Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
February 2016
- 87 participants
- 129 discussions
Good afternoon.
I've been searching for an answer this issue on a new install of freeradius
on CentOS 7, installed from RPMs. As far as I can see, what I enter for the
ldap filter is not being used by the server, but I'm hopeful I've missed
some detail in the configuration.
Here' the key error in the output from radiusd -X.
*(0) ERROR: ldap : (uid=%u)*
*(0) ERROR: ldap : ^ Invalid variable expansion*
*(0) ERROR: ldap : Unable to create filter*
[root@kukulcan raddb]# grep -r '%u'
[root@kukulcan raddb]# grep -r '\%u'
[root@kukulcan raddb]# radiusd -v
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built
on Mar 5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
[root@kukulcan raddb]# yum list freeradius\*
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.host-engine.com
* extras: centos.den.host-engine.com
* updates: centos.mirror.ndchost.com
Installed Packages
freeradius.x86_64 3.0.4-6.el7
@base
freeradius-devel.x86_64 3.0.4-6.el7
@base
freeradius-doc.x86_64 3.0.4-6.el7
@base
freeradius-krb5.x86_64 3.0.4-6.el7
@base
freeradius-ldap.x86_64 3.0.4-6.el7
@base
freeradius-mysql.x86_64 3.0.4-6.el7
@base
freeradius-perl.x86_64 3.0.4-6.el7
@base
freeradius-postgresql.x86_64 3.0.4-6.el7
@base
freeradius-python.x86_64 3.0.4-6.el7
@base
freeradius-sqlite.x86_64 3.0.4-6.el7
@base
freeradius-unixODBC.x86_64 3.0.4-6.el7
@base
freeradius-utils.x86_64 3.0.4-6.el7
@base
Available Packages
freeradius-devel.i686 3.0.4-6.el7
base
/etc/raddb/mods-enables/ldap:
[...]
ldap {
server = "ldap.eckerd.edu"
identity = "cn=directory manager"
password = *********
basedn = "dc=eckerd,dc=edu"
* filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"*
#base_filter = "(objectclass=radiusprofile)"
[...]
[root@kukulcan ~]# grep '%u' /etc/raddb/mods-enabled/ldap
[root@kukulcan ~]#
LDAP output from radiusd -X
[...]
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "ldap.eckerd.edu"
port = 389
password = <<< secret >>>
identity = "cn=directory manager"
user {
* filter = "(uid=%u)"*
scope = "sub"
base_dn = ""
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap: Falling back to build time libldap version info. Query for
LDAP_OPT_API_INFO returned: -1
rlm_ldap: libldap vendor: OpenLDAP version: 20439
rlm_ldap (ldap): Couldn't find configuration for accounting, will return
NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return
NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
[...]
Received Access-Request Id 44 from 127.0.0.1:44847 to 127.0.0.1:1812 length
77
User-Name = 'moorewr'
User-Password = 'foobar'
NAS-IP-Address = 198.187.214.151
NAS-Port = 0
Message-Authenticator = 0x6a42189a2e73e4a2d624012f4ab82ce3
(0) Received Access-Request packet from host 127.0.0.1 port 44847, id=44,
length=77
(0) User-Name = 'moorewr'
(0) User-Password = 'foobar'
(0) NAS-IP-Address = 198.187.214.151
(0) NAS-Port = 0
(0) Message-Authenticator = 0x6a42189a2e73e4a2d624012f4ab82ce3
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
rlm_ldap (ldap): Reserved connection (4)
*(0) ERROR: ldap : (uid=%u)*
*(0) ERROR: ldap : ^ Invalid variable expansion*
*(0) ERROR: ldap : Unable to create filter*
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 259
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 259
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 259
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 259
seconds
rlm_ldap (ldap): You probably need to lower "min"
(0) [ldap] = invalid
(0) } # authorize = invalid
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> moorewr
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 44847, id=44,
length=0
Sending Access-Reject Id 44 from 127.0.0.1:1812 to 127.0.0.1:44847
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 44 with timestamp +259
--
+-----------------------------------------------------------------+
Walter R. Moore -- Sr. Systems Administrator, Eckerd College
moorewr(a)eckerd.edu -- http://home.eckerd.edu/~moorewr
"It was glorious to see -- if your heart were iron,
And you could keep from grieving at all the pain" - The Iliad (13.355)
I'm on twitter: http://twitter.com/moorewreckerd
***Reminder! ITS will never ask you to e-mail your password!***
3
9
[freeRADIUS 3.0.11 : Error: Could not link driver rlm_sql_oracle: libclntsh.so.11.1: cannot open shared object file: No such file or directory
by Vincent MARCEL 09 Feb '16
by Vincent MARCEL 09 Feb '16
09 Feb '16
Hello dear radius users,
I have compiled radius 3.0.11 radius server from tarball downloaded at http://freeradius.org/
I have configured sql module, then at lauched I get this error :
Tue Feb 9 11:07:58 2016 : Error: Could not link driver rlm_sql_oracle: libclntsh.so.11.1: cannot open shared object file: No such file or directory
Tue Feb 9 11:07:58 2016 : Error: Make sure it (and all its dependent libraries!) are in the search path of your system's ld
Why that and how may I fix it ?
Best regards,
Vincent MARCEL
2
1
Hello!
“-r: not found” and “sh: 0: Illegal option –r” was an error with snmpwalk. I compiled FreeRadius without SNMP installed.
So, I installed SNMP. The “-r” error disappeared, but unfortunately the same error still occurs:
(0) Received Access-Request Id 100 from 192.168.0.1:55429 to 192.168.0.98:1812 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15731333
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0xbd3a9c8b7601f363a824eaac74bd8e10
(0) CHAP-Password = 0x018481e984212401f879eae27379964cf4
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Conditional check items matched
(0) sql: Group "1": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> aeaca7a4ec4f29c5b435e1e56cd6d541
(0) &Acct-Unique-Session-Id := aeaca7a4ec4f29c5b435e1e56cd6d541
(0) } # update request = noop
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{Acct-Session-ID}
(0) --> 81900848
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) --> 0
(0) } # else = noop
(0) } # policy acct_unique = noop
back to square one...
Please, need some help.
Below is my entire log (no more “-r” errors):
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : no
regex-posix : yes
regex-posix-extended : yes
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.1p release
Endianness:
little
Compilation flags:
cppflags : -isystem /usr/local/include/
cflags : -I/root/freeradius/freeradius-server-3.0.11 -I/root/freeradius/freeradius-server-3.0.11/src -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/build.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/features.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -g -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
ldflags : -L/usr/local/lib -Wl,-rpath,/usr/local/lib
libs : -lcrypto -lssl -ltalloc -lexecinfo -lpthread -lreadline
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
# Creating Auth-Type = eap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "root"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.6.25
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.0.1 (123231) to global clients list
rlm_sql (192.168.0.1): Client "123231" (sql) added
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 33259
Listening on proxy address :: port 26258
Ready to process requests
(0) Received Access-Request Id 100 from 192.168.0.1:55429 to 192.168.0.98:1812 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15731333
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0xbd3a9c8b7601f363a824eaac74bd8e10
(0) CHAP-Password = 0x018481e984212401f879eae27379964cf4
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Conditional check items matched
(0) sql: Group "1": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> aeaca7a4ec4f29c5b435e1e56cd6d541
(0) &Acct-Unique-Session-Id := aeaca7a4ec4f29c5b435e1e56cd6d541
(0) } # update request = noop
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{Acct-Session-ID}
(0) --> 81900848
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) --> 0
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(0) accounting {
(0) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(0) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160209
(0) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160209
(0) detail: EXPAND %t
(0) detail: --> Tue Feb 9 05:09:41 2016
(0) [detail] = ok
(0) [unix] = ok
(0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(0) sql: --> type.stop.query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(0) sql: --> UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1455001781), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = 'aeaca7a4ec4f29c5b435e1e56cd6d541'
(0) sql: Executing query: UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1455001781), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = 'aeaca7a4ec4f29c5b435e1e56cd6d541'
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(0) sql: SQL query returned: success
(0) sql: 0 record(s) updated
(0) sql: Trying next query...
(0) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(0) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('81900848', 'aeaca7a4ec4f29c5b435e1e56cd6d541', 'test', '', '192.168.0.1', '0', '', FROM_UNIXTIME(1455001781 - 0), FROM_UNIXTIME(1455001781), FROM_UNIXTIME(1455001781), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '')
(0) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('81900848', 'aeaca7a4ec4f29c5b435e1e56cd6d541', 'test', '', '192.168.0.1', '0', '', FROM_UNIXTIME(1455001781 - 0), FROM_UNIXTIME(1455001781), FROM_UNIXTIME(1455001781), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response: --> test
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0) [attr_filter.accounting_response] = updated
(0) } # accounting = updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x018481e984212401f879eae27379964cf4', 'Access-Accept', '2016-02-09 05:09:41')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x018481e984212401f879eae27379964cf4', 'Access-Accept', '2016-02-09 05:09:41')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 100 from 192.168.0.98:1812 to 192.168.0.1:55429 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
Waking up in 9.9 seconds.
(1) Received Accounting-Request Id 101 from 192.168.0.1:59018 to 192.168.0.98:1813 length 147
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) NAS-Port = 15731333
(1) NAS-Port-Type = Ethernet
(1) User-Name = "test"
(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(1) Called-Station-Id = "service1"
(1) NAS-Port-Id = "bridge1"
(1) Acct-Session-Id = "81900849"
(1) Framed-IP-Address = 0.0.0.0
(1) Acct-Authentic = RADIUS
(1) Event-Timestamp = "Feb 8 2016 18:48:07 BRST"
(1) Acct-Status-Type = Start
(1) NAS-Identifier = "Main_Router"
(1) Acct-Delay-Time = 0
(1) NAS-IP-Address = 192.168.0.1
(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(1) EXPAND %{string:Class}
(1) -->
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> f7d16a7d01689686f3af959b4c2467af
(1) &Acct-Unique-Session-Id := f7d16a7d01689686f3af959b4c2467af
(1) } # update request = noop
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{Acct-Session-ID}
(1) --> 81900849
(1) EXPAND %{NAS-IPv6-Address}
(1) -->
(1) EXPAND %{NAS-IP-Address}
(1) --> 192.168.0.1
(1) EXPAND %{NAS-Identifier}
(1) --> Main_Router
(1) EXPAND %{NAS-Port-ID}
(1) --> bridge1
(1) EXPAND %{NAS-Port}
(1) --> 15731333
(1) } # else = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(1) accounting {
(1) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160209
(1) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160209
(1) detail: EXPAND %t
(1) detail: --> Tue Feb 9 05:09:42 2016
(1) [detail] = ok
(1) [unix] = ok
(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) sql: --> type.start.query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND %{User-Name}
(1) sql: --> test
(1) sql: SQL-User-Name set to 'test'
(1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('81900849', 'f7d16a7d01689686f3af959b4c2467af', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454964487), FROM_UNIXTIME(1454964487), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('81900849', 'f7d16a7d01689686f3af959b4c2467af', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454964487), FROM_UNIXTIME(1454964487), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(1) [sql] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> test
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 101 from 192.168.0.98:1813 to 192.168.0.1:59018 length 0
(1) Finished request
(1) Cleaning up request packet ID 101 with timestamp +10
Waking up in 9.9 seconds.
(0) Cleaning up request packet ID 100 with timestamp +9
Ready to process requests
^C
Best Regards
Fabricio
---
Este email foi escaneado pelo Avast antivírus.
http://www.avast.com
2
1
Hello again! Did some more test:
I downloaded the lastest version from GitHub.
Then i edited default file:
authorize {
…
sql
…
}
accounting {
…
sql
…
}
session {
…
sql
…
}
post-auth {
…
sql
…
}
Post-Auth-Type REJECT {
sql
}
Then I removed the ## from simultaneous check in mysql/main/queries.conf, populated mysql tables, etc.
First connection was ok!
The second connection gave me the same result: different unique after simultaneous check:
(0) Received Access-Request Id 233 from 192.168.0.1:39989 to 192.168.0.40:1812 via eth0 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15731317
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0xeaa20e68b1ce1510e03697f296297e91
(0) CHAP-Password = 0x010387f06bf0f7858174499425ed1ad889
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) Running section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) preprocess (ok)
(0) chap - &control:Auth-Type := CHAP
(0) chap (ok)
(0) mschap (noop)
(0) eap - No EAP-Message, not doing EAP
(0) eap (noop)
(0) sql - EXPAND %{User-Name}
(0) sql - --> test
(0) sql - SQL-User-Name set to 'test'
(0) sql - Reserved connection (1)
(0) sql - EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql - --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql - Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql - User found in radcheck table
(0) sql - Conditional check items matched, merging assignment check items
(0) sql - &Cleartext-Password := "123456"
(0) sql - EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql - --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql - Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql - EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql - --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql - Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql - User found in the group table
(0) sql - EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql-sql-Group}' ORDER BY id
(0) sql - --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id
(0) sql - Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id
(0) sql - Group "10": Conditional check items matched
(0) sql - Group "10": Merging assignment check items
(0) sql - &Simultaneous-Use := 1
(0) sql - EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql-sql-Group}' ORDER BY id
(0) sql - --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id
(0) sql - Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id
(0) sql - Group "10": Merging reply items
(0) sql - Released connection (1)
rlm_sql (sql) - Need 4 more connections to reach 10 spares
rlm_sql (sql) - Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
(0) sql (ok)
(0) expiration (noop)
(0) logintime (noop)
(0) pap - WARNING: Auth-Type already set. Not setting to PAP
(0) pap (noop)
(0) } # authorize (ok)
(0) Using 'Auth-Type = CHAP' for authenticate {...}
(0) Running Auth-Type CHAP from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap - Comparing with "known good" Cleartext-Password
(0) chap - CHAP user "test" authenticated successfully
(0) chap (ok)
(0) } # Auth-Type CHAP (ok)
(0) Running section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql - EXPAND %{User-Name}
(0) sql - --> test
(0) sql - SQL-User-Name set to 'test'
(0) sql - Reserved connection (2)
(0) sql - EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql - --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql - Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql - EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql - --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql - Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
sh: 0: Illegal option -r
(0) Running section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) preprocess (ok)
(0) acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) ...
(0) }
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> e046c6f56a3f80e5cb993d93198b266a
(0) &Acct-Unique-Session-Id := e046c6f56a3f80e5cb993d93198b266a
(0) } # update request (noop)
(0) EXPAND %{User-Name}
(0) -->
(0) EXPAND %{Acct-Multi-Session-ID}
(0) -->
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) -->
(0) } # else (noop)
(0) } # acct_unique (noop)
(0) } # preacct (ok)
Again the values are blank.
But something is weird:
sh: 0: Illegal option -r
Whats is this error? Where did it came from?
I did NOT change any queries, I just added the SQL options in default site.
Please, need some help.
Below is my entire log:
FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
/usr/local/etc/raddb/mods-enabled/linelog[114]: Reference "${..pool}" not found
/usr/local/etc/raddb/mods-enabled/linelog[127]: Reference "${..pool}" not found
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/vendor
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
continuation_timeout = 15
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "CVE-2014-0160"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dynamic = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Found debugger attached
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
queue_priority = "default"
auto_limit_acct = no
}
listen {
type = "auth"
ipaddr = *
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
recv_buff = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
recv_buff = 0
}
radiusd: #### Loading modules ####
modules {
# Loaded module "rlm_expiration"
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module "rlm_exec"
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module "rlm_eap"
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
require_client_cert = yes
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module "rlm_digest"
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module "rlm_linelog"
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
port = 514
timeout = 2.000000
}
udp {
port = 514
timeout = 2.000000
}
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog-accounting"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loaded module "rlm_attr_filter"
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
relaxed = no
}
# Loaded module "rlm_sql"
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "root"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
group_attribute = "sql-sql-Group"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql-sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql-sql-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
query = "UPDATE radacct SET acctstarttime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '%{Connect-Info}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql) - Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute sql-sql-Group
# Loaded module "rlm_pap"
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module "rlm_detail"
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module "rlm_realm"
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module "rlm_dhcp"
# Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
# Loaded module "rlm_dynamic_clients"
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module "rlm_expr"
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module "rlm_soh"
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module "rlm_utf8"
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module "rlm_files"
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module "rlm_replicate"
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module "rlm_unix"
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module "rlm_preprocess"
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module "rlm_unpack"
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module "rlm_always"
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module "rlm_passwd"
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module "rlm_mschap"
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module "rlm_radutmp"
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module "rlm_cache"
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module "rlm_logintime"
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module "rlm_chap"
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
instantiate {
}
} # modules
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_mysql - libmysql version: 5.5.47
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql) - Attempting to connect to database "radius"
rlm_sql (sql) - Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
retry_delay = 30
spread = no
}
rlm_sql (sql) - Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
rlm_sql (sql) - Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
rlm_sql (sql) - Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
rlm_sql (sql) - Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
rlm_sql (sql) - Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
rlm_sql (sql) - Processing generate_sql_clients
rlm_sql (sql) - Query is: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql) - Reserved connection (0)
rlm_sql (sql) - Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql) - Adding client 192.168.0.1 (office) to global clients list
rlm_sql (sql) - Client "192.168.0.1" (office) added
rlm_sql (sql) - Released connection (0)
rlm_sql (sql) - Need 5 more connections to reach 10 spares
rlm_sql (sql) - Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading file /usr/local/etc/raddb/mods-config/files/authorize
reading file /usr/local/etc/raddb/mods-config/files/accounting
reading file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap: using internal authentication
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache_eap - Driver rlm_cache_rbtree loaded and linked
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
radiusd: #### Loading Virtual Servers ####
server default { # from file /usr/local/etc/raddb/sites-enabled/default
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Ignoring "ldap" (see raddb/mods-available/README.rst)
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56903
Listening on proxy address :: port 41276
Ready to process requests
(0) Received Access-Request Id 233 from 192.168.0.1:39989 to 192.168.0.40:1812 via eth0 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15731317
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0xeaa20e68b1ce1510e03697f296297e91
(0) CHAP-Password = 0x010387f06bf0f7858174499425ed1ad889
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) Running section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) preprocess (ok)
(0) chap - &control:Auth-Type := CHAP
(0) chap (ok)
(0) mschap (noop)
(0) eap - No EAP-Message, not doing EAP
(0) eap (noop)
(0) sql - EXPAND %{User-Name}
(0) sql - --> test
(0) sql - SQL-User-Name set to 'test'
(0) sql - Reserved connection (1)
(0) sql - EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql - --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql - Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql - User found in radcheck table
(0) sql - Conditional check items matched, merging assignment check items
(0) sql - &Cleartext-Password := "123456"
(0) sql - EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql - --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql - Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql - EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql - --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql - Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql - User found in the group table
(0) sql - EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql-sql-Group}' ORDER BY id
(0) sql - --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id
(0) sql - Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id
(0) sql - Group "10": Conditional check items matched
(0) sql - Group "10": Merging assignment check items
(0) sql - &Simultaneous-Use := 1
(0) sql - EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql-sql-Group}' ORDER BY id
(0) sql - --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id
(0) sql - Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id
(0) sql - Group "10": Merging reply items
(0) sql - Released connection (1)
rlm_sql (sql) - Need 4 more connections to reach 10 spares
rlm_sql (sql) - Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.28-0ubuntu0.14.04.1, protocol version 10
(0) sql (ok)
(0) expiration (noop)
(0) logintime (noop)
(0) pap - WARNING: Auth-Type already set. Not setting to PAP
(0) pap (noop)
(0) } # authorize (ok)
(0) Using 'Auth-Type = CHAP' for authenticate {...}
(0) Running Auth-Type CHAP from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap - Comparing with "known good" Cleartext-Password
(0) chap - CHAP user "test" authenticated successfully
(0) chap (ok)
(0) } # Auth-Type CHAP (ok)
(0) Running section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql - EXPAND %{User-Name}
(0) sql - --> test
(0) sql - SQL-User-Name set to 'test'
(0) sql - Reserved connection (2)
(0) sql - EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql - --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql - Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql - EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql - --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql - Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
sh: 0: Illegal option -r
(0) Running section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) preprocess (ok)
(0) acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) ...
(0) }
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> e046c6f56a3f80e5cb993d93198b266a
(0) &Acct-Unique-Session-Id := e046c6f56a3f80e5cb993d93198b266a
(0) } # update request (noop)
(0) EXPAND %{User-Name}
(0) -->
(0) EXPAND %{Acct-Multi-Session-ID}
(0) -->
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) -->
(0) } # else (noop)
(0) } # acct_unique (noop)
(0) } # preacct (ok)
(0) Running section accounting from file /usr/local/etc/raddb/sites-enabled/default
(0) accounting {
(0) sql - EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(0) sql - --> type..query
(0) sql - WARNING: No such configuration item .type..query
(0) sql (noop)
(0) exec (noop)
(0) attr_filter.accounting_response - EXPAND %{User-Name}
(0) attr_filter.accounting_response - -->
(0) attr_filter.accounting_response - Matched entry DEFAULT at line 12
(0) attr_filter.accounting_response (updated)
(0) } # accounting (updated)
(0) sql - Released connection (2)
(0) sql (ok)
(0) } # session (ok)
(0) Running section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) &reply: skipped: No values available
(0) } # update (noop)
(0) sql - EXPAND .query
(0) sql - --> .query
(0) sql - Using query template 'query'
(0) sql - Reserved connection (3)
(0) sql - EXPAND %{User-Name}
(0) sql - --> test
(0) sql - SQL-User-Name set to 'test'
(0) sql - EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql - --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x010387f06bf0f7858174499425ed1ad889', 'Access-Accept', '2016-02-09 03:07:53')
(0) sql - Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x010387f06bf0f7858174499425ed1ad889', 'Access-Accept', '2016-02-09 03:07:53')
(0) sql - SQL query returned: success
(0) sql - 1 record(s) updated
(0) sql - Released connection (3)
(0) sql (ok)
(0) exec (noop)
(0) remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) ...
(0) }
(0) else {
(0) noop (noop)
(0) } # else (noop)
(0) } # remove_reply_message_if_eap (noop)
(0) } # post-auth (ok)
(0) Sent Access-Accept Id 233 from 192.168.0.40:1812 to 192.168.0.1:39989 via eth0 length 0
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Accounting-Request Id 234 from 192.168.0.1:51015 to 192.168.0.40:1813 via eth0 length 147
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) NAS-Port = 15731317
(1) NAS-Port-Type = Ethernet
(1) User-Name = "test"
(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(1) Called-Station-Id = "service1"
(1) NAS-Port-Id = "bridge1"
(1) Acct-Session-Id = "81900839"
(1) Framed-IP-Address = 0.0.0.0
(1) Acct-Authentic = RADIUS
(1) Event-Timestamp = "Feb 8 2016 16:46:18 BRST"
(1) Acct-Status-Type = Start
(1) NAS-Identifier = "Main_Router"
(1) Acct-Delay-Time = 0
(1) NAS-IP-Address = 192.168.0.1
(1) Running section preacct from file /usr/local/etc/raddb/sites-enabled/default
(1) preacct {
(1) preprocess (ok)
(1) acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(1) EXPAND %{string:Class}
(1) -->
(1) ...
(1) }
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 2d68eaaac29dc98ef59b7ac6c5fbdc67
(1) &Acct-Unique-Session-Id := 2d68eaaac29dc98ef59b7ac6c5fbdc67
(1) } # update request (noop)
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{Acct-Multi-Session-ID}
(1) -->
(1) EXPAND %{NAS-IPv6-Address}
(1) -->
(1) EXPAND %{NAS-IP-Address}
(1) --> 192.168.0.1
(1) EXPAND %{NAS-Identifier}
(1) --> Main_Router
(1) EXPAND %{NAS-Port-ID}
(1) --> bridge1
(1) EXPAND %{NAS-Port}
(1) --> 15731317
(1) } # else (noop)
(1) } # acct_unique (noop)
(1) } # preacct (ok)
(1) Running section accounting from file /usr/local/etc/raddb/sites-enabled/default
(1) accounting {
(1) sql - EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) sql - --> type.start.query
(1) sql - Using query template 'query'
(1) sql - Reserved connection (4)
(1) sql - EXPAND %{User-Name}
(1) sql - --> test
(1) sql - SQL-User-Name set to 'test'
(1) sql - EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(1) sql - --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('81900839', '2d68eaaac29dc98ef59b7ac6c5fbdc67', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454957178), FROM_UNIXTIME(1454957178), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql - Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('81900839', '2d68eaaac29dc98ef59b7ac6c5fbdc67', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454957178), FROM_UNIXTIME(1454957178), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql - SQL query returned: success
(1) sql - 1 record(s) updated
(1) sql - Released connection (4)
(1) sql (ok)
(1) exec (noop)
(1) attr_filter.accounting_response - EXPAND %{User-Name}
(1) attr_filter.accounting_response - --> test
(1) attr_filter.accounting_response - Matched entry DEFAULT at line 12
(1) attr_filter.accounting_response (updated)
(1) } # accounting (updated)
(1) Sent Accounting-Response Id 234 from 192.168.0.40:1813 to 192.168.0.1:51015 via eth0 length 0
(1) Finished request
(1) Cleaning up request packet ID 234 with timestamp +9
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 233 with timestamp +9
Ready to process requests
^C
Regards
Fabricio
---
Este email foi escaneado pelo Avast antivírus.
http://www.avast.com
1
0
Back to version 3.0.9 (I'm over 18 hours testing) I changed policy.d/accouting:
was:
update request {
&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
}
changed to:
update request {
&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{NAS-IP-Address}}"
}
So I simulated the problem again and radacct worked FINE: it did NOT create a new line (because uniqueid was the same!) and put the ACCTSTOPTIME as expected.
But ANOTHER PROBLEM OCCURRED: radipppol was NOT updated!
Inside sqlippool.conf I have: pool_key = "%{NAS-Port}"
So the pool_key is Nas-Port, ok!
Let´s see the query:
(0) sqlippool_v4: EXPAND %{User-Name}
(0) sqlippool_v4: --> test
(0) sqlippool_v4: SQL-User-Name set to 'test'
(0) sqlippool_v4: EXPAND START TRANSACTION
(0) sqlippool_v4: --> START TRANSACTION
(0) sqlippool_v4: Executing query: START TRANSACTION
(0) sqlippool_v4: EXPAND UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'
(0) sqlippool_v4: --> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '192.168.0.1' AND pool_key = '0' AND username = 'test' AND callingstationid = '' AND framedipaddress = '1.1.1.1'
(0) sqlippool_v4: Executing query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '192.168.0.1' AND pool_key = '0' AND username = 'test' AND callingstationid = '' AND framedipaddress = '1.1.1.1'
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(0) sqlippool_v4: EXPAND COMMIT
(0) sqlippool_v4: --> COMMIT
(0) sqlippool_v4: Executing query: COMMIT
(0) sqlippool_v4: EXPAND Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})
(0) sqlippool_v4: --> Released IP 1.1.1.1 (did cli user test)
rlm_sql (sql): Released connection (0)
(0) [sqlippool_v4] = ok
pool_key should not be ZERO!
Here is my conclusion:
When a user tries to connect there is a simultaneous check:
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
When there is NO other connections (99% of the time), everything works fine.
But when this query returns a connection, Freeradius looses NAS-Identifier, NAS-Port-ID and NAS-Port, so It cannot close radacct and radipool. This is NOT behavior of version 2.1.12!
2.1.12 and 3.0.9 have the SAME behavior: close radacct and free the IP from radippool. But, because there is no NAS-Identifier, NAS-Port-ID and NAS-Port the UPDATE queries does nothing.
When sites sites-enabled/default/preacct is called from a accounting-request, it works fine. But when is called in a access-request, after the simultaneous check, it did not get the NAS-Identifier, NAS-Port-ID and NAS-Port parameters. Look this log (I put some asterisks at the beginning of the important lines):
(0) Received Access-Request Id 222 from 192.168.0.1:49006 to 192.168.0.99:1812 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15729440
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0x01cb327edb3e8c32494b0b6e6c10b09d
(0) CHAP-Password = 0x01b3833103457a7f1707baa01e0c6dfa28
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 182
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id
(0) sql: Group "10": Conditional check items matched
(0) sql: Group "10": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: Pool-Name := "pool_ativo"
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id
(0) sql: Group "10": Merging reply items
(0) sql: Mikrotik-Delegated-IPv6-Pool := "PD"
rlm_sql (sql): Released connection (1)
rlm_sql (sql): 0 of 6 connections in use. Need more spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
*** (0) session {
*** (0) EXPAND %{NAS-Port}
*** (0) --> 15729440
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
*** (0) preacct {
*** (0) EXPAND %{NAS-Port}
*** (0) --> 0
(0) [preprocess] = ok
(0) policy acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{NAS-IP-Address}}
(0) --> ff97493ea4bc763492c5bd1544f13823
(0) &Acct-Unique-Session-Id := ff97493ea4bc763492c5bd1544f13823
(0) } # update request = noop
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{Acct-Session-ID}
(0) --> 819000e3
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) --> 0
(0) } # else = noop
(0) } # policy acct_unique = noop
Nas-Port is ok in session, but zero in preacct:
(0) session {
(0) EXPAND %{NAS-Port}
(0) --> 15729440
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) EXPAND %{NAS-Port}
(0) --> 0
Alan, thanks for your reply! You said that Access-Request should not go to preacct section. I looked into version 2:
[sql] expand: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 15729406,Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = "819000c2",User-Name = "test"'
[acct_unique] Acct-Unique-Session-ID = "5cc3e8235801dd84".
++[acct_unique] returns ok
It seems that after a positive “simultaneous check” FreeRadius go to preacct to close the old connection. Nas-Port value was passed to preacct in version 2.1.12.
Well, that´s It, looking for help...
Regards
Fabricio
---
Este email foi escaneado pelo Avast antivírus.
http://www.avast.com
1
0
Hello! Last post was messed up because HTML format was on. So, I´ll try again. Sorry about that.
I'm having a strange problem with acct_unique module and simultaneous connections.
In my first attempt is ok. The FreeRadius generates acctuniqueid smoothly:
(1) Received Accounting-Request Id 251 from 192.168.0.1:45287 to 192.168.0.98:1813 length 147
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) NAS-Port = 15729401
(1) NAS-Port-Type = Ethernet
(1) User-Name = "test"
(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(1) Called-Station-Id = "service1"
(1) NAS-Port-Id = "bridge1"
(1) Acct-Session-Id = "819000bd"
(1) Framed-IP-Address = 0.0.0.0
(1) Acct-Authentic = RADIUS
(1) Event-Timestamp = "Feb 7 2016 19:54:52 BRST"
(1) Acct-Status-Type = Start
(1) NAS-Identifier = "Main_Router"
(1) Acct-Delay-Time = 0
(1) NAS-IP-Address = 192.168.0.1
(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(1) EXPAND %{string:Class}
(1) -->
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 1a64f851542b58ee9e9bddec7c24d202
(1) &Acct-Unique-Session-Id := 1a64f851542b58ee9e9bddec7c24d202
(1) } # update request = noop
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{Acct-Session-ID}
(1) --> 819000bd
(1) EXPAND %{NAS-IPv6-Address}
(1) -->
(1) EXPAND %{NAS-IP-Address}
(1) --> 192.168.0.1
(1) EXPAND %{NAS-Identifier}
(1) --> Main_Router
(1) EXPAND %{NAS-Port-ID}
(1) --> bridge1
(1) EXPAND %{NAS-Port}
(1) --> 15729401
(1) }
Then simulated an error: Quit FreeRadius, then I disconnected the client. Then I turned on the server and the client connected again.
I did this simulation because this kind of situation occurs in real life (loosing accounting STOP between NAS and FreeRadius). I run version 2.1.12 for many years and when this error occurs, FreeRadius solves the problem automatically , which is not happening now in 3.0.11.
I detected an error in radacct : it created a new entry with the same Acct-Session-ID in the database instead of putting the acctstoptime the first connection.
I realized that acctuniqueid was created differently:
(0) Received Access-Request Id 253 from 192.168.0.1:36215 to 192.168.0.98:1812 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15729402
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0x14fabff364f33d09f97a7992e7658be9
(0) CHAP-Password = 0x011ad42c708f1b1279142669b5d1d20f23
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Conditional check items matched
(0) sql: Group "1": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
-r: not found
(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 28b1b845bc61bf9ac3794bceaff7f323
(0) &Acct-Unique-Session-Id := 28b1b845bc61bf9ac3794bceaff7f323
(0) } # update request = noop
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{Acct-Session-ID}
(0) --> 819000bd
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) --> 0
(0) }
Note that the NAS-Identifier, NAS-Port-ID and NAS-Port parameters are empty despite the package coming with the information!
This is generating a new entry into radacct because md5 changes... I don´t know why these values are lost when entering into preacct section.
The first attempt gave me 1a64f851542b58ee9e9bddec7c24d202 as MD5, the second attempt MD5 was 28b1b845bc61bf9ac3794bceaff7f323.
My question is this:
Why, in the above log, NAS-IP-Address, NAS-Identifier, NAS-Port-ID are EMPTY and NAS-Port is ZERO when all this information came into the Access-Request Id 253?
************the first attempt (all lines now)**************
(0) Received Access-Request Id 250 from 192.168.0.1:59232 to 192.168.0.98:1812 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15729401
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0xa5063c70996debf802df861c46e79cf4
(0) CHAP-Password = 0x019fb70c0c541fc544356832e78f10d47b
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Conditional check items matched
(0) sql: Group "1": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x019fb70c0c541fc544356832e78f10d47b', 'Access-Accept', '2016-02-08 06:16:27')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x019fb70c0c541fc544356832e78f10d47b', 'Access-Accept', '2016-02-08 06:16:27')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 250 from 192.168.0.98:1812 to 192.168.0.1:59232 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Accounting-Request Id 251 from 192.168.0.1:45287 to 192.168.0.98:1813 length 147
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) NAS-Port = 15729401
(1) NAS-Port-Type = Ethernet
(1) User-Name = "test"
(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(1) Called-Station-Id = "service1"
(1) NAS-Port-Id = "bridge1"
(1) Acct-Session-Id = "819000bd"
(1) Framed-IP-Address = 0.0.0.0
(1) Acct-Authentic = RADIUS
(1) Event-Timestamp = "Feb 7 2016 19:54:52 BRST"
(1) Acct-Status-Type = Start
(1) NAS-Identifier = "Main_Router"
(1) Acct-Delay-Time = 0
(1) NAS-IP-Address = 192.168.0.1
(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(1) EXPAND %{string:Class}
(1) -->
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 1a64f851542b58ee9e9bddec7c24d202
(1) &Acct-Unique-Session-Id := 1a64f851542b58ee9e9bddec7c24d202
(1) } # update request = noop
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{Acct-Session-ID}
(1) --> 819000bd
(1) EXPAND %{NAS-IPv6-Address}
(1) -->
(1) EXPAND %{NAS-IP-Address}
(1) --> 192.168.0.1
(1) EXPAND %{NAS-Identifier}
(1) --> Main_Router
(1) EXPAND %{NAS-Port-ID}
(1) --> bridge1
(1) EXPAND %{NAS-Port}
(1) --> 15729401
(1) } # else = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(1) accounting {
(1) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208
(1) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208
(1) detail: EXPAND %t
(1) detail: --> Mon Feb 8 06:16:27 2016
(1) [detail] = ok
(1) [unix] = ok
(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) sql: --> type.start.query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND %{User-Name}
(1) sql: --> test
(1) sql: SQL-User-Name set to 'test'
(1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '1a64f851542b58ee9e9bddec7c24d202', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882092), FROM_UNIXTIME(1454882092), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '1a64f851542b58ee9e9bddec7c24d202', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882092), FROM_UNIXTIME(1454882092), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(1) [sql] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> test
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 251 from 192.168.0.98:1813 to 192.168.0.1:45287 length 0
(1) Finished request
(1) Cleaning up request packet ID 251 with timestamp +5
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 250 with timestamp +5
Ready to process requests
************the second attempt (all lines now)**************
(0) Received Access-Request Id 253 from 192.168.0.1:36215 to 192.168.0.98:1812 length 144
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15729402
(0) NAS-Port-Type = Ethernet
(0) User-Name = "test"
(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(0) Called-Station-Id = "service1"
(0) NAS-Port-Id = "bridge1"
(0) CHAP-Challenge = 0x14fabff364f33d09f97a7992e7658be9
(0) CHAP-Password = 0x011ad42c708f1b1279142669b5d1d20f23
(0) NAS-Identifier = "Main_Router"
(0) NAS-IP-Address = 192.168.0.1
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Conditional check items matched
(0) sql: Group "1": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id
(0) sql: Group "1": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserved connection (2)
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
-r: not found
(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 28b1b845bc61bf9ac3794bceaff7f323
(0) &Acct-Unique-Session-Id := 28b1b845bc61bf9ac3794bceaff7f323
(0) } # update request = noop
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{Acct-Session-ID}
(0) --> 819000bd
(0) EXPAND %{NAS-IPv6-Address}
(0) -->
(0) EXPAND %{NAS-IP-Address}
(0) --> 192.168.0.1
(0) EXPAND %{NAS-Identifier}
(0) -->
(0) EXPAND %{NAS-Port-ID}
(0) -->
(0) EXPAND %{NAS-Port}
(0) --> 0
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(0) accounting {
(0) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(0) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208
(0) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208
(0) detail: EXPAND %t
(0) detail: --> Mon Feb 8 06:17:14 2016
(0) [detail] = ok
(0) [unix] = ok
(0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(0) sql: --> type.stop.query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(0) sql: --> UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1454919434), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = '28b1b845bc61bf9ac3794bceaff7f323'
(0) sql: Executing query: UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1454919434), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = '28b1b845bc61bf9ac3794bceaff7f323'
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(0) sql: SQL query returned: success
(0) sql: 0 record(s) updated
(0) sql: Trying next query...
(0) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(0) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '28b1b845bc61bf9ac3794bceaff7f323', 'test', '', '192.168.0.1', '0', '', FROM_UNIXTIME(1454919434 - 0), FROM_UNIXTIME(1454919434), FROM_UNIXTIME(1454919434), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '')
(0) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '28b1b845bc61bf9ac3794bceaff7f323', 'test', '', '192.168.0.1', '0', '', FROM_UNIXTIME(1454919434 - 0), FROM_UNIXTIME(1454919434), FROM_UNIXTIME(1454919434), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response: --> test
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0) [attr_filter.accounting_response] = updated
(0) } # accounting = updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql: EXPAND %{User-Name}
(0) sql: --> test
(0) sql: SQL-User-Name set to 'test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x011ad42c708f1b1279142669b5d1d20f23', 'Access-Accept', '2016-02-08 06:17:14')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x011ad42c708f1b1279142669b5d1d20f23', 'Access-Accept', '2016-02-08 06:17:14')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 253 from 192.168.0.98:1812 to 192.168.0.1:36215 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Accounting-Request Id 254 from 192.168.0.1:58808 to 192.168.0.98:1813 length 147
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) NAS-Port = 15729402
(1) NAS-Port-Type = Ethernet
(1) User-Name = "test"
(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"
(1) Called-Station-Id = "service1"
(1) NAS-Port-Id = "bridge1"
(1) Acct-Session-Id = "819000be"
(1) Framed-IP-Address = 0.0.0.0
(1) Acct-Authentic = RADIUS
(1) Event-Timestamp = "Feb 7 2016 19:55:39 BRST"
(1) Acct-Status-Type = Start
(1) NAS-Identifier = "Main_Router"
(1) Acct-Delay-Time = 0
(1) NAS-IP-Address = 192.168.0.1
(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(1) EXPAND %{string:Class}
(1) -->
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> ece4bc8c0478e3bc6030a3666e0a14d7
(1) &Acct-Unique-Session-Id := ece4bc8c0478e3bc6030a3666e0a14d7
(1) } # update request = noop
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{Acct-Session-ID}
(1) --> 819000be
(1) EXPAND %{NAS-IPv6-Address}
(1) -->
(1) EXPAND %{NAS-IP-Address}
(1) --> 192.168.0.1
(1) EXPAND %{NAS-Identifier}
(1) --> Main_Router
(1) EXPAND %{NAS-Port-ID}
(1) --> bridge1
(1) EXPAND %{NAS-Port}
(1) --> 15729402
(1) } # else = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(1) accounting {
(1) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208
(1) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208
(1) detail: EXPAND %t
(1) detail: --> Mon Feb 8 06:17:14 2016
(1) [detail] = ok
(1) [unix] = ok
(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) sql: --> type.start.query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND %{User-Name}
(1) sql: --> test
(1) sql: SQL-User-Name set to 'test'
(1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000be', 'ece4bc8c0478e3bc6030a3666e0a14d7', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882139), FROM_UNIXTIME(1454882139), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000be', 'ece4bc8c0478e3bc6030a3666e0a14d7', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882139), FROM_UNIXTIME(1454882139), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(1) [sql] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> test
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 254 from 192.168.0.98:1813 to 192.168.0.1:58808 length 0
(1) Finished request
(1) Cleaning up request packet ID 254 with timestamp +7
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 253 with timestamp +7
Ready to process requests
************my confs (all lines)**************
root@radius:/usr/local/etc/raddb/mods-available # radiusd -X
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : no
regex-posix : yes
regex-posix-extended : yes
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.1p release
Endianness:
little
Compilation flags:
cppflags : -isystem /usr/local/include/
cflags : -I/root/freeradius/freeradius-server-3.0.11 -I/root/freeradius/freeradius-server-3.0.11/src -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/build.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/features.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -g -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
ldflags : -L/usr/local/lib -Wl,-rpath,/usr/local/lib
libs : -lcrypto -lssl -ltalloc -lexecinfo -lpthread -lreadline
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
# Creating Auth-Type = eap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "root"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.6.25
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.0.1 (123231) to global clients list
rlm_sql (192.168.0.1): Client "123231" (sql) added
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 33450
Listening on proxy address :: port 27993
Ready to process requests
Thank you!
Best Regards
Fabricio
---
Este email foi escaneado pelo Avast antivírus.
http://www.avast.com
2
1
Hello, here is the second attempt (I simulated the conection error), when user tries to connect but there is a radacct entry with no acctstoptime. Now I´m using version 2.1.12:
rad_recv: Access-Request packet from host 192.168.0.1 port 53431, id=12, length=144
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15729407
NAS-Port-Type = Ethernet
User-Name = "test"
Calling-Station-Id = "C0:4A:00:87:C6:D9"
Called-Station-Id = "service1"
NAS-Port-Id = "bridge1"
CHAP-Challenge = 0xbbb25ba0071ac1a6179ec6c9b217200a
CHAP-Password = 0x01d1ce7fdbaa9f50707871fdfc009c6b4a
NAS-Identifier = "Main_Router"
NAS-IP-Address = 192.168.0.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '15' ORDER BY id
[sql] User found in group 15
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '15' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "test" with CHAP password
[chap] Using clear text password "123456" for user test authentication.
[chap] chap user test authenticated succesfully
++[chap] returns ok
++? if (reject && Framed-Protocol == PPP)
? Evaluating (reject ) -> FALSE
? Skipping (Framed-Protocol == PPP)
++? if (reject && Framed-Protocol == PPP) -> FALSE
++? if (invalid && Framed-Protocol == PPP)
? Evaluating (invalid ) -> FALSE
? Skipping (Framed-Protocol == PPP)
++? if (invalid && Framed-Protocol == PPP) -> FALSE
# Executing section session from file /usr/local/etc/raddb/sites-enabled/default
+- entering group session {...}
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 15729406,Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = "819000c2",User-Name = "test"'
[acct_unique] Acct-Unique-Session-ID = "5cc3e8235801dd84".
++[acct_unique] returns ok
Look above, NAS-Port is not ZERO (it got the value from Access-Request) so, 5cc3e8235801dd84 will be the same unique already existing in the database!
I´ll try the last version from GutHub now.
Regards
Fabricio Viana
---
Este email foi escaneado pelo Avast antivírus.
http://www.avast.com
1
0
Hi,
I would like to know whether or not the following configuration *can* work,
and if so, what I need to know to get it to work.
I have gotten peap/mschapv2 to work from the standard users file, so that
is all working.
What I want to do know is pass all the logic to a perl script, however
eveytime I do that I get the following error
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
rlm_perl: PERL USERNAME ryan(a)test.com
rlm_perl: PERL USERNAME test
rlm_perl: Added pair Cleartext-Password = test
rlm_perl: Added pair State = 0x6a981b696a90018e48312d75606ef989
rlm_perl: Added pair MS-CHAP-User-Name = ryan(a)test.com
rlm_perl: Added pair MS-CHAP-Challenge = 0x263fa419e8c59a51b8f7bda3b0dbd476
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair User-Name = ryan(a)test.com
rlm_perl: Added pair EAP-Message =
0x020800541a0208004f3197d01dac5bed333c13a1b2a4139575a600000000000000002509ca1d6892684e813e061da39c12bcc360d638c9bb2504007279616e40636f6e6e656374656473706163652e636f2e7a61
rlm_perl: Added pair MS-CHAP2-Response =
0x087997d01dac5bed333c13a1b2a4139575a600000000000000002509ca1d6892684e813e061da39c12bcc360d638c9bb2504
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Cleartext-Password = test
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[dot1x] = updated
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: ryan(a)test.com
[mschap] Client is using MS-CHAPv2 for ryan(a)test.com, we need NT-Password
*[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.*
*[mschap] FAILED: MS-CHAP2-Response is incorrect*
some more
# Executing group from file /etc/raddb/sites-enabled/8021x
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
So.
How can I fix this?
Here is my inner-tunnel authorize section
authorize {
chap
*dot1x*
mschap
}
and the dot1x module calls a script called dot1x.pl
The script is *so* basic right now, all I want it to do is to update the
Cleartext-password attribute so that the user can authenticate.
Currently it looks like this
sub authorize {
# For debugging purposes only
# &log_request_attributes;
#debugging
&radiusd::radlog(1,"PERL USERNAME " . $RAD_REQUEST{'User-Name'});
&radiusd::radlog(1,"PERL USERNAME " .
$RAD_REQUEST{'Cleartext-Password'});
#trying to update the cleartext-password to the one the user enters.
$RAD_REQUEST{'Cleartext-Password'} = "test";
$RAD_REPLY{'Cleartext-Password'} = 'test';
return RLM_MODULE_UPDATED;
}
any advice would be great
4
7
Hello!
I'm having a strange problem with acct_unique module and simultaneous connections.
In my first attempt is ok. The FreeRadius generates acctuniqueid smoothly:
(1) Received Accounting-Request Id 251 from 192.168.0.1:45287 to 192.168.0.98:1813 length 147(1) Service-Type = Framed-User(1) Framed-Protocol = PPP(1) NAS-Port = 15729401(1) NAS-Port-Type = Ethernet(1) User-Name = "test"(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"(1) Called-Station-Id = "service1"(1) NAS-Port-Id = "bridge1"(1) Acct-Session-Id = "819000bd"(1) Framed-IP-Address = 0.0.0.0(1) Acct-Authentic = RADIUS(1) Event-Timestamp = "Feb 7 2016 19:54:52 BRST"(1) Acct-Status-Type = Start(1) NAS-Identifier = "Main_Router"(1) Acct-Delay-Time = 0(1) NAS-IP-Address = 192.168.0.1(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default(1) preacct {(1) [preprocess] = ok(1) policy acct_unique {(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {(1) EXPAND %{string:Class}(1) -->(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE(1) else {(1) update request {(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}(1) --> 1a64f851542b58ee9e9bddec7c24d202(1) &Acct-Unique-Session-Id := 1a64f851542b58ee9e9bddec7c24d202(1) } # update request = noop(1) EXPAND %{User-Name}(1) --> test(1) EXPAND %{Acct-Session-ID}(1) --> 819000bd(1) EXPAND %{NAS-IPv6-Address}(1) -->(1) EXPAND %{NAS-IP-Address}(1) --> 192.168.0.1(1) EXPAND %{NAS-Identifier}(1) --> Main_Router(1) EXPAND %{NAS-Port-ID}(1) --> bridge1(1) EXPAND %{NAS-Port}(1) --> 15729401(1) }
Then simulated an error: Quit FreeRadius, then I disconnected the client. Then I turned on the server and the client connected again.
But there was an error in radacct : it created a new entry with the same Acct-Session-ID in the database instead of putting the acctstoptime the first connection.
I realized that acctuniqueid was created differently:
(0) Received Access-Request Id 253 from 192.168.0.1:36215 to 192.168.0.98:1812 length 144(0) Service-Type = Framed-User(0) Framed-Protocol = PPP(0) NAS-Port = 15729402(0) NAS-Port-Type = Ethernet(0) User-Name = "test"(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"(0) Called-Station-Id = "service1"(0) NAS-Port-Id = "bridge1"(0) CHAP-Challenge = 0x14fabff364f33d09f97a7992e7658be9(0) CHAP-Password = 0x011ad42c708f1b1279142669b5d1d20f23(0) NAS-Identifier = "Main_Router"(0) NAS-IP-Address = 192.168.0.1(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default(0) authorize {(0) policy filter_username {(0) if (&User-Name) {(0) if (&User-Name) -> TRUE(0) if (&User-Name) {(0) if (&User-Name =~ / /) {(0) if (&User-Name =~ / /) -> FALSE(0) if (&User-Name =~ /@[^@]*@/ ) {(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(0) if (&User-Name =~ /\.\./ ) {(0) if (&User-Name =~ /\.\./ ) -> FALSE(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(0) if (&User-Name =~ /\.$/) {(0) if (&User-Name =~ /\.$/) -> FALSE(0) if (&User-Name =~ /(a)\./) {(0) if (&User-Name =~ /(a)\./) -> FALSE(0) } # if (&User-Name) = notfound(0) } # policy filter_username = notfound(0) [preprocess] = ok(0) chap: &control:Auth-Type := CHAP(0) [chap] = ok(0) [mschap] = noop(0) [digest] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "test", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) eap: No EAP-Message, not doing EAP(0) [eap] = noop(0) files: users: Matched entry DEFAULT at line 181(0) [files] = ok(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'rlm_sql (sql): Reserved connection (1)(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id(0) sql: User found in radcheck table(0) sql: Conditional check items matched, merging assignment check items(0) sql: Cleartext-Password := "123456"(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority(0) sql: User found in the group table(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id(0) sql: Group "1": Conditional check items matched(0) sql: Group "1": Merging assignment check items(0) sql: Simultaneous-Use := 1(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id(0) sql: Group "1": Merging reply itemsrlm_sql (sql): Released connection (1)rlm_sql (sql): Need 4 more connections to reach 10 sparesrlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10(0) [sql] = ok(0) [expiration] = noop(0) [logintime] = noop(0) pap: WARNING: Auth-Type already set. Not setting to PAP(0) [pap] = noop(0) } # authorize = ok(0) Found Auth-Type = CHAP(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default(0) Auth-Type CHAP {(0) chap: Comparing with "known good" Cleartext-Password(0) chap: CHAP user "test" authenticated successfully(0) [chap] = ok(0) } # Auth-Type CHAP = ok(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default(0) session {(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULLrlm_sql (sql): Reserved connection (2)(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL-r: not found(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default(0) preacct {(0) [preprocess] = ok(0) policy acct_unique {(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {(0) EXPAND %{string:Class}(0) -->(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE(0) else {(0) update request {(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}(0) --> 28b1b845bc61bf9ac3794bceaff7f323(0) &Acct-Unique-Session-Id := 28b1b845bc61bf9ac3794bceaff7f323(0) } # update request = noop(0) EXPAND %{User-Name}(0) --> test(0) EXPAND %{Acct-Session-ID}(0) --> 819000bd(0) EXPAND %{NAS-IPv6-Address}(0) -->(0) EXPAND %{NAS-IP-Address}(0) --> 192.168.0.1(0) EXPAND %{NAS-Identifier}(0) -->(0) EXPAND %{NAS-Port-ID}(0) -->(0) EXPAND %{NAS-Port}(0) --> 0(0) }
Note that the NAS-Identifier, NAS-Port-ID and NAS-Port parameters are empty despite the package coming with the information!
This is generating a new entry into radacct because md5 changes...
Could someone please help me?
************the first attempt**************
(0) Received Access-Request Id 250 from 192.168.0.1:59232 to 192.168.0.98:1812 length 144(0) Service-Type = Framed-User(0) Framed-Protocol = PPP(0) NAS-Port = 15729401(0) NAS-Port-Type = Ethernet(0) User-Name = "test"(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"(0) Called-Station-Id = "service1"(0) NAS-Port-Id = "bridge1"(0) CHAP-Challenge = 0xa5063c70996debf802df861c46e79cf4(0) CHAP-Password = 0x019fb70c0c541fc544356832e78f10d47b(0) NAS-Identifier = "Main_Router"(0) NAS-IP-Address = 192.168.0.1(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default(0) authorize {(0) policy filter_username {(0) if (&User-Name) {(0) if (&User-Name) -> TRUE(0) if (&User-Name) {(0) if (&User-Name =~ / /) {(0) if (&User-Name =~ / /) -> FALSE(0) if (&User-Name =~ /@[^@]*@/ ) {(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(0) if (&User-Name =~ /\.\./ ) {(0) if (&User-Name =~ /\.\./ ) -> FALSE(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(0) if (&User-Name =~ /\.$/) {(0) if (&User-Name =~ /\.$/) -> FALSE(0) if (&User-Name =~ /(a)\./) {(0) if (&User-Name =~ /(a)\./) -> FALSE(0) } # if (&User-Name) = notfound(0) } # policy filter_username = notfound(0) [preprocess] = ok(0) chap: &control:Auth-Type := CHAP(0) [chap] = ok(0) [mschap] = noop(0) [digest] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "test", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) eap: No EAP-Message, not doing EAP(0) [eap] = noop(0) files: users: Matched entry DEFAULT at line 181(0) [files] = ok(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'rlm_sql (sql): Reserved connection (1)(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id(0) sql: User found in radcheck table(0) sql: Conditional check items matched, merging assignment check items(0) sql: Cleartext-Password := "123456"(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority(0) sql: User found in the group table(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id(0) sql: Group "1": Conditional check items matched(0) sql: Group "1": Merging assignment check items(0) sql: Simultaneous-Use := 1(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id(0) sql: Group "1": Merging reply itemsrlm_sql (sql): Released connection (1)rlm_sql (sql): Need 4 more connections to reach 10 sparesrlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10(0) [sql] = ok(0) [expiration] = noop(0) [logintime] = noop(0) pap: WARNING: Auth-Type already set. Not setting to PAP(0) [pap] = noop(0) } # authorize = ok(0) Found Auth-Type = CHAP(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default(0) Auth-Type CHAP {(0) chap: Comparing with "known good" Cleartext-Password(0) chap: CHAP user "test" authenticated successfully(0) [chap] = ok(0) } # Auth-Type CHAP = ok(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default(0) session {(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULLrlm_sql (sql): Reserved connection (2)(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULLrlm_sql (sql): Released connection (2)(0) [sql] = ok(0) } # session = ok(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default(0) post-auth {(0) update {(0) No attributes updated(0) } # update = noop(0) sql: EXPAND .query(0) sql: --> .query(0) sql: Using query template 'query'rlm_sql (sql): Reserved connection (3)(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x019fb70c0c541fc544356832e78f10d47b', 'Access-Accept', '2016-02-08 06:16:27')(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x019fb70c0c541fc544356832e78f10d47b', 'Access-Accept', '2016-02-08 06:16:27')(0) sql: SQL query returned: success(0) sql: 1 record(s) updatedrlm_sql (sql): Released connection (3)(0) [sql] = ok(0) [exec] = noop(0) policy remove_reply_message_if_eap {(0) if (&reply:EAP-Message && &reply:Reply-Message) {(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(0) else {(0) [noop] = noop(0) } # else = noop(0) } # policy remove_reply_message_if_eap = noop(0) } # post-auth = ok(0) Sent Access-Accept Id 250 from 192.168.0.98:1812 to 192.168.0.1:59232 length 0(0) Framed-Protocol = PPP(0) Framed-Compression = Van-Jacobson-TCP-IP(0) Finished requestWaking up in 4.9 seconds.(1) Received Accounting-Request Id 251 from 192.168.0.1:45287 to 192.168.0.98:1813 length 147(1) Service-Type = Framed-User(1) Framed-Protocol = PPP(1) NAS-Port = 15729401(1) NAS-Port-Type = Ethernet(1) User-Name = "test"(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"(1) Called-Station-Id = "service1"(1) NAS-Port-Id = "bridge1"(1) Acct-Session-Id = "819000bd"(1) Framed-IP-Address = 0.0.0.0(1) Acct-Authentic = RADIUS(1) Event-Timestamp = "Feb 7 2016 19:54:52 BRST"(1) Acct-Status-Type = Start(1) NAS-Identifier = "Main_Router"(1) Acct-Delay-Time = 0(1) NAS-IP-Address = 192.168.0.1(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default(1) preacct {(1) [preprocess] = ok(1) policy acct_unique {(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {(1) EXPAND %{string:Class}(1) -->(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE(1) else {(1) update request {(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}(1) --> 1a64f851542b58ee9e9bddec7c24d202(1) &Acct-Unique-Session-Id := 1a64f851542b58ee9e9bddec7c24d202(1) } # update request = noop(1) EXPAND %{User-Name}(1) --> test(1) EXPAND %{Acct-Session-ID}(1) --> 819000bd(1) EXPAND %{NAS-IPv6-Address}(1) -->(1) EXPAND %{NAS-IP-Address}(1) --> 192.168.0.1(1) EXPAND %{NAS-Identifier}(1) --> Main_Router(1) EXPAND %{NAS-Port-ID}(1) --> bridge1(1) EXPAND %{NAS-Port}(1) --> 15729401(1) } # else = noop(1) } # policy acct_unique = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) [files] = noop(1) } # preacct = ok(1) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default(1) accounting {(1) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d(1) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208(1) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208(1) detail: EXPAND %t(1) detail: --> Mon Feb 8 06:16:27 2016(1) [detail] = ok(1) [unix] = ok(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}(1) sql: --> type.start.query(1) sql: Using query template 'query'rlm_sql (sql): Reserved connection (4)(1) sql: EXPAND %{User-Name}(1) sql: --> test(1) sql: SQL-User-Name set to 'test'(1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')(1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '1a64f851542b58ee9e9bddec7c24d202', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882092), FROM_UNIXTIME(1454882092), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')(1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '1a64f851542b58ee9e9bddec7c24d202', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882092), FROM_UNIXTIME(1454882092), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')(1) sql: SQL query returned: success(1) sql: 1 record(s) updatedrlm_sql (sql): Released connection (4)(1) [sql] = ok(1) [exec] = noop(1) attr_filter.accounting_response: EXPAND %{User-Name}(1) attr_filter.accounting_response: --> test(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12(1) [attr_filter.accounting_response] = updated(1) } # accounting = updated(1) Sent Accounting-Response Id 251 from 192.168.0.98:1813 to 192.168.0.1:45287 length 0(1) Finished request(1) Cleaning up request packet ID 251 with timestamp +5Waking up in 4.9 seconds.(0) Cleaning up request packet ID 250 with timestamp +5Ready to process requests
************the second attempt**************
(0) Received Access-Request Id 253 from 192.168.0.1:36215 to 192.168.0.98:1812 length 144(0) Service-Type = Framed-User(0) Framed-Protocol = PPP(0) NAS-Port = 15729402(0) NAS-Port-Type = Ethernet(0) User-Name = "test"(0) Calling-Station-Id = "C0:4A:00:87:C6:D9"(0) Called-Station-Id = "service1"(0) NAS-Port-Id = "bridge1"(0) CHAP-Challenge = 0x14fabff364f33d09f97a7992e7658be9(0) CHAP-Password = 0x011ad42c708f1b1279142669b5d1d20f23(0) NAS-Identifier = "Main_Router"(0) NAS-IP-Address = 192.168.0.1(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default(0) authorize {(0) policy filter_username {(0) if (&User-Name) {(0) if (&User-Name) -> TRUE(0) if (&User-Name) {(0) if (&User-Name =~ / /) {(0) if (&User-Name =~ / /) -> FALSE(0) if (&User-Name =~ /@[^@]*@/ ) {(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(0) if (&User-Name =~ /\.\./ ) {(0) if (&User-Name =~ /\.\./ ) -> FALSE(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(0) if (&User-Name =~ /\.$/) {(0) if (&User-Name =~ /\.$/) -> FALSE(0) if (&User-Name =~ /(a)\./) {(0) if (&User-Name =~ /(a)\./) -> FALSE(0) } # if (&User-Name) = notfound(0) } # policy filter_username = notfound(0) [preprocess] = ok(0) chap: &control:Auth-Type := CHAP(0) [chap] = ok(0) [mschap] = noop(0) [digest] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "test", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) eap: No EAP-Message, not doing EAP(0) [eap] = noop(0) files: users: Matched entry DEFAULT at line 181(0) [files] = ok(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'rlm_sql (sql): Reserved connection (1)(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id(0) sql: User found in radcheck table(0) sql: Conditional check items matched, merging assignment check items(0) sql: Cleartext-Password := "123456"(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority(0) sql: User found in the group table(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '1' ORDER BY id(0) sql: Group "1": Conditional check items matched(0) sql: Group "1": Merging assignment check items(0) sql: Simultaneous-Use := 1(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '1' ORDER BY id(0) sql: Group "1": Merging reply itemsrlm_sql (sql): Released connection (1)rlm_sql (sql): Need 4 more connections to reach 10 sparesrlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10(0) [sql] = ok(0) [expiration] = noop(0) [logintime] = noop(0) pap: WARNING: Auth-Type already set. Not setting to PAP(0) [pap] = noop(0) } # authorize = ok(0) Found Auth-Type = CHAP(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default(0) Auth-Type CHAP {(0) chap: Comparing with "known good" Cleartext-Password(0) chap: CHAP user "test" authenticated successfully(0) [chap] = ok(0) } # Auth-Type CHAP = ok(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default(0) session {(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULLrlm_sql (sql): Reserved connection (2)(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL-r: not found(0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default(0) preacct {(0) [preprocess] = ok(0) policy acct_unique {(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {(0) EXPAND %{string:Class}(0) -->(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE(0) else {(0) update request {(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}(0) --> 28b1b845bc61bf9ac3794bceaff7f323(0) &Acct-Unique-Session-Id := 28b1b845bc61bf9ac3794bceaff7f323(0) } # update request = noop(0) EXPAND %{User-Name}(0) --> test(0) EXPAND %{Acct-Session-ID}(0) --> 819000bd(0) EXPAND %{NAS-IPv6-Address}(0) -->(0) EXPAND %{NAS-IP-Address}(0) --> 192.168.0.1(0) EXPAND %{NAS-Identifier}(0) -->(0) EXPAND %{NAS-Port-ID}(0) -->(0) EXPAND %{NAS-Port}(0) --> 0(0) } # else = noop(0) } # policy acct_unique = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "test", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) [files] = noop(0) } # preacct = ok(0) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default(0) accounting {(0) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d(0) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208(0) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208(0) detail: EXPAND %t(0) detail: --> Mon Feb 8 06:17:14 2016(0) [detail] = ok(0) [unix] = ok(0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}(0) sql: --> type.stop.query(0) sql: Using query template 'query'rlm_sql (sql): Reserved connection (3)(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'(0) sql: EXPAND UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'(0) sql: --> UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1454919434), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = '28b1b845bc61bf9ac3794bceaff7f323'(0) sql: Executing query: UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1454919434), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = '28b1b845bc61bf9ac3794bceaff7f323'rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0(0) sql: SQL query returned: success(0) sql: 0 record(s) updated(0) sql: Trying next query...(0) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')(0) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '28b1b845bc61bf9ac3794bceaff7f323', 'test', '', '192.168.0.1', '0', '', FROM_UNIXTIME(1454919434 - 0), FROM_UNIXTIME(1454919434), FROM_UNIXTIME(1454919434), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '')(0) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000bd', '28b1b845bc61bf9ac3794bceaff7f323', 'test', '', '192.168.0.1', '0', '', FROM_UNIXTIME(1454919434 - 0), FROM_UNIXTIME(1454919434), FROM_UNIXTIME(1454919434), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '')(0) sql: SQL query returned: success(0) sql: 1 record(s) updatedrlm_sql (sql): Released connection (3)(0) [sql] = ok(0) [exec] = noop(0) attr_filter.accounting_response: EXPAND %{User-Name}(0) attr_filter.accounting_response: --> test(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12(0) [attr_filter.accounting_response] = updated(0) } # accounting = updatedrlm_sql (sql): Released connection (2)(0) [sql] = ok(0) } # session = ok(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default(0) post-auth {(0) update {(0) No attributes updated(0) } # update = noop(0) sql: EXPAND .query(0) sql: --> .query(0) sql: Using query template 'query'rlm_sql (sql): Reserved connection (4)(0) sql: EXPAND %{User-Name}(0) sql: --> test(0) sql: SQL-User-Name set to 'test'(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x011ad42c708f1b1279142669b5d1d20f23', 'Access-Accept', '2016-02-08 06:17:14')(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '0x011ad42c708f1b1279142669b5d1d20f23', 'Access-Accept', '2016-02-08 06:17:14')(0) sql: SQL query returned: success(0) sql: 1 record(s) updatedrlm_sql (sql): Released connection (4)(0) [sql] = ok(0) [exec] = noop(0) policy remove_reply_message_if_eap {(0) if (&reply:EAP-Message && &reply:Reply-Message) {(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(0) else {(0) [noop] = noop(0) } # else = noop(0) } # policy remove_reply_message_if_eap = noop(0) } # post-auth = ok(0) Sent Access-Accept Id 253 from 192.168.0.98:1812 to 192.168.0.1:36215 length 0(0) Framed-Protocol = PPP(0) Framed-Compression = Van-Jacobson-TCP-IP(0) Finished requestWaking up in 4.9 seconds.(1) Received Accounting-Request Id 254 from 192.168.0.1:58808 to 192.168.0.98:1813 length 147(1) Service-Type = Framed-User(1) Framed-Protocol = PPP(1) NAS-Port = 15729402(1) NAS-Port-Type = Ethernet(1) User-Name = "test"(1) Calling-Station-Id = "C0:4A:00:87:C6:D9"(1) Called-Station-Id = "service1"(1) NAS-Port-Id = "bridge1"(1) Acct-Session-Id = "819000be"(1) Framed-IP-Address = 0.0.0.0(1) Acct-Authentic = RADIUS(1) Event-Timestamp = "Feb 7 2016 19:55:39 BRST"(1) Acct-Status-Type = Start(1) NAS-Identifier = "Main_Router"(1) Acct-Delay-Time = 0(1) NAS-IP-Address = 192.168.0.1(1) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default(1) preacct {(1) [preprocess] = ok(1) policy acct_unique {(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {(1) EXPAND %{string:Class}(1) -->(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE(1) else {(1) update request {(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}(1) --> ece4bc8c0478e3bc6030a3666e0a14d7(1) &Acct-Unique-Session-Id := ece4bc8c0478e3bc6030a3666e0a14d7(1) } # update request = noop(1) EXPAND %{User-Name}(1) --> test(1) EXPAND %{Acct-Session-ID}(1) --> 819000be(1) EXPAND %{NAS-IPv6-Address}(1) -->(1) EXPAND %{NAS-IP-Address}(1) --> 192.168.0.1(1) EXPAND %{NAS-Identifier}(1) --> Main_Router(1) EXPAND %{NAS-Port-ID}(1) --> bridge1(1) EXPAND %{NAS-Port}(1) --> 15729402(1) } # else = noop(1) } # policy acct_unique = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) [files] = noop(1) } # preacct = ok(1) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default(1) accounting {(1) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d(1) detail: --> /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208(1) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20160208(1) detail: EXPAND %t(1) detail: --> Mon Feb 8 06:17:14 2016(1) [detail] = ok(1) [unix] = ok(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}(1) sql: --> type.start.query(1) sql: Using query template 'query'rlm_sql (sql): Reserved connection (0)(1) sql: EXPAND %{User-Name}(1) sql: --> test(1) sql: SQL-User-Name set to 'test'(1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')(1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000be', 'ece4bc8c0478e3bc6030a3666e0a14d7', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882139), FROM_UNIXTIME(1454882139), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')(1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('819000be', 'ece4bc8c0478e3bc6030a3666e0a14d7', 'test', '', '192.168.0.1', 'bridge1', 'Ethernet', FROM_UNIXTIME(1454882139), FROM_UNIXTIME(1454882139), NULL, '0', 'RADIUS', '', '', '0', '0', 'service1', 'C0:4A:00:87:C6:D9', '', 'Framed-User', 'PPP', '0.0.0.0')(1) sql: SQL query returned: success(1) sql: 1 record(s) updatedrlm_sql (sql): Released connection (0)(1) [sql] = ok(1) [exec] = noop(1) attr_filter.accounting_response: EXPAND %{User-Name}(1) attr_filter.accounting_response: --> test(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12(1) [attr_filter.accounting_response] = updated(1) } # accounting = updated(1) Sent Accounting-Response Id 254 from 192.168.0.98:1813 to 192.168.0.1:58808 length 0(1) Finished request(1) Cleaning up request packet ID 254 with timestamp +7Waking up in 4.9 seconds.(0) Cleaning up request packet ID 253 with timestamp +7Ready to process requests
************my confs**************
root@radius:/usr/local/etc/raddb/mods-available # radiusd -XServer was built with: accounting : yes authentication : yes ascend-binary-attributes : yes coa : yes control-socket : yes detail : yes dhcp : yes dynamic-clients : yes osfc2 : no proxy : yes regex-pcre : no regex-posix : yes regex-posix-extended : yes session-management : yes stats : yes tcp : yes threads : yes tls : yes unlang : yes vmps : yes developer : noServer core libs: freeradius-server : 3.0.11 talloc : 2.0.* ssl : 1.0.1p releaseEndianness: littleCompilation flags: cppflags : -isystem /usr/local/include/ cflags : -I/root/freeradius/freeradius-server-3.0.11 -I/root/freeradius/freeradius-server-3.0.11/src -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/build.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/features.h -include /root/freeradius/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -g -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1 ldflags : -L/usr/local/lib -Wl,-rpath,/usr/local/lib libs : -lcrypto -lssl -ltalloc -lexecinfo -lpthread -lreadline
Copyright (C) 1999-2016 The FreeRADIUS server project and contributorsThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSEYou may redistribute copies of FreeRADIUS under the terms of theGNU General Public LicenseFor more information about these matters, see the file named COPYRIGHTStarting - reading configuration files ...including dictionary file /usr/local/share/freeradius/dictionaryincluding dictionary file /usr/local/share/freeradius/dictionary.dhcpincluding dictionary file /usr/local/share/freeradius/dictionary.vqpincluding dictionary file /usr/local/etc/raddb/dictionaryincluding configuration file /usr/local/etc/raddb/radiusd.confincluding configuration file /usr/local/etc/raddb/proxy.confincluding configuration file /usr/local/etc/raddb/clients.confincluding files in directory /usr/local/etc/raddb/mods-enabled/including configuration file /usr/local/etc/raddb/mods-enabled/alwaysincluding configuration file /usr/local/etc/raddb/mods-enabled/attr_filterincluding configuration file /usr/local/etc/raddb/mods-enabled/cache_eapincluding configuration file /usr/local/etc/raddb/mods-enabled/chapincluding configuration file /usr/local/etc/raddb/mods-enabled/detailincluding configuration file /usr/local/etc/raddb/mods-enabled/detail.logincluding configuration file /usr/local/etc/raddb/mods-enabled/digestincluding configuration file /usr/local/etc/raddb/mods-enabled/dhcpincluding configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clientsincluding configuration file /usr/local/etc/raddb/mods-enabled/eapincluding configuration file /usr/local/etc/raddb/mods-enabled/echoincluding configuration file /usr/local/etc/raddb/mods-enabled/execincluding configuration file /usr/local/etc/raddb/mods-enabled/expirationincluding configuration file /usr/local/etc/raddb/mods-enabled/exprincluding configuration file /usr/local/etc/raddb/mods-enabled/filesincluding configuration file /usr/local/etc/raddb/mods-enabled/linelogincluding configuration file /usr/local/etc/raddb/mods-enabled/logintimeincluding configuration file /usr/local/etc/raddb/mods-enabled/mschapincluding configuration file /usr/local/etc/raddb/mods-enabled/ntlm_authincluding configuration file /usr/local/etc/raddb/mods-enabled/papincluding configuration file /usr/local/etc/raddb/mods-enabled/passwdincluding configuration file /usr/local/etc/raddb/mods-enabled/preprocessincluding configuration file /usr/local/etc/raddb/mods-enabled/radutmpincluding configuration file /usr/local/etc/raddb/mods-enabled/realmincluding configuration file /usr/local/etc/raddb/mods-enabled/replicateincluding configuration file /usr/local/etc/raddb/mods-enabled/sohincluding configuration file /usr/local/etc/raddb/mods-enabled/sradutmpincluding configuration file /usr/local/etc/raddb/mods-enabled/unixincluding configuration file /usr/local/etc/raddb/mods-enabled/unpackincluding configuration file /usr/local/etc/raddb/mods-enabled/utf8including configuration file /usr/local/etc/raddb/mods-enabled/sqlincluding configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.confincluding files in directory /usr/local/etc/raddb/policy.d/including configuration file /usr/local/etc/raddb/policy.d/abfab-trincluding configuration file /usr/local/etc/raddb/policy.d/accountingincluding configuration file /usr/local/etc/raddb/policy.d/canonicalizationincluding configuration file /usr/local/etc/raddb/policy.d/controlincluding configuration file /usr/local/etc/raddb/policy.d/cuiincluding configuration file /usr/local/etc/raddb/policy.d/debugincluding configuration file /usr/local/etc/raddb/policy.d/dhcpincluding configuration file /usr/local/etc/raddb/policy.d/eapincluding configuration file /usr/local/etc/raddb/policy.d/filterincluding configuration file /usr/local/etc/raddb/policy.d/operator-nameincluding files in directory /usr/local/etc/raddb/sites-enabled/including configuration file /usr/local/etc/raddb/sites-enabled/defaultincluding configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnelmain { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd"}main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" }}radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { }radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }Debugger not attached # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest # Creating Auth-Type = eapradiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dhcp # Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/usr/local/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/usr/local/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/usr/local/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" }Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "root" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } }rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linkedCreating attribute SQL-Group instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filterreading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filterreading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filterreading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filterreading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filterreading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eaprlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.logrlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" ca_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/usr/local/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no }tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no }tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/filesreading pairlist file /usr/local/etc/raddb/mods-config/files/authorizereading pairlist file /usr/local/etc/raddb/mods-config/files/accountingreading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschaprlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwdrlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocessreading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroupsreading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sqlrlm_sql_mysql: libmysql version: 5.6.25 mysql { tls { } warnings = "auto" }rlm_sql (sql): Attempting to connect to database "radius"rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no }rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10rlm_sql (sql): Processing generate_sql_clientsrlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nasrlm_sql (sql): Reserved connection (0)rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nasrlm_sql (sql): Adding client 192.168.0.1 (123231) to global clients listrlm_sql (192.168.0.1): Client "123231" (sql) addedrlm_sql (sql): Released connection (0)rlm_sql (sql): Need 5 more connections to reach 10 sparesrlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots usedrlm_sql_mysql: Starting connect to MySQL serverrlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10 } # modulesradiusd: #### Loading Virtual Servers ####server { # from file /usr/local/etc/raddb/radiusd.conf} # serverserver default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...}Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...}} # server defaultserver inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...}} # server inner-tunnelradiusd: #### Opening IP addresses and Ports ####listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipaddr = 127.0.0.1 port = 18120}Listening on auth address * port 1812 bound to server defaultListening on acct address * port 1813 bound to server defaultListening on auth address :: port 1812 bound to server defaultListening on acct address :: port 1813 bound to server defaultListening on auth address 127.0.0.1 port 18120 bound to server inner-tunnelListening on proxy address * port 33450Listening on proxy address :: port 27993Ready to process requests
Thank you!
Best RegardsFabricio
2
1
Hello,
I have been trying to freeRADIUS Version 3.0.4 worling with EAP-TLS for a
while now. I was able to get PAP working using the guide
athttp://deployingradius.com/documents/configuration/pap.html.
However,
getting EAP-TLS to work has been a pain.
In my case I used the freeradius as installed by yum from the repos. Before
doing the guide at the link posted below I built the certs in
/etc/raddb/certs using make. No changes have been made to the .cnf files in
the certs directory since this was a test. The eapol_test config is also
posted below.
I then moved to the trying to EAP-TLS working using the guide
athttp://deployingradius.com/documents/configuration/eap.html. I
followed
this to the letter for the server. However, as will be shown in the
eapol_test config, my test had been ran from the radius host itself.
I have used radius as installed on pfsense in the past. However, I now wish
to have a standalone host to take care of this. I have spent 3 days trying
to get this to work. I am at a complete loss as what is wrong or how to
even find out at this point. I have already ran radius with radius -XX and
am not seeing that I know how to change. I would greatly appreciate some
help on this. The settings I have used are EXACTLY what i slisted in the
links.
eapol_test configuration :
network={
ssid="TEST-SSID"
eap=TLS
eapol_flags=0
key_mgmt=WPA-EAP
identity="user(a)example.com"
ca_cert="/etc/raddb/certs/ca_.pem"
client_cert="/etc/raddb/certs/user.pem"
private_key="/etc/raddb/certs/client.key"
private_key_passwd="whatever"
eapol_flags=3
}
SERVER DEBUG :
radiusd -X
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built
on Mar 5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client phobos {
ipaddr = 192.168.1.112
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_exec
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for
entry test ...
[/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for
entry test ...
[/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 39462
Ready to process requests
Received Access-Request Id 0 from 127.0.0.1:49705 to 127.0.0.1:1812 length
140
User-Name = 'user(a)example.com'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e
(0) Received Access-Request packet from host 127.0.0.1 port 49705, id=0,
length=140
(0) User-Name = 'user(a)example.com'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x020000150175736572406578616d706c652e636f6d
(0) Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\\./)
(0) if (&User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "example.com" for User-Name = "user(a)example.com"
(0) suffix : Found realm "example.com"
(0) suffix : Adding Stripped-User-Name = "user"
(0) suffix : Adding Realm = "example.com"
(0) suffix : Proxying request from user user to realm example.com
(0) suffix : Preparing to proxy authentication request to realm "example.com"
(0) [suffix] = updated
(0) eap : Request is supposed to be proxied to Realm example.com. Not
doing EAP.
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 51413
(0) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(0) Sending Access-Request packet to host 127.0.0.1 port 1812, id=88,
length=0
(0) User-Name = 'user'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x020000150175736572406578616d706c652e636f6d
(0) Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e
(0) Event-Timestamp = 'Feb 6 2016 19:29:04 CST'
(0) Stripped-User-Name = 'user'
(0) Realm = 'example.com'
(0) EAP-Type = Identity
(0) Proxy-State = 0x30
Sending Access-Request Id 88 from 0.0.0.0:51413 to 127.0.0.1:1812
User-Name = 'user'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e
Event-Timestamp = 'Feb 6 2016 19:29:04 CST'
Proxy-State = 0x30
Waking up in 0.3 seconds.
Received Access-Request Id 88 from 127.0.0.1:51413 to 127.0.0.1:1812 length
137
User-Name = 'user'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0xfb8d5412dd22bd658ba818ba16db12cc
Event-Timestamp = 'Feb 6 2016 19:29:04 CST'
Proxy-State = 0x30
(1) Received Access-Request packet from host 127.0.0.1 port 51413, id=88,
length=137
(1) User-Name = 'user'
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = '02-00-00-00-00-01'
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = 'CONNECT 11Mbps 802.11b'
(1) EAP-Message = 0x020000150175736572406578616d706c652e636f6d
(1) Message-Authenticator = 0xfb8d5412dd22bd658ba818ba16db12cc
(1) Event-Timestamp = 'Feb 6 2016 19:29:04 CST'
(1) Proxy-State = 0x30
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./)
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "user", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : Peer sent code Response (2) ID 0 length 21
(1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Identity does not match User-Name, setting from EAP Identity
(1) eap : Failed in handler
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject : EXPAND %{User-Name}
(1) attr_filter.access_reject : --> user
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap : Identity does not match User-Name, setting from EAP Identity
(1) eap : Failed to get handler, probably already removed, not inserting
EAP-Failure
(1) [eap] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message)
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Expecting proxy response no later than 19.499783 seconds from now
Waking up in 0.4 seconds.
(1) Sending delayed response
(1) Sending Access-Reject packet to host 127.0.0.1 port 51413, id=88,
length=0
(1) Proxy-State = 0x30
Sending Access-Reject Id 88 from 127.0.0.1:1812 to 127.0.0.1:51413
Proxy-State = 0x30
Waking up in 3.9 seconds.
Received Access-Reject Id 88 from 127.0.0.1:1812 to 127.0.0.1:51413 length
23
Proxy-State = 0x30
(0) Received Access-Reject packet from host 127.0.0.1 port 1812, id=88,
length=23
(0) Proxy-State = 0x30
(0) # Executing section post-proxy from file
/etc/raddb/sites-enabled/default
(0) post-proxy {
(0) eap : No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> user(a)example.com
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request was previously rejected, inserting EAP-Failure
(0) [eap] = updated
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 49705, id=0,
length=0
(0) EAP-Message = 0x04000004
(0) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 0 from 127.0.0.1:1812 to 127.0.0.1:49705
EAP-Message = 0x04000004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.9 seconds.
(1) Cleaning up request packet ID 88 with timestamp +8
Waking up in 0.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +8
Ready to process requests
EAPOL_TEST OUTPUT :
eapol_test -c /root/eapol_tls_test.tls -A127.0.0.1 -a127.0.0.1 -p1812
-stesting123 -r1
Reading configuration file '/root/eapol_tls_test.tls'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=9):
54 45 53 54 2d 53 53 49 44 TEST-SSID
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00
00
eapol_flags=0 (0x0)
key_mgmt: 0x1
identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d user(a)example.com
ca_cert - hexdump_ascii(len=24):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 63 61 5f 2e 70 65 6d /ca_.pem
client_cert - hexdump_ascii(len=25):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 75 73 65 72 2e 70 65 6d /user.pem
private_key - hexdump_ascii(len=27):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 63 6c 69 65 6e 74 2e 6b 65 79 /client.key
private_key_passwd - hexdump_ascii(len=8):
77 68 61 74 65 76 65 72 whatever
eapol_flags=3 (0x3)
Priority group 0
id=0 ssid='TEST-SSID'
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:49705
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d user(a)example.com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=21)
TX EAP -> RADIUS - hexdump(len=21): 02 00 00 15 01 75 73 65 72 40 65 78 61
6d 70 6c 65 2e 63 6f 6d
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72
40 65 78 61 6d 70 6c 65 2e 63 6f 6d
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=140
Attribute 1 (User-Name) length=18
Value: 'user(a)example.com'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=23
Value: 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d
Attribute 80 (Message-Authenticator) length=18
Value: 76 b2 6f 35 5b 7b 52 e2 6e 30 51 4e fc c6 7e 2e
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=0 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 00 00 04
Attribute 80 (Message-Authenticator) length=18
Value: 90 9d b7 6e 9e 92 4f c4 85 ba de 03 31 30 3f 49
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 2.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=0 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAPOL: EAP key not available
MPPE keys OK: 0 mismatch: 2
FAILURE
Ollie Teasley
Linux Administrator
ISMELL.SHOES, LLC
3
7