Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
February 2015
- 97 participants
- 119 discussions
Re: FreeRadius - Warning in windows when try connect to a Wi-Fi network (PEAP/MSCHAPv2)
by Rui Ribeiro 13 Feb '15
by Rui Ribeiro 13 Feb '15
13 Feb '15
Hello Helder,
This is a known issue about the Terena certificates being tied to an
intermediate CA. I would like also to talk with you about other issues,
since I am helping people in the PT EDUROAM federation. Please have a look
at your linkedin messages for my personal mobile.
Regards
> Message: 3
> Date: Fri, 13 Feb 2015 09:00:19 +0000
> From: Helder Santos <hsantos(a)ipbrick.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: FreeRadius - Warning in windows when try connect to a Wi-Fi
> network (PEAP/MSCHAPv2)
> Message-ID: <54DDBD23.8000708(a)ipbrick.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>
> Hi,
>
> I setup the FreeRadius EAP module and an AP to authenticate with
> PEAP/MSCHAPv2. However when I connect with any laptop (Windows 7),
> appears the following warning:
>
> "Details Radius Server: xpto Root CA: AddTrust External CA Root The
> server xpto presented a valid certifiate issued by "AddTrust External CA
> Root", but "AddTrus External CA Root" is not configured as a valid trus
> anchor for this profile."
>
> I attached a image with this warning.
> If I ignore the warning, I can connect to the Wi-Fi network, however I
> want understand why this happen and I want that the warning not appear
> any more in other laptops.
>
> I have done several searches but could not solve this problem.
>
> Server details:
> - The server certificate is signed by COMODO
> - OS: Debian Wheezy
> - FreeRadius v2.1.12
>
> I attached the eap.conf and the windows 7 warning.
>
> Can anyone help me solve this problem?
>
> Regards,
> Helder
>
> --
Rui Ribeiro
Senior Sysadm
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
1
0
FreeRadius - Warning in windows when try connect to a Wi-Fi network (PEAP/MSCHAPv2)
by Helder Santos 13 Feb '15
by Helder Santos 13 Feb '15
13 Feb '15
Hi,
I setup the FreeRadius EAP module and an AP to authenticate with
PEAP/MSCHAPv2. However when I connect with any laptop (Windows 7),
appears the following warning:
"Details Radius Server: xpto Root CA: AddTrust External CA Root The
server xpto presented a valid certifiate issued by "AddTrust External CA
Root", but "AddTrus External CA Root" is not configured as a valid trus
anchor for this profile."
I attached a image with this warning.
If I ignore the warning, I can connect to the Wi-Fi network, however I
want understand why this happen and I want that the warning not appear
any more in other laptops.
I have done several searches but could not solve this problem.
Server details:
- The server certificate is signed by COMODO
- OS: Debian Wheezy
- FreeRadius v2.1.12
I attached the eap.conf and the windows 7 warning.
Can anyone help me solve this problem?
Regards,
Helder
2
1
Hello to all,
First of all,before sending this message, I have read the previous
ones about the same problem. As far as I can understand, we have to
have our NAS to send accounting packets. Also, we need to uncomment
sradutmp and radutmp in radiusd.conf to start processing of accouting
packets. Additionally, we need freeradius -X command for
troubleshooting. To sum up, these are the basic rules that I have got.
To mention my work detailly, on GNS3, I have one c7200 cisco router as
NAS(for administration access to router only, not to provide an
internet connection) and a freeradius server on ubuntu server 14.04. I
configured my NAS to send accounting update per one minute. In
/var/log/freeradius/radacct/(ip of the nas)/detail-(date), I can read
a txt file where some accounting infos are written but when I issue
"radwho" command, I can not see anything but the titles for
non-written accounting details. I also issued freeradius -X command
and got "ready to process request", my server can properly process
authentication requests also.
However, I'm not completely unsuccessful to get any output from
radwho. I had done some configurations on freeradius and managed to
get proper outputs with radwho on the same topology and system.
Unfortunately, my server got disfunctioned when I had tried to
configure it for active directory authentication. I could only
recovered it by re-installing then I lost and forgot what I did to use
radwho.
I can't remember what I did to get radwho output before I lost whole
configuration and what I can't notice now.
Regards.
Mert Uzun
Istanbul Technical University
Electrical Engineering 2nd Degree Undergraduate
--
Mert Uzun
Elektrik Mühendisliği Bölümü-2. Sınıf Öğrencisi
2
1
12 Feb '15
Hello there,
I set up CentOS 7 server with package freeradius-3.0.1-6.el7.x86_64 as
an upgrade for working setup on ancient computer with CentOS 4
(freeradius-1.1.3). I'm using eduroam-like authentication with SQL
backend (Cisco WLC, 802.1X with PEAP and MSCHAPv2). There is no
forwarding realms etc, just only one radius server running with minimal
changes in the default configuration files.
User from file is defined by:
testuser Cleartext-Password := "pass"
...and works ok:
radtest testuser pass 127.0.0.1:1812 0 testing123
User in SQL works only when SQL database has loginname without realm.
radtest -t mschap user(a)domain.com pass 127.0.0.1:1812 0 testing123
(no groups defined, just one line in radcheck table like file above has)
But when the request is coming from my Cisco WLC, the raduis daemon is
loosing username during handshake. I saw some posts about bugs in this
older freeradius and I tried to ask at
https://bugzilla.redhat.com/show_bug.cgi?id=1120234 with a half of luck
- updated freeradius will be included in the coming RHEL 7.1 update, but
package is not yet available (and the day of 7.1 release is unknown).
My question is if there is a workaround for this. Log is attached below.
Thank you a lot. Milan
My changes to default configuration:
======================
--- /etc/raddb/mods-available/sql.orig 2014-06-10 03:00:57.000000000
+0200
+++ /etc/raddb/mods-available/sql 2015-02-11 21:31:23.560744418 +0100
@@ -55,21 +55,21 @@
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
- driver = "rlm_sql_null"
+ driver = "rlm_sql_postgresql"
# The dialect of SQL you want to use, this should usually match
# the driver you selected above.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
- dialect = "mysql"
+ dialect = "postgresql"
# Connection info:
#
-# server = "localhost"
+ server = ""
# port = 3306
-# login = "radius"
-# password = "radpass"
+ login = "radius"
+ password = "secretpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
--- /etc/raddb/mods-available/eap.orig 2014-06-10 03:00:57.000000000
+0200
+++ /etc/raddb/mods-available/eap 2015-02-12 12:19:16.857216797 +0100
@@ -173,8 +173,8 @@
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls-config tls-common {
- private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ #private_key_password = whatever
+ private_key_file = ${certdir}/www.pslib.cz-private-2014-12-13.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
@@ -186,7 +186,7 @@
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
- certificate_file = ${certdir}/server.pem
+ certificate_file =
${certdir}/www.pslib.cz-1418430573-2014-12-13.pem
# Trusted Root CA list
#
@@ -203,7 +203,7 @@
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- ca_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/tcs-ca-bundle-2014-12-13.pem
#
# If OpenSSL supports TLS-PSK, then we can use
--- /etc/raddb/mods-config/files/authorize.orig 2014-06-10
03:01:08.000000000 +0200
+++ /etc/raddb/mods-config/files/authorize 2015-02-11
22:05:36.245744594 +0100
@@ -1,3 +1,5 @@
+testuser Cleartext-Password := "pass"
+
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
--- /etc/raddb/sites-available/default.orig 2014-06-10
03:00:56.000000000 +0200
+++ /etc/raddb/sites-available/default 2015-02-12 12:15:13.644588916
+0100
@@ -345,7 +345,7 @@
#
# The ldap module reads passwords from the LDAP database.
- -ldap
+# -ldap
#
# Enforce daily limits on time spent logged in.
--- /etc/raddb/sites-available/inner-tunnel.orig 2014-06-10
03:00:56.000000000 +0200
+++ /etc/raddb/sites-available/inner-tunnel 2015-02-12
18:28:43.809046956 +0100
@@ -139,7 +146,7 @@
#
# The ldap module reads passwords from the LDAP database.
- -ldap
+# -ldap
#
# Enforce daily limits on time spent logged in.
--- /etc/raddb/clients.conf.orig 2014-06-10 03:00:57.000000000 +0200
+++ /etc/raddb/clients.conf 2015-02-12 10:34:54.436828421 +0100
@@ -278,3 +278,17 @@
# secret = testing123
# }
#}
+
+client podsit_ap {
+ secret = testing123
+ shortname = SkolniWiFi
+ ipaddr = 10.199.0.0
+ netmask = 24
+}
--- /etc/raddb/proxy.conf.orig 2014-06-10 03:00:57.000000000 +0200
+++ /etc/raddb/proxy.conf 2015-02-12 12:18:21.168988853 +0100
@@ -629,7 +629,7 @@
#DEFAULT Proxy-To-Realm := "realm_name"
#
#
-realm example.com {
+realm domain.com {
#
# Realms point to pools of home servers.
#
@@ -714,11 +714,11 @@
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
#
-#realm NULL {
+realm NULL {
# authhost = radius.company.com:1600
# accthost = radius.company.com:1601
# secret = testing123
-#}
+}
#
# This realm is for ALL OTHER requests.
Output of radiusd -X
===============
radiusd: FreeRADIUS Version 3.0.1, for host x86_64-redhat-linux-gnu,
built on Jun 10 2014 at 01:00:46
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/sql
including configuration file
/etc/raddb/mods-config/sql/main/postgresql/queries.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 76800
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm domain.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client podsit_ap {
ipaddr = 10.199.0.0
netmask = 24
require_message_authenticator = no
secret = "WiFiKlinetiSPSSE"
shortname = "SkolniWiFi"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client notebook {
ipaddr = 10.0.0.0
netmask = 8
require_message_authenticator = no
secret = "TestTovaci"
shortname = "SkolniWiFi"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file =
"/etc/raddb/certs/www.domain.com-private-2014-12-13.pem"
certificate_file =
"/etc/raddb/certs/www.domain.com-1418430573-2014-12-13.pem"
ca_file = "/etc/raddb/certs/tcs-ca-bundle-2014-12-13.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_exec
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_linelog
# Instantiating module "linelog" from file
/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
auto_header = no
normalise = yes
}
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file
/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_sql
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_postgresql"
server = ""
port = ""
login = "radius"
password = "secretpass"
radius_db = "radius"
read_groups = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server FROM nas"
authorize_check_query = "SELECT id, UserName, Attribute, Value,
Op FROM radcheck WHERE Username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value,
Op FROM radreply WHERE Username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, GroupName, Attribute,
Value, op FROM radgroupcheck WHERE GroupName =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute,
Value, op FROM radgroupreply WHERE GroupName =
'%{Sql-Group}' ORDER BY id"
group_membership_query = "SELECT GroupName FROM radusergroup
WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
simul_count_query = ""
simul_verify_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
}
post-auth {
reference = ".query"
}
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql)
loaded and linked
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_delay = 5
idle_timeout = 60
spread = no
}
rlm_sql (sql): Opening additional connection (0)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13733
rlm_sql (sql): Opening additional connection (1)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13734
rlm_sql (sql): Opening additional connection (2)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13735
rlm_sql (sql): Opening additional connection (3)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13736
rlm_sql (sql): Opening additional connection (4)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13737
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module filter_username
# Loading preacct {...}
# Loading virtual module acct_unique
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Loading virtual module remove_reply_message_if_eap
# Loading virtual module remove_reply_message_if_eap
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77,
length=272
User-Name = 'testuser(a)domain.com'
Calling-Station-Id = 'e0-63-e5-08-8e-ba'
Called-Station-Id = '00-19-a9-cd-01-80:RADIUS'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=0ac7000b0001bea554dcca79'
NAS-IP-Address = 10.199.0.11
NAS-Identifier = 'wlc.domain.com'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '5'
EAP-Message =
0x0201002301766f6a746563682e6b727973746f662e726f6a656b4070736c69622e637a
Message-Authenticator = 0x81e3207284393aa152b52eadb937667d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'testuser(a)domain.com'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /(a)\\./)
(0) ? if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Looking up realm "domain.com" for User-Name =
"testuser(a)domain.com"
(0) suffix : Found realm "domain.com"
(0) suffix : Adding Stripped-User-Name = "testuser"
(0) suffix : Adding Realm = "domain.com"
(0) suffix : Proxying request from user testuser to realm domain.com
(0) suffix : Preparing to proxy authentication request to realm
"domain.com"
(0) [suffix] = updated
(0) eap : Request is supposed to be proxied to Realm domain.com. Not
doing EAP.
(0) [eap] = noop
(0) [files] = noop
(0) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
-> 'testuser'
(0) sql : SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (4)
(0) sql : expand: "SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" ->
'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE
Username = 'testuser' ORDER BY id'
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute, Value,
Op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
(0) sql : User found in radcheck table
(0) sql : Check items matched
(0) sql : expand: "SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" ->
'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE
Username = 'testuser' ORDER BY id'
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute, Value,
Op FROM radreply WHERE Username = 'testuser' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(0) sql : expand: "SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority" -> 'SELECT GroupName FROM
radusergroup WHERE UserName='testuser' ORDER BY priority'
rlm_sql (sql): Executing query: 'SELECT GroupName FROM radusergroup
WHERE UserName='testuser' ORDER BY priority'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (0): Too many free connections (5 > 3)
rlm_sql_postgresql: Socket destructor called, closing socket
(0) [-sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) WARNING: Empty pre-proxy section. Using default return values.
(0) Proxying request to home server 127.0.0.1 port 1812
Sending Access-Request of id 42 from 0.0.0.0 port 1814 to 127.0.0.1 port
1812
User-Name = 'testuser'
Calling-Station-Id = 'e0-63-e5-08-8e-ba'
Called-Station-Id = '00-19-a9-cd-01-80:RADIUS'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=0ac7000b0001bea554dcca79'
NAS-IP-Address = 10.199.0.11
NAS-Identifier = 'wlc.domain.com'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '5'
EAP-Message =
0x0201002301766f6a746563682e6b727973746f662e726f6a656b4070736c69622e637a
Message-Authenticator = 0x81e3207284393aa152b52eadb937667d
Proxy-State = 0x3737
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=42,
length=267
User-Name = 'testuser'
Calling-Station-Id = 'e0-63-e5-08-8e-ba'
Called-Station-Id = '00-19-a9-cd-01-80:RADIUS'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=0ac7000b0001bea554dcca79'
NAS-IP-Address = 10.199.0.11
NAS-Identifier = 'wlc.domain.com'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '5'
EAP-Message =
0x0201002301766f6a746563682e6b727973746f662e726f6a656b4070736c69622e637a
Message-Authenticator = 0xd9851db90200815680297d2f3fbce603
Proxy-State = 0x3737
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) ? if (User-Name != "%{tolower:%{User-Name}}")
(1) expand: "%{tolower:%{User-Name}}" -> 'testuser'
(1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) ? if (User-Name =~ / /)
(1) ? if (User-Name =~ / /) -> FALSE
(1) ? if (User-Name =~ /@.*@/ )
(1) ? if (User-Name =~ /@.*@/ ) -> FALSE
(1) ? if (User-Name =~ /\\.\\./ )
(1) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(1) ? if (User-Name =~ /\\.$/)
(1) ? if (User-Name =~ /\\.$/) -> FALSE
(1) ? if (User-Name =~ /(a)\\./)
(1) ? if (User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "testuser"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
(1) eap : EAP packet type response id 1 length 35
(1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Identity does not match User-Name, setting from EAP Identity.
(1) eap : Failed in handler
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user.
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) sql : expand: ".query" -> '.query'
(1) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
-> 'testuser'
(1) sql : SQL-User-Name set to 'testuser'
(1) sql : expand: "INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())" -> 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released connection (4)
(1) [-sql] = ok
(1) attr_filter.access_reject : expand: "%{User-Name}" -> 'testuser'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap : Identity does not match User-Name, setting from EAP Identity.
(1) eap : Failed to get handler, probably already removed, not inserting
EAP-Failure
(1) [eap] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) ? if (reply:EAP-Message && reply:Reply-Message)
(1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Finished request 1.
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 20 seconds from now
Waking up in 0.1 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 42 from 127.0.0.1 port 1812 to 127.0.0.1
port 1814
Proxy-State = 0x3737
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=42,
length=24
Proxy-State = 0x3737
(0) # Executing section post-proxy from file
/etc/raddb/sites-enabled/default
(0) post-proxy {
(0) eap : No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql : expand: ".query" -> '.query'
(0) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
-> 'testuser'
(0) sql : SQL-User-Name set to 'testuser'
(0) sql : expand: "INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())" -> 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser(a)domain.com', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser(a)domain.com', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (1): Too many free connections (4 > 3)
rlm_sql_postgresql: Socket destructor called, closing socket
(0) [-sql] = ok
(0) attr_filter.access_reject : expand: "%{User-Name}" ->
'testuser(a)domain.com'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request was previously rejected, inserting EAP-Failure
(0) [eap] = updated
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) ? if (reply:EAP-Message && reply:Reply-Message)
(0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77,
length=272
(0) Discarding duplicate request from client SkolniWiFi port 32768 - ID:
77 due to delayed reject
(0) Sending delayed reject
Sending Access-Reject of id 77 from 10.200.0.3 port 1812 to 10.199.0.11
port 32768
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 42 with timestamp +5
Waking up in 1.0 seconds.
(0) Cleaning up request packet ID 77 with timestamp +5
Ready to process requests.
--
Milan Keršláger
http://www.pslib.cz/ke/
http://www.nti.tul.cz/wiki/Milan.Kerslager
3
3
Hi there,
Just starting use freeradius, on the freebsd - pfsense ( captiveportal ) -
mysql
On mysql radcheck table:
Expiration := 12 Feb 2015 19:39:00
Session-Timeout := 90
Max-Daily-Session := 60 , About time limitation its ok ,
But, when i try use attribute for quota ( by Acct-Input-Octets ), its
nothing happend.
I think this depend with description: (Accounting-Request
<http://freeradius.org/rfc/rfc2866.html#Accounting-Request> ) - ( Radius
dont getting bandwith usage )
5.3. Acct-Input-Octets
Description
This attribute indicates how many octets have been received from
the port over the course of this service being provided, and can
only be present in Accounting-Request
<http://freeradius.org/rfc/rfc2866.html#Accounting-Request> records where
the Acct-
Status-Type is set to Stop.
Regards.
Murat.
2
1
Hi. I know this is a trivial and old question, but I've checked back and forth and cannot figure out what I am doing wrong.
This is the user in SQL:
Radcheck
id username attribute op value
14123 MAXSPDGROUP MD5-Password := 485b93396235830f29f049c462a97a60
Radusergroup
id username groupname priority
182424 MAXSPDGROUP noaccess 99
182423 MAXSPDGROUP c_yop1 30
Radgroupcheck
id groupname attribute op value
22 c_yop1 NAS-Identifier =~ yop101|yop102|int04
3 noaccess Auth-Type = Reject
Radgroupreply
id groupname attribute op value
45 c_yop1 Idle-Timeout = 300
46 c_yop1 Acct-Interim-Interval = 240
73 c_yop1 WISPr-Bandwidth-Max-Up = 20
When I make a request:
echo "User-Name=MAXSPDGROUP,password=MAXSPDGROUP,NAS-Identifier=yop101,NAS-IP-Address=10.12.22.159" | /usr/bin/radclient localhost:1812 auth radsecret
The reply doesn't contain the Radgroupreply attributes: Received response ID 248, code 2, length = 20.
According to the docs [1]: "The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'"
The user IS found in radcheck, password match, read_groups is yes, so why those replies are not sent back to the request, since the NAS-Identifier regexp matches?
Reading on the docs: "For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply table and applied."
So even if the "noaccess" group don't match, the c_yop1 does and it should return the corresponding group reply items.
I know there must be something wrong but I cannot figure out. Any hint is welcome.
Thanks
Following here request's debug:
freeradius: FreeRADIUS Version 2.2.6, for host x86_64-pc-linux-gnu, built on Feb 12 2015 at 12:10:02
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/sql/mysql/ippool-dhcp.conf
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/raw
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/control-socket
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/status
including configuration file /etc/freeradius/sites-enabled/inav-dynclients
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
authhost = LOCAL
accthost = LOCAL
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "radsecret"
shortname = "localhost"
nastype = "other"
}
client dymamic {
ipaddr = 0.0.0.0
netmask = 0
require_message_authenticator = no
dynamic_clients = "dynamic_client_server"
lifetime = 12600
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Linked to module rlm_raw
Module: Instantiating module "raw" from file /etc/freeradius/modules/raw
}
radiusd: #### Loading Virtual Servers ####
server { # from file
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
allow_retry = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radius"
password = "HFFU7Ms9d4"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/freeradius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 25
lifetime = 0
max_queries = 0
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' OR groupname = '%{HuntGroup-Name}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' OR groupname = '%{HuntGroup-Name}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = 'NAS-Reboot', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND calledstationid = '%{Called-Station-Id}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): starting 8
rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
rlm_sql_mysql: Starting connect to MySQL server for #8
rlm_sql (sql): Connected new DB handle, #8
rlm_sql (sql): starting 9
rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
rlm_sql_mysql: Starting connect to MySQL server for #9
rlm_sql (sql): Connected new DB handle, #9
rlm_sql (sql): starting 10
rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
rlm_sql_mysql: Starting connect to MySQL server for #10
rlm_sql (sql): Connected new DB handle, #10
rlm_sql (sql): starting 11
rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
rlm_sql_mysql: Starting connect to MySQL server for #11
rlm_sql (sql): Connected new DB handle, #11
rlm_sql (sql): starting 12
rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
rlm_sql_mysql: Starting connect to MySQL server for #12
rlm_sql (sql): Connected new DB handle, #12
rlm_sql (sql): starting 13
rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
rlm_sql_mysql: Starting connect to MySQL server for #13
rlm_sql (sql): Connected new DB handle, #13
rlm_sql (sql): starting 14
rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
rlm_sql_mysql: Starting connect to MySQL server for #14
rlm_sql (sql): Connected new DB handle, #14
rlm_sql (sql): starting 15
rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
rlm_sql_mysql: Starting connect to MySQL server for #15
rlm_sql (sql): Connected new DB handle, #15
rlm_sql (sql): starting 16
rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
rlm_sql_mysql: Starting connect to MySQL server for #16
rlm_sql (sql): Connected new DB handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
rlm_sql (sql): starting 20
rlm_sql (sql): Attempting to connect rlm_sql_mysql #20
rlm_sql_mysql: Starting connect to MySQL server for #20
rlm_sql (sql): Connected new DB handle, #20
rlm_sql (sql): starting 21
rlm_sql (sql): Attempting to connect rlm_sql_mysql #21
rlm_sql_mysql: Starting connect to MySQL server for #21
rlm_sql (sql): Connected new DB handle, #21
rlm_sql (sql): starting 22
rlm_sql (sql): Attempting to connect rlm_sql_mysql #22
rlm_sql_mysql: Starting connect to MySQL server for #22
rlm_sql (sql): Connected new DB handle, #22
rlm_sql (sql): starting 23
rlm_sql (sql): Attempting to connect rlm_sql_mysql #23
rlm_sql_mysql: Starting connect to MySQL server for #23
rlm_sql (sql): Connected new DB handle, #23
rlm_sql (sql): starting 24
rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
rlm_sql_mysql: Starting connect to MySQL server for #24
rlm_sql (sql): Connected new DB handle, #24
Module: Linked to module rlm_counter
Module: Instantiating module "daily" from file /etc/freeradius/modules/counter
counter daily {
filename = "/etc/freeradius/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
allowed-servicetype = "Framed-User"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1423782000 [2015-02-13 00:00:00]
Module: Linked to module rlm_sqlcounter
Module: Instantiating module "noresetcounter" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter noresetcounter {
counter-name = "Max-All-Session-Time"
check-name = "Max-All-Session"
reply-name = "Session-Timeout"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
reset = "never"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute Max-All-Session is number 11276
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 0 [2015-02-12 12:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 0 [2015-02-12 12:00:00]
Module: Linked to module rlm_always
Module: Instantiating module "reject" from file /etc/freeradius/modules/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
Module: Instantiating module "dailycounter" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter dailycounter {
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctsessiontime - GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
reset = "daily"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute Max-Daily-Session is number 11274
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1423782000 [2015-02-13 00:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 1423695600 [2015-02-12 00:00:00]
Module: Instantiating module "dailycounterlocation" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter dailycounterlocation {
counter-name = "Max-Daily-Session-Location"
check-name = "Max-Daily-Session-Location"
reply-name = "Session-Timeout"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctsessiontime - GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{%k}' AND (UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b') AND calledstationid = '%{Called-Station-Id}' "
reset = "daily"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute Max-Daily-Session-Location is number 954138731
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1423782000 [2015-02-13 00:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 1423695600 [2015-02-12 00:00:00]
Module: Instantiating module "monthlycounter" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter monthlycounter {
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
reply-name = "Session-Timeout"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctsessiontime - GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
reset = "monthly"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute Max-Monthly-Session is number 11278
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1425164400 [2015-03-01 00:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 1422745200 [2015-02-01 00:00:00]
Module: Instantiating module "counterChilliSpotMaxTotalOctets" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter counterChilliSpotMaxTotalOctets {
counter-name = "ChilliSpot-Max-All-Octets"
check-name = "ChilliSpot-Max-All-Octets"
reply-name = "ChilliSpot-Max-All-Octets"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
reset = "never"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute ChilliSpot-Max-All-Octets is number 954138730
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 0 [2015-02-12 12:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 0 [2015-02-12 12:00:00]
Module: Instantiating module "counterChilliSpotMaxTotalOctetsDaily" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter counterChilliSpotMaxTotalOctetsDaily {
counter-name = "ChilliSpot-Max-Daily-Octets"
check-name = "ChilliSpot-Max-Daily-Octets"
reply-name = "ChilliSpot-Max-All-Octets"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
reset = "daily"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute ChilliSpot-Max-Daily-Octets is number 954138727
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1423782000 [2015-02-13 00:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 1423695600 [2015-02-12 00:00:00]
Module: Instantiating module "counterChilliSpotMaxTotalOctetsWeekly" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter counterChilliSpotMaxTotalOctetsWeekly {
counter-name = "ChilliSpot-Max-Weekly-Octets"
check-name = "ChilliSpot-Max-Weekly-Octets"
reply-name = "ChilliSpot-Max-Total-Octets"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
reset = "weekly"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute ChilliSpot-Max-Weekly-Octets is number 954138729
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1423954800 [2015-02-15 00:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 1423436400 [2015-02-09 00:00:00]
Module: Instantiating module "counterChilliSpotMaxTotalOctetsMonthly" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter counterChilliSpotMaxTotalOctetsMonthly {
counter-name = "ChilliSpot-Max-Monthly-Octets"
check-name = "ChilliSpot-Max-Monthly-Octets"
reply-name = "ChilliSpot-Max-Total-Octets"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
reset = "weekly"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute ChilliSpot-Max-Monthly-Octets is number 954138728
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 1423954800 [2015-02-15 00:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 1423436400 [2015-02-09 00:00:00]
Module: Instantiating module "chillispot_max_bytes_in" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter chillispot_max_bytes_in {
counter-name = "ChilliSpot-Max-Input-Octets"
check-name = "ChilliSpot-Max-Input-Octets"
reply-name = "ChilliSpot-Max-Input-Octets"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctinputoctets) FROM radacct WHERE username='%{%k}'"
reset = "never"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute ChilliSpot-Max-Input-Octets is number 954138625
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 0 [2015-02-12 12:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 0 [2015-02-12 12:00:00]
Module: Instantiating module "chillispot_max_bytes_out" from file /etc/freeradius/sql/mysql/counter.conf
sqlcounter chillispot_max_bytes_out {
counter-name = "ChilliSpot-Max-Output-Octets"
check-name = "ChilliSpot-Max-Output-Octets"
reply-name = "ChilliSpot-Max-Output-Octets"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
reset = "never"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Check attribute ChilliSpot-Max-Output-Octets is number 954138626
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Next reset 0 [2015-02-12 12:00:00]
rlm_sqlcounter: Current Time: 1423739792 [2015-02-12 12:16:32], Prev reset 0 [2015-02-12 12:00:00]
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server status { # from file /etc/freeradius/sites-enabled/status
modules {
Module: Creating Autz-Type = Status-Server
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "ok" from file /etc/freeradius/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
} # modules
} # server
server dynamic_client_server { # from file /etc/freeradius/sites-enabled/inav-dynclients
modules {
Module: Checking authorize {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
}
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18120
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "mysecret"
}
}
... adding new socket proxy address * port 51107
... adding new socket proxy address * port 35460
... adding new socket proxy address * port 39125
... adding new socket proxy address * port 33472
... adding new socket proxy address * port 35308
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 56272, id=248, length=65
User-Name = "MAXSPDGROUP"
User-Password = "MAXSPDGROUP"
NAS-Identifier = "yop101"
NAS-IP-Address = 10.12.22.159
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++update request {
sql_xlat
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> MAXSPDGROUP
expand: %{%{User-Name}:-DEFAULT} -> MAXSPDGROUP
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> MAXSPDGROUP
sql_set_user escaped user --> 'MAXSPDGROUP'
expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.12.22.159'
rlm_sql (sql): Reserving sql socket id: 24
sql_xlat finished
rlm_sql (sql): Released sql socket id: 24
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> yop101
++} # update request = noop
++? if ("%{sql:UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale-Session' WHERE UserName='%{User-Name}' AND CallingStationId='%{Calling-Station-Id}' AND AcctStopTime is null}")
sql_xlat
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> MAXSPDGROUP
expand: %{%{User-Name}:-DEFAULT} -> MAXSPDGROUP
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> MAXSPDGROUP
sql_set_user escaped user --> 'MAXSPDGROUP'
expand: UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale-Session' WHERE UserName='%{User-Name}' AND CallingStationId='%{Calling-Station-Id}' AND AcctStopTime is null -> UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale-Session' WHERE UserName='MAXSPDGROUP' AND CallingStationId='' AND AcctStopTime is null
rlm_sql (sql): Reserving sql socket id: 23
rlm_sql (sql): SQL query affected no rows
rlm_sql (sql): Released sql socket id: 23
expand: %{sql:UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale-Session' WHERE UserName='%{User-Name}' AND CallingStationId='%{Calling-Station-Id}' AND AcctStopTime is null} -> 0
? Evaluating ("%{sql:UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale-Session' WHERE UserName='%{User-Name}' AND CallingStationId='%{Calling-Station-Id}' AND AcctStopTime is null}") -> FALSE
++? if ("%{sql:UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale-Session' WHERE UserName='%{User-Name}' AND CallingStationId='%{Calling-Station-Id}' AND AcctStopTime is null}") -> FALSE
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "MAXSPDGROUP", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "MAXSPDGROUP"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++[files] = noop
[sql] expand: %{Stripped-User-Name} -> MAXSPDGROUP
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> MAXSPDGROUP
[sql] sql_set_user escaped user --> 'MAXSPDGROUP'
rlm_sql (sql): Reserving sql socket id: 22
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'MAXSPDGROUP' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MAXSPDGROUP' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'MAXSPDGROUP' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' OR groupname = '%{HuntGroup-Name}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'c_yop1' OR groupname = 'yop101' ORDER BY id
[sql] expand: %{NAS-Identifier} -> yop101
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' OR groupname = '%{HuntGroup-Name}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'noaccess' OR groupname = 'yop101' ORDER BY id
rlm_sql (sql): Released sql socket id: 22
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
++[expiration] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
++[logintime] = noop
[pap] Normalizing MD5-Password from hex encoding
++[pap] = updated
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounterlocation] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[counterChilliSpotMaxTotalOctets] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[counterChilliSpotMaxTotalOctetsDaily] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[counterChilliSpotMaxTotalOctetsWeekly] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[counterChilliSpotMaxTotalOctetsMonthly] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[chillispot_max_bytes_in] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[chillispot_max_bytes_out] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group PAP {
[pap] login attempt with password "MAXSPDGROUP"
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{Stripped-User-Name} -> MAXSPDGROUP
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> MAXSPDGROUP
[sql] sql_set_user escaped user --> 'MAXSPDGROUP'
[sql] expand: %{User-Password} -> MAXSPDGROUP
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'MAXSPDGROUP', 'MAXSPDGROUP', 'Access-Accept', '2015-02-12 12:16:40')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'MAXSPDGROUP', 'MAXSPDGROUP', 'Access-Accept', '2015-02-12 12:16:40')
rlm_sql (sql): Reserving sql socket id: 21
rlm_sql (sql): Released sql socket id: 21
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 248 to 127.0.0.1 port 56272
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 248 with timestamp +8
Ready to process requests.
[1] http://wiki.freeradius.org/modules/Rlm_sql#SQL-Schema-and-usage
--
Lorenzo Milesi - lorenzo.milesi(a)yetopen.it
YetOpen S.r.l. - http://www.yetopen.it/
1
1
Hi,
First time posting here. I have just started out and am trying to get a FreeRadius 3.0.6 server working with Samba 4.1.16. Specifically authorising against Samba’s LDB backend.
So what I have got working is FreeRadius binding correctly to Samba’s LDB ldap server as well as the correct user objects being found when running a test with radtest.
Below is the request output from FreeRadius:
(0) Received Access-Request Id 150 from 127.0.0.1:39860 to 127.0.0.1:1812 length 83
(0) User-Name = ’test'
(0) User-Password = ‘password'
(0) NAS-IP-Address = 192.168.6.221
(0) NAS-Port = 0
(0) Message-Authenticator = 0x5a261850779b1ad52861b77dc4914cb0
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) (null) {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (sAMAccountName=test)
(0) ldap: EXPAND OU=Users,DC=example,DC=com
(0) ldap: --> OU=Users,DC=example,DC=com
(0) ldap: Performing search in 'OU=Users,DC=example,DC=com' with filter '(sAMAccountName=test)', scope 'sub'
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN “CN=test,OU=Users,DC=example,DC=com"
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
WARNING: (0) pap: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # (null) = ok
ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test/password] (from client vpn port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) (null) {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # (null) = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 150 from 127.0.0.1:1812 to 127.0.0.1:39860 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 150 with timestamp +4
Ready to process requests
As you can see I am not sure why it fails at the pap stage and what is going on. I think it may have something to do with the user password hash not being retrieved from ldap but can’t be sure and from the searching I have done FreeRadius would seem to provide and error if this was the case.
The sites-enable/default looks like the following:
authorize {
preprocess
# auth_log
chap
mschap
ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
# suffix
files
}
accounting {
detail
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
}
And my ldap config is as follows:
ldap {
server = '192.168.6.221'
identity = 'CN=FreeRadius,OU=Users,DC=example,DC=com'
password = radpassword
base_dn = 'OU=Users,DC=example,DC=com'
user {
base_dn = 'OU=Users,DC=example,DC=com'
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
Any help would be greatly appreciated.
Kind Regards
Thom
1
0
Hi,
I currently run a Cisco ASA 5510 firewall. Authentication take place via a Windows server with Cisco ACS software. Once the authentication has taken place, the ACS downloads an Access Control List (ACL) to the firewall that then restricts that user access to a single IP Address or in some cases multiple IP addresses. I only have about 20 users but this might grow to 50. I also get a few basic reports of failed and successful logins and how long the user was attached to the network.
Is FreeRadius capable of doing this authentication and able to restrict access on the network and generate the basic reports?
Regards
John
Corobrik (Pty) Ltd
Reg No 2007/021571/07
P O Box 201367 Durban North KZN 4016
Tel +27 31 560 3111
Alt +27 87 359 3111
Fax +27 31 565 1532
This e-mail and all contents are subject to the following disclaimer:
http://www.corobrik.co.za/disclaimer-and-legal-notices
2
1
Hi
We have been running Freeradius with 802.1x (peap-mschapv2) against
edirectory authentication for a number of years. Currently running on
sles 11 sp3 - freeradius-server-2.2.5-11.1 - but I have tested with
older freeradius package that ships with SLES 11 SP3.
Setup similar to
https://www.novell.com/support/kb/doc.php?id=7009035
We have recently noticed that authentication is failing when users are
using the £ sign character in their password (and also § found on
macbook keyboards) - it seems to work fine with other characters -
!"$%^123&*()_+-=[]{};'#:@~,./<>?\| for example.
What I see in logs is
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: lsxtestaas(a)lshtm.ac.uk
[mschap] Client is using MS-CHAPv2 for lsxtestaas(a)lshtm.ac.uk, we need
NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
However as soon as I remove £ sign auth is working fine.
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [lsxtestaas(a)lshtm.ac.uk] (from client aruba port 0 cli
C48508CCE903 via TLS tunnel)
It also works if you use £ rather than just the £ within the password
when authing from a supplicant (tested with android & Windows)-
suggesting some kind of encoding issue??. The cleartext password
returned from eDirectory seems fine.
[ldap] Added the eDirectory password ****£**** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Any thoughts would be appreciated.
Thanks
Mark
5
4
Keep getting this error:
Wed Feb 11 11:32:21 2015 : Error: /etc/freeradius/clients.conf[210]: No such home_server or home_server_pool "my-coa"
I've tried my best to read through it all.
1) Here's my section in clients.conf:
client 15.234.166.129 {
secret = abc
shortname = abc
nastype = other
coa_server = my-coa
}
2) Here's my section in sites-available/originate-coa:
home_server my-coa {
type = coa
ipaddr = 15.234.166.129
port = 3799
secret = testing1234
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool coa {
type = fail-over
home_server = my-coa
}
3) I could not understand the directions here:
# CoA packets can be originated when a normal Access-Request or
# Accounting-Request packet is received. Simply update the
# "coa" list:
#
update coa {
User-Name = "%{User-Name}"
Acct-Session-Id = "%{Acct-Session-Id}"
NAS-IP-Address = "%{NAS-IP-Address}"
}
#
# And the CoA packet will be sent. You can also send Disconnect
# packets by using "update disconnect { ...".
#
# This "update coa" entry can be placed in any section (authorize,
# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA
Was I supposed to uncomment that "update coa" section?
Copy and paste it somewhere else? I couldn't figure out what is meant by "can be placed in any other section"
authorize/preacct, etc.
It seems like it's not even looking at sites-available/originate-coa ?
Thank you,
Scott Reeve
2
1