radiusd: #### Loading Realms and Home
Servers ####
Thu Aug 14 17:36:15 2008 : Debug: proxy server {
Thu Aug 14 17:36:15 2008 : Debug: retry_delay = 5
Thu Aug 14 17:36:15 2008 : Debug: retry_count = 3
Thu Aug 14 17:36:15 2008 : Debug: default_fallback = no
Thu Aug 14 17:36:15 2008 : Debug: dead_time = 120
Thu Aug 14 17:36:15 2008 : Debug: wake_all_if_all_dead = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: home_server localhost {
Thu Aug 14 17:36:15 2008 : Debug: ipaddr = 127.0.0.1
Thu Aug 14 17:36:15 2008 : Debug: port = 1812
Thu Aug 14 17:36:15 2008 : Debug: type = "auth"
Thu Aug 14 17:36:15 2008 : Debug: secret = "testing123"
Thu Aug 14 17:36:15 2008 : Debug: response_window = 20
Thu Aug 14 17:36:15 2008 : Debug: max_outstanding = 65536
Thu Aug 14 17:36:15 2008 : Debug: zombie_period = 40
Thu Aug 14 17:36:15 2008 : Debug: status_check = "status-server"
Thu Aug 14 17:36:15 2008 : Debug: ping_check = "none"
Thu Aug 14 17:36:15 2008 : Debug: ping_interval = 30
Thu Aug 14 17:36:15 2008 : Debug: check_interval = 30
Thu Aug 14 17:36:15 2008 : Debug: num_answers_to_alive = 3
Thu Aug 14 17:36:15 2008 : Debug: num_pings_to_alive = 3
Thu Aug 14 17:36:15 2008 : Debug: revive_interval = 120
Thu Aug 14 17:36:15 2008 : Debug: status_check_timeout = 4
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: home_server_pool my_auth_failover {
Thu Aug 14 17:36:15 2008 : Debug: type = fail-over
Thu Aug 14 17:36:15 2008 : Debug: home_server = localhost
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: realm example.com {
Thu Aug 14 17:36:15 2008 : Debug: auth_pool = my_auth_failover
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: realm LOCAL {
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: radiusd: #### Instantiating modules ####
Thu Aug 14 17:36:15 2008 : Debug: instantiate {
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_exec, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_exec
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating exec
Thu Aug 14 17:36:15 2008 : Debug: exec {
Thu Aug 14 17:36:15 2008 : Debug: wait = no
Thu Aug 14 17:36:15 2008 : Debug: input_pairs = "request"
Thu Aug 14 17:36:15 2008 : Debug: shell_escape = yes
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_expr, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_expr
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating expr
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_expiration, checking if
it's valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_expiration
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating expiration
Thu Aug 14 17:36:15 2008 : Debug: expiration {
Thu Aug 14 17:36:15 2008 : Debug: reply-message = "Password Has
Expired "
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_logintime, checking if
it's valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_logintime
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating logintime
Thu Aug 14 17:36:15 2008 : Debug: logintime {
Thu Aug 14 17:36:15 2008 : Debug: reply-message = "You are calling
outside your allowed timespan "
Thu Aug 14 17:36:15 2008 : Debug: minimum-timeout = 60
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: radiusd: #### Loading Virtual Servers ####
Thu Aug 14 17:36:15 2008 : Debug: server inner-tunnel {
Thu Aug 14 17:36:15 2008 : Debug: modules {
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking authenticate {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_pap, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_pap
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating pap
Thu Aug 14 17:36:15 2008 : Debug: pap {
Thu Aug 14 17:36:15 2008 : Debug: encryption_scheme = "auto"
Thu Aug 14 17:36:15 2008 : Debug: auto_header = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_chap, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_chap
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating chap
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_mschap, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_mschap
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating mschap
Thu Aug 14 17:36:15 2008 : Debug: mschap {
Thu Aug 14 17:36:15 2008 : Debug: use_mppe = yes
Thu Aug 14 17:36:15 2008 : Debug: require_encryption = no
Thu Aug 14 17:36:15 2008 : Debug: require_strong = no
Thu Aug 14 17:36:15 2008 : Debug: with_ntdomain_hack = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_unix, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_unix
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating unix
Thu Aug 14 17:36:15 2008 : Debug: unix {
Thu Aug 14 17:36:15 2008 : Debug: radwtmp =
"/usr/local/var/log/radius/radwtmp"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_eap, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_eap
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap
Thu Aug 14 17:36:15 2008 : Debug: eap {
Thu Aug 14 17:36:15 2008 : Debug: default_eap_type = "tls"
Thu Aug 14 17:36:15 2008 : Debug: timer_expire = 60
Thu Aug 14 17:36:15 2008 : Debug: ignore_unknown_eap_types = no
Thu Aug 14 17:36:15 2008 : Debug: cisco_accounting_username_bug = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to sub-module rlm_eap_md5
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap-md5
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to sub-module rlm_eap_leap
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap-leap
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to sub-module rlm_eap_tls
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap-tls
Thu Aug 14 17:36:15 2008 : Debug: tls {
Thu Aug 14 17:36:15 2008 : Debug: rsa_key_exchange = no
Thu Aug 14 17:36:15 2008 : Debug: dh_key_exchange = yes
Thu Aug 14 17:36:15 2008 : Debug: rsa_key_length = 512
Thu Aug 14 17:36:15 2008 : Debug: dh_key_length = 512
Thu Aug 14 17:36:15 2008 : Debug: verify_depth = 0
Thu Aug 14 17:36:15 2008 : Debug: pem_file_type = yes
Thu Aug 14 17:36:15 2008 : Debug: private_key_file =
"/usr/local/etc/raddb/certs/server.pem"
Thu Aug 14 17:36:15 2008 : Debug: certificate_file =
"/usr/local/etc/raddb/certs/server.pem"
Thu Aug 14 17:36:15 2008 : Debug: CA_file =
"/usr/local/etc/raddb/certs/ca.pem"
Thu Aug 14 17:36:15 2008 : Debug: private_key_password = "testing123"
Thu Aug 14 17:36:15 2008 : Debug: dh_file =
"/usr/local/etc/raddb/certs/dh"
Thu Aug 14 17:36:15 2008 : Debug: random_file =
"/usr/local/etc/raddb/certs/random"
Thu Aug 14 17:36:15 2008 : Debug: fragment_size = 1024
Thu Aug 14 17:36:15 2008 : Debug: include_length = yes
Thu Aug 14 17:36:15 2008 : Debug: check_crl = no
Thu Aug 14 17:36:15 2008 : Debug: make_cert_command =
"/usr/local/etc/raddb/certs/bootstrap"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to sub-module rlm_eap_ttls
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap-ttls
Thu Aug 14 17:36:15 2008 : Debug: ttls {
Thu Aug 14 17:36:15 2008 : Debug: default_eap_type = "md5"
Thu Aug 14 17:36:15 2008 : Debug: copy_request_to_tunnel = no
Thu Aug 14 17:36:15 2008 : Debug: use_tunneled_reply = no
Thu Aug 14 17:36:15 2008 : Debug: virtual_server = "inner-tunnel"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to sub-module rlm_eap_peap
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap-peap
Thu Aug 14 17:36:15 2008 : Debug: peap {
Thu Aug 14 17:36:15 2008 : Debug: default_eap_type = "mschapv2"
Thu Aug 14 17:36:15 2008 : Debug: copy_request_to_tunnel = no
Thu Aug 14 17:36:15 2008 : Debug: use_tunneled_reply = no
Thu Aug 14 17:36:15 2008 : Debug: proxy_tunneled_request_as_eap = yes
Thu Aug 14 17:36:15 2008 : Debug: virtual_server = "inner-tunnel"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to sub-module
rlm_eap_mschapv2
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating eap-mschapv2
Thu Aug 14 17:36:15 2008 : Debug: mschapv2 {
Thu Aug 14 17:36:15 2008 : Debug: with_ntdomain_hack = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking authorize {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_realm, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_realm
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating suffix
Thu Aug 14 17:36:15 2008 : Debug: realm suffix {
Thu Aug 14 17:36:15 2008 : Debug: format = "suffix"
Thu Aug 14 17:36:15 2008 : Debug: delimiter = "@"
Thu Aug 14 17:36:15 2008 : Debug: ignore_default = no
Thu Aug 14 17:36:15 2008 : Debug: ignore_null = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_files, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_files
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating files
Thu Aug 14 17:36:15 2008 : Debug: files {
Thu Aug 14 17:36:15 2008 : Debug: usersfile =
"/usr/local/etc/raddb/users"
Thu Aug 14 17:36:15 2008 : Debug: acctusersfile =
"/usr/local/etc/raddb/acct_users"
Thu Aug 14 17:36:15 2008 : Debug: preproxy_usersfile =
"/usr/local/etc/raddb/preproxy_users"
Thu Aug 14 17:36:15 2008 : Debug: compat = "no"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking session {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_radutmp, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_radutmp
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating radutmp
Thu Aug 14 17:36:15 2008 : Debug: radutmp {
Thu Aug 14 17:36:15 2008 : Debug: filename =
"/usr/local/var/log/radius/radutmp"
Thu Aug 14 17:36:15 2008 : Debug: username = "%{User-Name}"
Thu Aug 14 17:36:15 2008 : Debug: case_sensitive = yes
Thu Aug 14 17:36:15 2008 : Debug: check_with_nas = yes
Thu Aug 14 17:36:15 2008 : Debug: perm = 384
Thu Aug 14 17:36:15 2008 : Debug: callerid = yes
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking post-proxy {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking post-auth {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_attr_filter, checking if
it's valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_attr_filter
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating
attr_filter.access_reject
Thu Aug 14 17:36:15 2008 : Debug: attr_filter attr_filter.access_reject {
Thu Aug 14 17:36:15 2008 : Debug: attrsfile =
"/usr/local/etc/raddb/attrs.access_reject"
Thu Aug 14 17:36:15 2008 : Debug: key = "%{User-Name}"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: server {
Thu Aug 14 17:36:15 2008 : Debug: modules {
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking authenticate {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking authorize {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_preprocess, checking if
it's valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_preprocess
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating preprocess
Thu Aug 14 17:36:15 2008 : Debug: preprocess {
Thu Aug 14 17:36:15 2008 : Debug: huntgroups =
"/usr/local/etc/raddb/huntgroups"
Thu Aug 14 17:36:15 2008 : Debug: hints = "/usr/local/etc/raddb/hints"
Thu Aug 14 17:36:15 2008 : Debug: with_ascend_hack = no
Thu Aug 14 17:36:15 2008 : Debug: ascend_channels_per_line = 23
Thu Aug 14 17:36:15 2008 : Debug: with_ntdomain_hack = no
Thu Aug 14 17:36:15 2008 : Debug: with_specialix_jetstream_hack = no
Thu Aug 14 17:36:15 2008 : Debug: with_cisco_vsa_hack = no
Thu Aug 14 17:36:15 2008 : Debug: with_alvarion_vsa_hack = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking preacct {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_acct_unique, checking if
it's valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_acct_unique
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating acct_unique
Thu Aug 14 17:36:15 2008 : Debug: acct_unique {
Thu Aug 14 17:36:15 2008 : Debug: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking accounting {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_detail, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug: Module: Linked to module rlm_detail
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating detail
Thu Aug 14 17:36:15 2008 : Debug: detail {
Thu Aug 14 17:36:15 2008 : Debug: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Thu Aug 14 17:36:15 2008 : Debug: header = "%t"
Thu Aug 14 17:36:15 2008 : Debug: detailperm = 384
Thu Aug 14 17:36:15 2008 : Debug: dirperm = 493
Thu Aug 14 17:36:15 2008 : Debug: locking = no
Thu Aug 14 17:36:15 2008 : Debug: log_packet_header = no
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Instantiating
attr_filter.accounting_response
Thu Aug 14 17:36:15 2008 : Debug: attr_filter
attr_filter.accounting_response {
Thu Aug 14 17:36:15 2008 : Debug: attrsfile =
"/usr/local/etc/raddb/attrs.accounting_response"
Thu Aug 14 17:36:15 2008 : Debug: key = "%{User-Name}"
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking session {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking post-proxy {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug: Module: Checking post-auth {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: radiusd: #### Opening IP addresses and
Ports ####
Thu Aug 14 17:36:15 2008 : Debug: Listening on authentication address
10.30.1.104 port 1812
Thu Aug 14 17:36:15 2008 : Debug: Listening on accounting address
10.30.1.104 port 1813
Thu Aug 14 17:36:15 2008 : Debug: Listening on proxy address
10.30.1.104port 1814
Thu Aug 14 17:36:15 2008 : Debug: Ready to process requests.
ok, and when i write : radtest test testing123 10.0.6.29 1812 testing123 i
get:
Sending Access-Request of id 74 to 10.0.6.29 port 1812
User-Name = "test"
User-Password = "testing123"
NAS-IP-Address = 10.30.1.104
NAS-Port = 1812
rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=74,
length=88
State =
0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffb58bf2bf2470c7b33a07ab72ff21378e
Message-Authenticator = 0xbefeb88cc603cce206c6101378ca48b4
and to second alan, no understand very much you say.
sorry my ingles, is not my lenguage native..
thanks for you time!!!
3
2
Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=42, length=88 State = 0xfffffffffffff
by Martin Silvero 14 Aug '08
by Martin Silvero 14 Aug '08
14 Aug '08
hello!!!!!
now i have this..... i hope this time your answerme!!1
Sending Access-Request of id 42 to 10.0.6.29 port 1812
User-Name = "test"
User-Password = "testing123"
NAS-IP-Address = 10.30.1.104
NAS-Port = 1812
rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=42,
length=88
State =
0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffb58bf2bf2470c7b33a07ab72ff21378e
Message-Authenticator = 0x53f17e1045e6a2f65d3a3f48704ea2c9
¿? could you help me
--
--
Silvero Martin
3
2
14 Aug '08
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP
That being said I have taken one of my existing, working with FreeRadius
1.1.5, access points and pointed it at my test radius server.
When I try and connect the agent sends dozens of requests that the debug
log seems very happy with "Login OK: [prieheck] (from client...."
However, that seems to be the extent of it. The login's are approved,
but it doesn't seem like anyone is getting informed.
A radeapclient test:
+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "prieheck"
Message-Authenticator = 0x00
NAS-Port = 0
<+++ EAP decoded packet:
EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
State = 0x5d58d3605d8bd76df879afd5c99b16ef
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4
+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port = 0
EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
State = 0x5d58d3605d8bd76df879afd5c99b16ef
<+++ EAP decoded packet:
EAP-Message = 0x03d30004
Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
User-Name = "prieheck"
EAP-Id = 211
EAP-Code = Success
Total approved auths: 1
Total denied auths: 1
So it looks to me like the eap bit is all going good, but I am at a loss
(especially concerning the denied auth there...).
EAP/PEAP is working just fine so I think it may be my eap.conf file
related to ttls:
#### eap.conf
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/radius.key
certificate_file = ${certdir}/radius.crt
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
md5 {
}
}
This is a bit of the debug output from free radius
<snip>
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
TTLS: Got tunneled reply RADIUS code 2
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
MS-MPPE-Recv-Key =
0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
MS-MPPE-Send-Key =
0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "prieheck"
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223,
length=142
User-Name = "prieheck"
Framed-MTU = 1400
Called-Station-Id = "000f.f7d4.d460"
Calling-Station-Id = "0106.cfa9.d2eb"
Service-Type = Login-User
</snip>
Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me.
I would happily share any of my other config lines, but don't know what
you would want to see and don't want to flood you with too much data....
Pat
2
2
Here are the .conf files.
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.268 2008/03/04 16:53:02 aland Exp $
##
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
# Should likely be ${localstatedir}/lib/radiusd
db_dir = $(raddbdir)
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that
symbol,
# and add the directory containing that library to the end of
'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few
permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these
systems!
#
# On systems with shadow passwords, you might have to set 'group =
shadow'
# for the server to be able to read the shadow password file. If you
can
# authenticate users while in debug mode, but not in daemon mode, it
may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
#user = radiusd
#group = radiusd
user = root
group = root
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it
takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See
your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate
requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See
'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
# additionnal ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * Only ONE proxy listener can be defined.
# * A proxy listener CANNOT be used in a virtual server
section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of
clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of
"per_socket_clients".
#
# clients = per_socket_clients
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility",
below.
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and
forces
# logging to go to stdout.
#
destination = files
#
# The logging messages for the server are appended to the
# tail of this file if ${destination} == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You
probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the
request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = no
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of
attributes"
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to
brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the
request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a
Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
status_server = yes
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn
proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if SNMP support was enabled
# at compile time.
#
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
#
snmp = no
$INCLUDE snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a
reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so
it
# should NOT BE SET TOO LOW. It is intended mainly as a brake
to
# keep a runaway server from taking the system with it as it
spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems
with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in
the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers
never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this
section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and
'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp'
configuration
# below for an example.
#
# PAP module to authenticate users based on their stored
password
#
# Supports multiple encryption/hash schemes. See "man pap"
# for details.
#
# The "auto_header" configuration item can be set to "yes".
# In this case, the module will look inside of the
User-Password
# attribute for the headers {crypt}, {clear}, etc., and will
# automatically create the attribute on the right-hand side,
# with the correct value. It will also automatically handle
# Base-64 encoded data, hex strings, and binary data.
pap {
auto_header = no
}
# CHAP module
#
# To authenticate requests containing a CHAP-Password
attribute.
#
chap {
authtype = CHAP
}
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory
leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the
'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
# Unix /etc/passwd style authentication
#
unix {
# As of 1.1.0, the Unix module no longer reads,
# or caches /etc/passwd, /etc/shadow, or /etc/group.
# If you wish to cache those files, see the passwd
# module, above.
#
#
# The location of the "wtmp" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
#
require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
require_strong = no
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
with_ntdomain_hack = yes
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the
User-Name
# attribute, and do prefix/suffix checks in order to
obtain
# the "best" user name for the request.
#
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=**** --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "cnsad.ads.****.org"
port = 3268
identity = "bckup(a)ads.****.org"
password = "3MFmqw_6f"
#server = "ldap.your.domain"
#identity = "cn=admin,o=My Org,c=UA"
#password = mypass
#basedn = "o=My Org,c=UA"
basedn = "dc=ads,dc=****,dc=org"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
filter = "(&(samaccountName=%{mschap:User-Name}))"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query
(server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we
recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted
connections
# to the LDAP database by using the StartTLS
extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can
be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the
cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't
verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
#
http://www.novell.com/coolsolutions/appnote/16745.html
#
https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_
f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before
returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
#groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectC
lass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x
(EAP).
#
# You can disable this behavior by setting the
following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
}
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the
parameter
# with this name from the request is used to search
for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes
instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated
list
# of attributes.
# hashsize - hashtable size. If 0 or not specified records are
not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd
file,
# for format ':' symbol is always used. '\0', '\n'
are
# not allowed
#
# An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
# Similar configuration, for the /etc/group file. Adds a
Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to
"IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}
# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi
valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute
in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and
authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy,
# proxy_reply or config).
#
# searchfor,ignore_case and max_matches will be ignored in that
case.
#
# Backreferences are supported.
# %{0} will contain the string the whole match
# %{1} to %{8} will contain the contents of the 1st to
# the 8th parentheses
#
# If max_matches is greater than one, the backreferences will
# correspond to the first attributed that matched.
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or
"config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
#
# ## If set to yes then the replace string will be
# ## appended to the original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA
attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is
stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you
don't
# need this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
# The default key attribute to use for matches. The
content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{Stripped-User-Name:-%{User-Name}}"
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customized by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "%t"
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
# }
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
# detailperm = 0600
# }
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
# }
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
# detailperm = 0600
# }
#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-"SELECT" statements.
#
# See rlm_sql_log(5) manpage.
#
# sql_log {
# path = "${radacctdir}/sql-relay"
# acct_table = "radacct"
# postauth_table = "radpostauth"
# sql_user_name = "%{%{User-Name}:-DEFAULT}"
#
# Start = "INSERT INTO ${acct_table} (AcctSessionId,
UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES
\
# ('%{Acct-Session-Id}', '%{User-Name}',
'%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '%S', '0', '0', '');"
# Stop = "INSERT INTO ${acct_table} (AcctSessionId,
UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES
\
# ('%{Acct-Session-Id}', '%{User-Name}',
'%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '%S',
'%{Acct-Session-Time}', \
# '%{Acct-Terminate-Cause}');"
# Alive = "INSERT INTO ${acct_table} (AcctSessionId,
UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES
\
# ('%{Acct-Session-Id}', '%{User-Name}',
'%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '0',
'%{Acct-Session-Time}','');"
#
# Post-Auth = "INSERT INTO ${postauth_table}
\
# (username, pass, reply, authdate) VALUES
\
# ('%{User-Name}', '%{User-Password:-Chap-Password}',
\
# '%{reply:Packet-Type}', '%S');"
# }
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
#$INCLUDE sql.conf
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/sql/postgresql/voip-postpaid.conf
#
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead:
%{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is
given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS
client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type
we add
# the value of the attribute. If it is anything else we
increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset
to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply-name is
# set, we send back that attribute. The reply-name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the
check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second
one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
#$INCLUDE sql/mysql/counter.conf
#$INCLUDE sql/postgresql/counter.conf
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The module also registers a few paircompare functions
expr {
}
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
#
# The Reply-Message which will be sent back in case the
# account has expired. Dynamic substitution is supported
#
reply-message = "Password Has Expired\r\n"
# reply-message = "Your account has expired,
%{User-Name}\r\n"
}
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has bene permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
#
# The Reply-Message which will be sent back in case
# the account is calling outside of the allowed
# timespan. Dynamic substitution is supported.
#
reply-message = "You are calling outside your allowed
timespan\r\n"
# reply-message = "Outside allowed timespan
(%{control:Login-Time}), %{User-Name}\r\n"
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the logon. Some NASes do not handle values
# lower than 60 seconds well.
minimum-timeout = 60
}
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
wait = yes
input_pairs = request
shell_escape = yes
output = none
}
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the
request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are
ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the
configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy
request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser =>
USER_NAME="BobUser"
shell_escape = yes
}
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name :=
"students"
# DEFAULT Group == teachers, Pool-Name :=
"teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST
*********
# ********* THEN ERASE THE DB FILES
*********
#
ippool main_pool {
# range-start,range-stop:
# The start and end ip addresses for this pool.
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask:
# The network mask used for this pool.
netmask = 255.255.255.0
# cache-size:
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache-size = 800
# session-db:
# The main db file used to allocate addresses.
session-db = ${db_dir}/db.ippool
# ip-index:
# Helper db index file used in multilink
ip-index = ${db_dir}/db.ipindex
# override:
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# with a Framed-IP-Address assigned here.
override = no
# maximum-timeout:
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum-timeout = 0
# key:
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
#key = "%{NAS-IP-Address} %{NAS-Port}"
}
# $INCLUDE sqlippool.conf
# OTP token support. Not included by default.
# $INCLUDE otp.conf
#
# Kerberos. See doc/rlm_krb5 for minimal docs.
#
# krb5 {
# keytab = /path/to/keytab
# service_principal = name_of_principle
# }
#
# Module implementing a DIFFERENT policy language.
# The syntax here is NOT "unlang", but something else.
#
# See the "policy.txt" file for documentation and examples.
#
policy {
# The only configuration item is a filename containing
# the policies to execute.
#
# When "policy" is listed in a section (e.g.
"authorize"),
# it will run a policy named for that section.
#
filename = ${confdir}/policy.txt
}
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf
######################################################################
#
# As of 2.0.0, the "authorize", "authenticate", etc. sections
# are in separate configuration files, per virtual host.
#
######################################################################
######################################################################
#
# Include all enabled virtual hosts.
#
# The following directory is searched for files that match
# the regex:
#
# /[a-zA-Z0-9_.]+/
#
# The files are then included here, just as if they were cut
# and pasted into this file.
#
# See "sites-enabled/default" for some additional documentation.
#
$INCLUDE sites-enabled/
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: eap.conf,v 1.24 2008/02/26 09:32:29 aland Exp $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a
time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
#default_eap_type = md5
default_eap_type = peap
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When
given
# a User-Name attribute in an Access-Accept, it copies
one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
#md5 {
#}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments.
See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's
authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
#leap {
#}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in
plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a
normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
#
http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
#
# These is used to simplify later
configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = cnsradius
#private_key_file = ${certdir}/ns1.pem
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
#certificate_file =
${certdir}/cnsradius02.ads.****.org.pem
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for
authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you
do
# not use client certificates, and you do not
want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#CA_file = ${cadir}/****CA.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same
directory.
# 2) Execute 'c_rehash <CA certs&CRLs
Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path =
/path/to/directory/with/ca_certs/and/crls/
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# check_cert_issuer =
"/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# This configuration entry should be deleted
# once the server is running in a normal
# configuration. It is here ONLY to make
# initial deployments easier.
#
# make_cert_command = "${certdir}/bootstrap"
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
#default_eap_type = md5
default_eap_type = gtc
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = yes
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
#use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
#copy_request_to_tunnel = no
#use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
#proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of
MS-CHAPv2
# in EAP. There is another (incompatible)
implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does
not
# currently support.
#
mschapv2 {
}
}
2
2