Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2012
- 112 participants
- 163 discussions
Hello all,
I'm troubleshooting a new cell modem authentication attempt. Previous
cell modems from the same company work fine, but these new cell modem
are having an issues authenticating via CHAP even though the username
and password are correct and radcheck and ntradping work just fine.
We're thinking it might have to do with the CHAP challenge length that
gets sent by these new modems, or more specifically, the new radio
module in them. From packet captures, the same length gets sent every
time (59), but fails with the
[chap] Password check failed
++[chap] returns reject
every time. Successful attempts from other modems have varying length
up to 50 from what I've seen. Is there a higher level of debug I can
turn on to see what CHAP is failing even though the correct username
and password are being supplied or is there a CHAP setting somewhere
specifies maximum challenge length?
I'm told these modems were successfully tested against a Juniper
RADIUS server. Below is the debug output and my freeradius version.
Any help would be greatly appreciated.
Thanks!
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> mktest
[sql] sql_set_user escaped user --> 'mktest'
rlm_sql (sql): Reserving sql socket id: 9
[sql] expand: SELECT id, UserName, chk_Attribute, password, chk_op
FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active'
ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op
FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY
id
rlm_sql_mysql: query: SELECT id, UserName, chk_Attribute, password,
chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM
modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName
= 'mktest' ORDER BY id
rlm_sql_mysql: query: SELECT id, UserName, rpl_Attribute, IP, rpl_op
FROM modemAuth WHERE UserName = 'mktest' ORDER BY id
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "mktest" with CHAP password
[chap] Using clear text password "1234567" for user mktest authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password):
[mktest/<CHAP-Password>] (from client modemAuth port 60000 cli
xxxxxxxxxxx)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql] expand: %{User-Name} -> mktest
[sql] sql_set_user escaped user --> 'mktest'
[sql] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[sql] ... expanding second conditional
[sql] expand: Chap-Password -> Chap-Password
[sql] expand: INSERT into radpostauth (id, user, pass, reply, date)
values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user,
pass, reply, date) values ('', 'mktest', 'Chap-Password',
'Access-Reject', NOW())
[sql] expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id,
user, pass, reply, date) values ('', 'mktest', 'Chap-Password',
'Access-Reject', NOW())
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply,
date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW())
rlm_sql (sql): Released sql socket id: 8
++[sql] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> mktest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 83 to 166.185.13.111 port 1645
Waking up in 4.9 seconds.
rpm -qi freeradius2
Name : freeradius2 Relocations: (not relocatable)
Version : 2.1.12 Vendor: CentOS
Release : 3.el5 Build Date: Wed 22 Feb
2012 08:08:30 PM UTC
Install Date: Mon 19 Mar 2012 07:05:05 PM UTC Build Host:
builder10.centos.org
Group : System Environment/Daemons Source RPM:
freeradius2-2.1.12-3.el5.src.rpm
Size : 5873621 License: GPLv2+ and LGPLv2+
Signature : DSA/SHA1, Wed 22 Feb 2012 08:22:13 PM UTC, Key ID a8a447dce8562897
URL : http://www.freeradius.org/
Summary : High-performance and highly configurable free RADIUS server
[root@RADIUS ~]# radtest -t chap mktest 1234567 localhost 0 testing123
Sending Access-Request of id 156 to 127.0.0.1 port 1812
User-Name = "mktest"
CHAP-Password = 0x9c87f965b84313794308aa6e7dac569e08
NAS-IP-Address = 192.168.149.201
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=156, length=26
Framed-IP-Address = 10.130.0.35
2
3
Hello,
I would like to default reject users who have a "/" or "\" in their
username. Often users will misconfigure their machines and Windows will send
the host\username, which will never be a valid login here.
Where is the best place to do this? I have tried to put this in the users
file, but I may not have the correct regex:
DEFAULT User-Name =~ /[0-9a-zA-Z\/\\]+/, Auth-Type := Reject
My match cases are:
host\username
host\\username
host/username
host //username
I do not want to sanitize these for the users.
Thanks,
Dave
--
View this message in context: http://freeradius.1045715.n5.nabble.com/users-file-rejex-tp5646378p5646378.…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
3
2
Hi,
after upgrading our server from 2.0.4 to 2.1.10 we see a change in the
auth logic - e.g. when processing proxied requests to a home server and
their replies. We need this feature to append some special attributes to
the accept-packet from the home server before sending it to the NAS.
1) Our config in 2.0.4 (the DEFAULT record is recognized before sending
the packet to the NAS):
proxy.conf:
===========
realm foo {
type = radius
authhost = 1.2.3.4
secret = hidden
nostrip
}
users file:
===========
DEFAULT User-Name =~ "test@foo"
MS-Primary-DNS-Server = "192.168.203.6",
MS-Secondary-DNS-Server = "192.168.203.1",
MS-Primary-NBNS-Server = "192.168.203.6"
sites-enabled/default:
======================
authorize {
...
files
...
}
test:
=====
# radtest test@foo password localhost:1812
# /usr/sbin/freeradiusd -X
...
rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236,
length=74
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "foo" for User-Name = "test@foo"
rlm_realm: Found realm "foo"
rlm_realm: Adding Realm = "foo"
rlm_realm: Proxying request from user test to realm foo
rlm_realm: Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test@foo
users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 228 to 1.2.3.4 port 1812
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
Proxy-State = 0x323336
Proxying request 50 to home server 1.2.3.4 port 1812
Sending Access-Request of id 228 to 1.2.3.4 port 1812
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
Proxy-State = 0x323336
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228,
length=117
Proxy-State = 0x323336
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
+- entering group post-proxy
rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test@foo
users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [test@foo/password] (from client LOCALHOST port 123)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
MS-Primary-DNS-Server = 192.168.203.6
MS-Secondary-DNS-Server = 192.168.203.1
MS-Primary-NBNS-Server = 192.168.203.6
Finished request 50.
2) Our config in 2.1.10 (the DEFAULT record is ignored before sending
the packet to the NAS):
proxy.conf:
===========
realm foo {
type = radius
authhost = 1.2.3.4
secret = hidden
nostrip
}
users file:
===========
DEFAULT User-Name =~ "test@foo"
MS-Primary-DNS-Server = "192.168.203.6",
MS-Secondary-DNS-Server = "192.168.203.1",
MS-Primary-NBNS-Server = "192.168.203.6"
sites-enabled/default:
======================
authorize {
...
files
...
}
test:
=====
# radtest test@foo password localhost:1812
# /usr/sbin/freeradiusd -X
...
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110,
length=74
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "foo" for User-Name = "test@foo"
[suffix] Found realm "foo"
[suffix] Adding Realm = "foo"
[suffix] Proxying request from user test to realm foo
[suffix] Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] expand: %{User-Name} -> test@foo
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 231 to 1.2.3.4 port 1812
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
Proxy-State = 0x313130
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 231 to 1.2.3.4 port 1812
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
Proxy-State = 0x313130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=231,
length=117
Proxy-State = 0x313130
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
# Executing section post-proxy from file
/etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test@foo] (from client LOCALHOST port 123)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 110 to 127.0.0.1 port 49833
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
Finished request 0.
I tried it under 2.1.10 also with "files" in the "post-auth" section but
it did not work - I've got only one more message that tells me a "noop":
...
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[files] returns noop
++[exec] returns noop
...
So my question is how to assign the DEFAULT record to an reply packet
from a proxy in 2.1.10?
Thx,
Gerald
3
4
No I didn't do that, but I just tried and no success so far in getting the
rlm_raw module to install.
I've tried many things at configure: --with-experimental-modules
--with-rlm_raw --enable-rlm_raw --with-additional-modules=rlm_raw
--with-module=rlm_raw
I checked output after configure, make, and make install. The only mention
of rlm_raw is in configure output. It shows: "configuring in
src/modules/rlm_raw
(/home/egeier/Desktop/freeradius-1.1.7/scr/modules/rlm_raw)...."
No mention at all about rlm_raw after make or make install.
I find no errors or warnings about rlm_raw after configure, make, or make
install.
I'm using FR 1.1.7 (not production, just testing something) on Debian
Squeeze 64-bit.
Any other tricks to get modules working? Haven't found any documentation yet
about this and what attributes work with configure.
Thanks, Eric
-----Original Message-----
From: freeradius-users-bounces+me=egeier.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier.com@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, April 15, 2012 5:32 PM
To: FreeRadius users mailing list
Subject: Re: Building with 32-bit Module on 64-bit Machine
On Mon, Apr 16, 2012 at 1:31 AM, Eric Geier <me(a)egeier.com> wrote:
> Im trying to use rlm_raw and I tried to include it when manually
> building on 64-bit Debian but it wasnt in the lib folder after make
> install. I had put the module folder in src/modules and did include
> and enable for it and put with experimental too when I did the
> compile. this worked in the past on a 32-bit Debian...but not sure why its
not now.
Did you edit src/modules/stable to include rlm_raw? That would be the
easiest way to make sure the module is built. Also, look at configure logs.
--
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
2
1
hi,
is it possible to define a separate eap config with each virtual server?
in detail: i want to do 802.1x on some ports with with ONLY tls certs and on other ONLY with user/password and ttls.
but with one global eap.conf there always will be a fallback to the other eap method.
is it possible to do something like this?
thanks,chris
2
1
Hi!
I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:
1. How to set up plain-text accounting.
I saw in the configuration that the log directory is set to /var/log/freeradius/radacct so I created the directory and made writable (777 to be sure) but alas, there are no logs.
2. How to get freeRADIUS to work with a DHCP server.
I'm not asking about the experimental built-in DHCP server, as it seems very limited, but is it possible to somehow log the IP addresses that each user is assigned? We need to know who was using a certain IP address at a certain time.
3. How to connect using Windows.
It's dead simple to connect to the network with linux, mac and smartphones but for Windows it seems impossible to find the right combination of settings. I haven't googled this issue so much, so maybe there's a simple answer. Also, it's a later problem.
Thankful for a response,
Johan
P.S. I have attached the radiusd.conf file at the end. I haven't changed much though.
------------------------------------
Johan Swetzén
johan(a)swetzen.com
radiusd.conf
------------------------------------
-*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
#
# name of the running server. See also the "-n" command-line option.
name = freeradius
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
# chroot: directory where the server does "chroot".
#
# The chroot is done very early in the process of starting the server.
# After the chroot has been performed it switches to the "user" listed
# below (which MUST be specified). If "group" is specified, it switchs
# to that group, too. Any other groups listed for the specified "user"
# in "/etc/group" are also added as part of this process.
#
# The current working directory (chdir / cd) is left *outside* of the
# chroot until all of the modules have been initialized. This allows
# the "raddb" directory to be left outside of the chroot. Once the
# modules have been initialized, it does a "chdir" to ${logdir}. This
# means that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this use of chdir,
# then simply ensure that the "raddb" directory is inside of the chroot,
# end be sure to do "cd raddb" BEFORE starting the server.
#
# If the server is statically linked, then the only files that have
# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
# "cd raddb" as discussed above, then the "raddb" directory has to be
# inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to radius'.
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
# The server will also try to use "initgroups" to read /etc/groups.
# It will join all groups where "user" is a member. This can allow
# for some finer-grained access controls.
#
user = freerad
group = freerad
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
# additionnal ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
# coa listen for CoA-Request and Disconnect-Request
# packets. For examples, see the file
# raddb/sites-available/coa-server
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
#
# See also proxy.conf, and the "src_ipaddr" configuration entry
# in the sample "home_server" section. When you specify the
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below.
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = files
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY user
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do thinks like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = yes
# Log additional text at the end of the "Login OK" messages.
# for these to work, the "auth" and "auth_goopass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# you can put anything you want in them. However, note that
# this expansion can be slow, and can negatively impact server
# performance.
#
# msg_goodpass = ""
# msg_badpass = ""
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
# See also raddb/sites-available/status
#
status_server = yes
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#
#
# As of 2.0.5, most of the module configurations are in a
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# $INCLUDE sql.conf
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# $INCLUDE sql/mysql/counter.conf
#
# IP addresses managed in an SQL table.
#
# $INCLUDE sqlippool.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf
######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
######################################################################
#
# All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# the file:
#
# raddb/sites-available/default
#
# This is the "default" virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
# installation enables this virtual server. You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
# raddb/sites-available/README
#
######################################################################
5
4
Im trying to use rlm_raw and I tried to include it when manually building on 64-bit Debian but it wasnt in the lib folder after make install. I had put the module folder in src/modules and did include and enable for it and put with experimental too when I did the compile. this worked in the past on a 32-bit Debian...but not sure why its not now.
Thanks, Eric
From my Android phone on T-Mobile. The first nationwide 4G network.
-------- Original message --------
Subject: Re: Building with 32-bit Module on 64-bit Machine
From: "Fajar A. Nugraha" <list(a)fajar.net>
To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
CC:
On Sun, Apr 15, 2012 at 11:05 AM, Eric Geier <me(a)egeier.com> wrote:
> I can't find a 64-bit version of the experimental module
FR (from freeradius.org) is distributed as source. There's no "64-bit
version of the experimental module" in the source. You can build it as
either 32 or 64bit.
If you use a binary package, you should ask its maintainer directly.
> I want to include
> when manually building FR, but I want to run on a 64-bit machine. Is this
> possible?
I don't see why not. As long as you also have the necessary 64bit
dependencies (e.g. 64bit ruby is needed to build 64bit FR + rlm_ruby)
> Maybe I could force it to configure and make FR in 32-bit mode?
> But would it then be a pain to install the 32-bit versions of all the FR
> dependencies?
There are lots of experimental module. Which one do you want? You
might be able to find prebuilt binaries already.
For example, if you use Ubuntu/debian, see
http://wiki.1tux.org/wiki/Freeradius/Installation/Ubuntu-Debian
If you use RHEL/Centos/fedora, it should have rlm_wimax included in
official package even if it's officially marked as experimental.
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2
1
http://wiki.freeradius.org/Git
Just added short page on remote server administation using git, maybe someone will find it useful.
-Arran
Arran Cudbard-Bell
a.cudbardb(a)freeradius.org
Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
1
0
This continues questions related to group processing not always
working as expected,
in particluar why group replies are not sent when the users are
members of groups
for which there are replies in radgroupreply.
I should mention that Alan's response to my previous post a couple weeks ago
was simply to run the server in debug and look at the queries...this is what
I've done here (I hope).
The queries printed out when starting the server in debug show the correct
authorize_group_reply_query, but it never gets run during an auth request.
I began with 2.1.8 on CentOS 5.8 - and have now moved to a clean
2.1.12 (stock) on
CentOS 6.0. All are using a MySQL backend built from the schema by
Mike Machado. The only
change to the tables is the addition of two fields to some tables,
'notes' and 'expires';
none of the FreeRADIUS queries have been altered.
Any help with how to get this working?
Thank you
- Andrew Long
Here are the queries for the user's auth request:
[sql] sql_set_user escaped user --> 'memwg150412'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand:
SELECT id, username, attribute, value, op FROM radcheck WHERE username
= '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck WHERE username
= 'memwg150412' ORDER BY id
rlm_sql_mysql: query:
SELECT id, username, attribute, value, op FROM radcheck WHERE username
= 'memwg150412' ORDER BY id
[sql] User found in radcheck table
[sql] expand:
SELECT id, username, attribute, value, op FROM radreply WHERE username
= '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply WHERE username
= 'memwg150412' ORDER BY id
rlm_sql_mysql: query:
SELECT id, username, attribute, value, op FROM radreply WHERE username
= 'memwg150412' ORDER BY id
[sql] expand:
SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username = 'memwg150412'
ORDER BY priority
rlm_sql_mysql: query:
SELECT groupname FROM radusergroup WHERE username = 'memwg150412'
ORDER BY priority
[sql] expand:
SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = '%{Sql-Group}' ORDER BY id ->
SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wolfchase-guest-group' ORDER BY id
rlm_sql_mysql: query:
SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wolfchase-guest-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
and here is the reply sent:
Sending Access-Accept of id 215 to 192.168.245.1 port 58639
Nomadix-Bw-Down := 768
Nomadix-Bw-Up := 256
Finished request 0.
The problem is that these attributes are from radreply based on the
username, and processing
is not continuing to radgroupreply.
When I manually run:
'SELECT groupname FROM radusergroup WHERE username = 'memwg150412'
ORDER BY priority;'
MySQL returns:
"wolfchase-guest-group" and processing should continue to
radgroupreply (where there are
reply attributes), but never does.
In sql.conf, we have "read_groups = yes"
So the question: why are goups not being processed and how can I fix this?
###
Below is a complete debug from this session:
###
FreeRADIUS Version 2.1.12, for host i686-redhat-linux-gnu, built on
Feb 22 2012 at 15:07:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sqlcounter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
...snip...
client 192.168.245.0/24 {
require_message_authenticator = no
secret = "xxx"
shortname = "vmHost"
nastype = "other"
}
...snip...
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = "3306"
login = "radxxxxxx"
password = "radxxxxxx"
radius_db = "radius"
read_groups = yes
sqltrace = yes
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET
framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}'
WHERE acctsessionid = '%{Acct-Session-Id}' AND username
= '%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctsessiontime,
acctauthentic, connectinfo_start, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
servicetype, framedprotocol, framedipaddress,
acctstartdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET
acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay)
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32
| '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress,
callingstationid, framedprotocol
FROM radacct WHERE
username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radiusd@localhost:3306/radius2
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Linked to module rlm_sqlcounter
Module: Instantiating module "noresetcounter" from file
/etc/raddb/sqlcounter.conf
sqlcounter noresetcounter {
counter-name = "Max-All-Session-Time"
check-name = "Max-All-Session"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
reset = "never"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sqlcounter: Reply attribute set to Session-Timeout.
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11273
rlm_sqlcounter: Check attribute Max-All-Session is number 11274
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Next
reset 0 [2012-04-14 11:00:00]
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Prev
reset 0 [2012-04-14 11:00:00]
Module: Instantiating module "dailycounter" from file
/etc/raddb/sqlcounter.conf
sqlcounter dailycounter {
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime >
'%b'"
reset = "daily"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sqlcounter: Reply attribute set to Session-Timeout.
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 11275
rlm_sqlcounter: Check attribute Max-Daily-Session is number 11276
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Next
reset 1334462400 [2012-04-15 00:00:00]
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Prev
reset 1334376000 [2012-04-14 00:00:00]
Module: Instantiating module "monthlycounter" from file
/etc/raddb/sqlcounter.conf
sqlcounter monthlycounter {
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
key = "User-Name"
sqlmod-inst = "sqlcca3"
query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime >
'%b'"
reset = "monthly"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sqlcounter: Reply attribute set to Session-Timeout.
rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 11277
rlm_sqlcounter: Check attribute Max-Monthly-Session is number 11278
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Next
reset 1335844800 [2012-05-01 00:00:00]
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Prev
reset 1333252800 [2012-04-01 00:00:00]
Module: Instantiating module "daypasscounter" from file
/etc/raddb/sqlcounter.conf
sqlcounter daypasscounter {
counter-name = "Day-Term-Code"
check-name = "Check-Login-Day"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT UNIX_TIMESTAMP(now()) -
UNIX_TIMESTAMP(min(AcctStartTime)) FROM radacct WHERE UserName='%{%k}'
LIMIT 1"
reset = "never"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sqlcounter: Reply attribute set to Session-Timeout.
rlm_sqlcounter: Counter attribute Day-Term-Code is number 11279
rlm_sqlcounter: Check attribute Check-Login-Day is number 11280
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Next
reset 0 [2012-04-14 11:00:00]
rlm_sqlcounter: Current Time: 1334416365 [2012-04-14 11:12:45], Prev
reset 0 [2012-04-14 11:00:00]
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 1813
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.245.1 port 58639,
id=215, length=51
User-Password = "wolfchase-guest"
User-Name = "memwg150412"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "memwg150412", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> memwg150412
[sql] sql_set_user escaped user --> 'memwg150412'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'memwg150412' ORDER
BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'memwg150412'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'memwg150412' ORDER
BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'memwg150412'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'memwg150412' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'memwg150412' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'wolfchase-guest-group' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'wolfchase-guest-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[daypasscounter] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "wolfchase-guest"
[pap] Using clear text password "wolfchase-guest"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [memwg150412] (from client vmHost port 0)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> memwg150412
[sql] sql_set_user escaped user --> 'memwg150412'
[sql] expand: %{User-Password} -> wolfchase-guest
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'memwg150412',
'wolfchase-guest', 'Access-Accept',
'2012-04-14 11:12:53')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'memwg150412',
'wolfchase-guest',
'Access-Accept', '2012-04-14 11:12:53')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'memwg150412',
'wolfchase-guest', 'Access-Accept',
'2012-04-14 11:12:53')
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 215 to 192.168.245.1 port 58639
Nomadix-Bw-Down := 768
Nomadix-Bw-Up := 256
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 215 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.245.1 port 65287,
id=120, length=49
User-Name = "ithce0412"
User-Password = "hiit_pass"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ithce0412", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> ithce0412
[sql] sql_set_user escaped user --> 'ithce0412'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'ithce0412' ORDER
BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'ithce0412'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'ithce0412' ORDER
BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'ithce0412'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'ithce0412' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'ithce0412' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'ithce-guest-group' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'ithce-guest-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[daypasscounter] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "hiit_pass"
[pap] Using clear text password "hiit_pass"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [ithce0412] (from client vmHost port 0)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> ithce0412
[sql] sql_set_user escaped user --> 'ithce0412'
[sql] expand: %{User-Password} -> hiit_pass
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'ithce0412',
'hiit_pass', 'Access-Accept',
'2012-04-14 11:14:42')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'ithce0412',
'hiit_pass', 'Access-Accept',
'2012-04-14 11:14:42')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'ithce0412',
'hiit_pass', 'Access-Accept', '2012-04-14
11:14:42')
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 120 to 192.168.245.1 port 65287
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 120 with timestamp +117
Ready to process requests.
1
1
This just replaces some wrong port numbers in comments. This incorrect 689 port has also made it onto the wiki, FWIW.
3
3