Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2016
- 79 participants
- 108 discussions
radacct MySQL table only gets filled with the last session values for a given user ( no history logging )
by oatech 16 Apr '16
by oatech 16 Apr '16
16 Apr '16
Client : Windows 10
NAS : Cisco SB WAP121
RADIUS Server : Debian 8 / FreeRADIUS Version 2.2.5, for host
x86_64-pc-linux-gnu,
Authentication : PEAP/MSCHAPv2
While the /varl/log/freeradius/radacct/192.168.1.2/detail-20160324 files
gets filled with correct data values for each user session :
sudo cat /var/log/freeradius/radacct/192.168.1.2/detail-20160324 | grep
Acct-Input-Octets
Acct-Input-Octets = 43976
Acct-Input-Octets = 845
Acct-Input-Octets = 394240
Acct-Input-Octets = 371260
Acct-Input-Octets = 24927
the radacct MySQL table only gets filled with the last session values for a
given user ( 24927 here ). There is no history logging :
mysql> select radacct.username, radacct.nasipaddress, radacct.acctstarttime,
radacct.acctstoptime, radacct.acctinputoctets, radacct.acctoutputoctets
from radacct;
+-----------+---------------+---------------------+---------------------+-----------------+------------------+
| username | nasipaddress | acctstarttime | acctstoptime |
acctinputoctets | acctoutputoctets |
+-----------+---------------+---------------------+---------------------+-----------------+------------------+
| User1 | 192.168.1.2 | 2016-03-24 08:44:46 | 2016-03-24 08:44:23 |
24927 | 20814 |
| User2 | 192.168.1.2 | 2016-03-24 08:40:33 | 2016-03-24 08:42:22 |
0 | 0 |
+-----------+---------------+---------------------+---------------------+-----------------+------------------+
2 rows in set (0.00 sec)
2 rows in set (0.00 sec)
Is this the normal expected behaviour ? I highy doubt it.
I must have done something wrong, but I'm using a very standard
Freeradius/MySQL install.
Any help would be greatly appreciated :-)
---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus
3
2
First - sorry for my English.
OpenWrt Chaos Calmer 15.05.1
freeradius 2.2.8-2
Installed:
freeradius2
freeradius2-common
freeradius2-democerts
freeradius2-mod-chap
freeradius2-mod-eap
freeradius2-mod-eap-mschapv2
freeradius2-mod-eap-peap
freeradius2-mod-eap-tls
freeradius2-mod-eap-ttls
freeradius2-mod-exec
freeradius2-mod-files
freeradius2-mod-mschap
freeradius2-mod-pap
freeradius2-mod-radutmp
freeradius2-mod-realm
freeradius2-utils
Problem:
All working, but I want use MAC-address based authentication.
I append "rewrite.calling_station_id" in "authorize {" section in "/etc/freeradius2/sites/default". That i get:
authorize {
rewrite.calling_station_id
eap {
ok = return
}
files
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
accounting {
exec
}
session {
radutmp
}
But I get error:
Module: Checking authorize {...} for more modules to load
/etc/freeradius2/sites/default[92]: Failed to find "rewrite.calling_station_id" in the "modules" section.
I solve this error.
In /etc/freeradius2/radiusd.conf, I uncomment:
#$INCLUDE policy.conf
After it I get this errors:
Module: Checking authorize {...} for more modules to load
Module: Loading virtual module rewrite.calling_station_id
/etc/freeradius2/policy.conf[250]: Failed to find "updated" in the "modules" section.
/etc/freeradius2/policy.conf[250]: Failed to parse "updated" entry.
/etc/freeradius2/policy.conf[246]: Failed to parse "if" subsection.
/etc/freeradius2/sites/default[69]: Errors parsing authorize section.
And now I dont know what can I do.
--
ilya Gafarov
5
16
Anyone see an issue with disabling TLS renegotiation by default?
As far as I can tell it's not explicitly required by any EAP flavour. Not mentioned in EAP-TLS RFC, which is what most methods base their TLS wrapper on.
Would seem to protect against 3SHAKE.
-Arran
Arran Cudbard-Bell <a.cudbardb(a)freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
2
1
Dear all,
I am working in a proof-of-concept and I need to configure a freeradius
server as a proxy. It should redirect all the queries to another server. I
have installed FreeRADIUS Version 2.1.12 in a Ubuntu 14.04.
First of all, I have created a client in clients.conf file:
client X.X.X.0/24{
secret = my-secret
shortname = private-network-2
}
As the proxy server should redirect all the queries to the home server, in
proxy.conf file I have only configured the realm DEFAULT as follows
realm DEFAULT{
authhost = X.X.X.X:1812
accthost = X.X.X.X:1813
secret = home-server-secret
nostrip
}
I have added nostrip option because the queries should reach the home
server with the realm.
The problem is that the queries reach the home server but without the
realm. Could you help me with this? Does anybodoy know what I am doing
wrong?
Thank you in advance for your help.
Best regards,
2
1
Hi,
I configured a freeradius server for proxying request to other radius
server.
I have a router (openwrt) and the idea is that wifi authenticate using
my radius server and my radius server proxy the request to other radius
server (I can't get much info of this server).
installed on OpenSUSE 13.2
freeradius-server-utils-3.0.11-93.1.x86_64
freeradius-server-libs-3.0.11-93.1.x86_64
freeradius-server-doc-3.0.11-93.1.x86_64
freeradius-server-3.0.11-93.1.x86_64
I have this probblem:
when I execute the command in my radius server:
radtest <USER> <PASSWORD> localhost 0 testing123
works fine proxy the request fine and I have "Received Access-Accept",
but when I try to connect via openwrt wifi, it proxy the request fine
but I got "Received Access-Reject"
I read in the log and I think what makes diffrence is the request that
is sent:
request that works is:
(10) Sent Access-Request Id 192 from 0.0.0.0:52999 to
<destination-radius-IP>:1812 length 92
(10) User-Name = "USER"
(10) User-Password = "PASSWD"
(10) NAS-IP-Address = <my-server-IP>
(10) NAS-Port = 0
(10) Message-Authenticator = 0xb11e070a06c7366aed5ca12968f70a00
(10) Event-Timestamp = "Apr 15 2016 09:50:20 UYT"
(10) Proxy-State = 0x3832
request that fails is:
(11) Sent Access-Request Id 46 from 0.0.0.0:52999 to
<destination-radius-IP>:1812 length 216
(11) User-Name = "USER"
(11) Called-Station-Id = "32-B5-C2-38-41-74:<WIFI-SSID>"
(11) NAS-Port-Type = Wireless-802.11
(11) NAS-Port = 1
(11) Calling-Station-Id = "78-4B-87-78-8C-FB"
(11) Connect-Info = "CONNECT 54Mbps 802.11g"
(11) Acct-Session-Id = "56FBFBAD-000000BD"
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027073
(11) Framed-MTU = 1400
(11) EAP-Message = 0x0291001101343137343233344066696e67
(11) Message-Authenticator = 0x78a31b183ce622957bdb13eaf6b3e984
(11) Event-Timestamp = "Apr 15 2016 10:10:14 UYT"
(11) NAS-IP-Address = <SOME-IP>
(11) Proxy-State = 0x3730
my question is:
How can I modify the request received from router (openwrt) to make it
looks like the working one?
sorry my english.
and thanks.
sds, Nicolás
2
1
We have been running 3.0.4 on CentOS, authenticating against
openldap 2.3.43 on Centos 5. That seemed to work reliably, but we needed
functionality only available in 3.0.11.
I build 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from
github and the 3.0.4 specfile as a template, so that the same
directories and settings were used as for 3.0.4.
We are using ldap on port 389 with start_tls
The client certificate is loaded from a PEM file in /etc/raddb/certs/
The server certificate is loaded from the NSS database
/etc/raddb/certs/cert8.db
Initially after radiusd is started, authentication works properly.
We see in debug output
...
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
...
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database.
rlm_ldap (ldap): Bind successful
..(1) Sent Access-Accept Id 170
after running for a bit, with the same radius client request, we get
TLS: could not shutdown NSS - error -8053:NSS could not shutdown.
Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending
slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
rlm_ldap (ldap): Could not start TLS: Connect error
... (2) Sent Access-Reject Id 217
On the openldap server in debug mode, I get an error
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0
Any ideas ?
The openldap logs are somewhat cryptic
--
Andrew Daviel, TRIUMF, Canada
4
6
Hi everybody
We have been using freeradius to authenticate about 1000 network users for quite some years without any issues. Last week we experienced problems with one of the NAS our network providers use. Please be aware of the fact that we do not have direct influence on the configuration of this machine. While roughly 100 NASs use PAP for authentication against our LDAP-datastore getting an access accept, this NAS uses CHAP, leading radius to reject the request. In consequence the network users frequenting this NAS fall back on a more expensive means of connection, creating additional cost for us.
In parallel to requesting the provider to fix this issue we are investigating now how to make LDAP work with CHAP. We followed FAQ to this link and others in this section
http://wiki.freeradius.org/guide/FAQ#how-do-i_how-do-i-make-chap-work-with-…
but found no real clue. We recreated the scenario in our testing environment and one guess so far is :
vt1radius:/etc/raddb # cat sites-enabled/vt1pppoe_localhost
# WEINM 2015-01-21 : vt1pppoe login realization
server vt1pppoe_login {
# WEINM 2015-01-21 : listen on 1825, auth only no acct
listen {
type = auth
ipaddr = 127.0.0.1
port = 1825
}
authorize {
ldap_vt1pppoe
if ((ok || updated) && (User-Password || CHAP-Password)) {
update {
control:Auth-Type = LDAP
}
}
}
authenticate {
Auth-Type LDAP {
ldap
}
}
}
vt1radius:/etc/raddb # cat mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
server = 10.193.1.144
identity = "cn=admin,dc=lotto-rlp,dc=de"
password = secret
update {
control:Password-With-Header += 'userPassword'
control:Cleartext-Password := 'userPassword'
}
user {
base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
tls {
start_tls = no
}
pool {
# Number of connections to start
start = 1
min = 1
max = ${thread[pool].max_servers}
spare = 10
uses = 300
lifetime = 0
idle_timeout = 60
}
}
resulting to
vt1radius:/etc/raddb/sites-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec 3 2014 at 10:31
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/ldap_dtag
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/ldap_ptlux
including configuration file /etc/raddb/mods-enabled/ldap_arcor
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/ptlux_localhost
including configuration file /etc/raddb/sites-enabled/dtag_localhost
including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost
including configuration file /etc/raddb/sites-enabled/arcor_localhost
including configuration file /etc/raddb/sites-enabled/proxy_decode_realm
main {
security {
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 2
max_requests = 30720
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server dtag_localhost {
ipaddr = 127.0.0.1
port = 1822
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server arcor_localhost {
ipaddr = 127.0.0.1
port = 1823
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server ptlux_localhost {
ipaddr = 127.0.0.1
port = 1824
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server vt1pppoe_localhost {
ipaddr = 127.0.0.1
port = 1825
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool dtag_pool {
type = fail-over
home_server = dtag_localhost
}
realm lotto-rlp {
auth_pool = dtag_pool
}
home_server_pool arcor_pool {
type = fail-over
home_server = arcor_localhost
}
realm lotto-rlp.de {
auth_pool = arcor_pool
}
home_server_pool ptlux_pool {
type = fail-over
home_server = ptlux_localhost
}
realm pt.lotto-rlp.de {
auth_pool = ptlux_pool
}
home_server_pool vt1pppoe_pool {
type = fail-over
home_server = vt1pppoe_localhost
}
realm lotto-rlp.vt1 {
auth_pool = vt1pppoe_pool
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client vt1pppoe1 {
ipaddr = 10.193.1.51
require_message_authenticator = no
secret = <<< secret >>>
shortname = "vt1pppoe1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
# Loaded module rlm_ldap
# Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag
ldap ldap_dtag {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dtag): Opening additional connection (0)
rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389
rlm_ldap (ldap_dtag): Waiting for bind result...
rlm_ldap (ldap_dtag): Bind successful
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_vt1pppoe): Opening additional connection (0)
rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389
rlm_ldap (ldap_vt1pppoe): Waiting for bind result...
rlm_ldap (ldap_vt1pppoe): Bind successful
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux
ldap ldap_ptlux {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_ptlux): Opening additional connection (0)
rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389
rlm_ldap (ldap_ptlux): Waiting for bind result...
rlm_ldap (ldap_ptlux): Bind successful
# Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor
ldap ldap_arcor {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_arcor): Opening additional connection (0)
rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389
rlm_ldap (ldap_arcor): Waiting for bind result...
rlm_ldap (ldap_arcor): Bind successful
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
} # server default
server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost
# Creating Auth-Type = LDAP
# Loading authenticate {...}
# Loading authorize {...}
} # server ptlux_login
server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server dtag_login
server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server vt1pppoe_login
server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server arcor_login
server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm
# Loading authorize {...}
} # server decode_realm
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1824
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1822
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1825
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1823
}
listen {
type = "auth"
ipaddr = *
port = 1812
}
Listening on auth address 127.0.0.1 port 1824 as server ptlux_login
Listening on auth address 127.0.0.1 port 1822 as server dtag_login
Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login
Listening on auth address 127.0.0.1 port 1823 as server arcor_login
Listening on auth address * port 1812 as server decode_realm
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47272
Ready to process requests.
A PAP request to this server gets accepted :
client:
vt1radius:/etc/raddb # echo "User-Name = 88078(a)lotto-rlp.vt1 , USER-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 53 from 0.0.0.0:57005 to 127.0.0.1:1812
User-Name = '88078(a)lotto-rlp.vt1'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
Received Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005 length 20
Packet summary:
Access-Accepts : 1
Access-Rejects : 0
Lost : 0
Passed filter : 1
Failed filter : 0
server:
Received Access-Request Id 53 from 127.0.0.1:57005 to 127.0.0.1:1812 length 65
User-Name = '88078(a)lotto-rlp.vt1'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> 88078(a)lotto-rlp.vt1
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) IPASS : No '/' in User-Name = "88078(a)lotto-rlp.vt1", looking up realm NULL
(0) IPASS : No such realm "NULL"
(0) [IPASS] = noop
(0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078(a)lotto-rlp.vt1"
(0) suffix : Found realm "lotto-rlp.vt1"
(0) suffix : Adding Stripped-User-Name = "88078"
(0) suffix : Adding Realm = "lotto-rlp.vt1"
(0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(0) [suffix] = updated
(0) } # authorize = updated
(0) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 121 from 0.0.0.0:47272 to 127.0.0.1:1825
User-Name = '88078'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
Message-Authenticator := 0x00
Proxy-State = 0x3533
Waking up in 0.3 seconds.
Received Access-Request Id 121 from 127.0.0.1:47272 to 127.0.0.1:1825 length 85
User-Name = '88078'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
Message-Authenticator = 0xa02d25ed4e815243b4aea79c8c70682c
Proxy-State = 0x3533
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_vt1pppoe : --> (uid=88078)
(1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(1) ldap_vt1pppoe : Waiting for search result...
(1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap_vt1pppoe : Processing user attributes
(1) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu''
(1) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(1) [ldap_vt1pppoe] = ok
(1) if ((ok || updated) && (User-Password || CHAP-Password))
(1) if ((ok || updated) && (User-Password || CHAP-Password)) -> TRUE
(1) if ((ok || updated) && (User-Password || CHAP-Password)) {
(1) update {
(1) control:Auth-Type = LDAP
(1) } # update = noop
(1) } # if ((ok || updated) && (User-Password || CHAP-Password)) = noop
(1) } # authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) Auth-Type LDAP {
(1) ldap : Login attempt by "88078"
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : Using user DN from request "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap : Waiting for bind result...
(1) ldap : Bind successful
(1) ldap : Bind as user "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" was successful
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
(1) [ldap] = ok
(1) } # Auth-Type LDAP = ok
(1) Login OK: [88078] (from client localhost port 0)
Sending Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272
Proxy-State = 0x3533
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24
Proxy-State = 0x3533
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [88078(a)lotto-rlp.vt1] (from client localhost port 0)
Sending Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005
(0) Finished request
Waking up in 0.3 seconds.
Waking up in 1.6 seconds.
(1) Cleaning up request packet ID 121 with timestamp +92
(0) Cleaning up request packet ID 53 with timestamp +92
Ready to process requests.
Doing the same with CHAP instead leads to a reject
client:
vt1radius:/etc/raddb # echo "User-Name = 88078(a)lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 12 from 0.0.0.0:57335 to 127.0.0.1:1812
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
Received Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335 length 20
(0) Expected Access-Accept got Access-Reject
Packet summary:
Access-Accepts : 0
Access-Rejects : 1
Lost : 0
Passed filter : 0
Failed filter : 1
server :
Received Access-Request Id 12 from 127.0.0.1:57335 to 127.0.0.1:1812 length 66
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
(2) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> 88078(a)lotto-rlp.vt1
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /(a)\\./)
(2) if (User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) IPASS : No '/' in User-Name = "88078(a)lotto-rlp.vt1", looking up realm NULL
(2) IPASS : No such realm "NULL"
(2) [IPASS] = noop
(2) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078(a)lotto-rlp.vt1"
(2) suffix : Found realm "lotto-rlp.vt1"
(2) suffix : Adding Stripped-User-Name = "88078"
(2) suffix : Adding Realm = "lotto-rlp.vt1"
(2) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(2) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(2) [suffix] = updated
(2) } # authorize = updated
(2) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 95 from 0.0.0.0:47272 to 127.0.0.1:1825
User-Name = '88078'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555
Message-Authenticator := 0x00
Proxy-State = 0x3132
Waking up in 0.3 seconds.
Received Access-Request Id 95 from 127.0.0.1:47272 to 127.0.0.1:1825 length 104
User-Name = '88078'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555
Message-Authenticator = 0x3b9362d72f7dcf5365986f984cda2d43
Proxy-State = 0x3132
(3) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(3) authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(3) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap_vt1pppoe : --> (uid=88078)
(3) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(3) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(3) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(3) ldap_vt1pppoe : Waiting for search result...
(3) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(3) ldap_vt1pppoe : Processing user attributes
(3) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu''
(3) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(3) [ldap_vt1pppoe] = ok
(3) if ((ok || updated) && (User-Password || CHAP-Password))
(3) if ((ok || updated) && (User-Password || CHAP-Password)) -> TRUE
(3) if ((ok || updated) && (User-Password || CHAP-Password)) {
(3) update {
(3) control:Auth-Type = LDAP
(3) } # update = noop
(3) } # if ((ok || updated) && (User-Password || CHAP-Password)) = noop
(3) } # authorize = ok
(3) Found Auth-Type = LDAP
(3) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(3) Auth-Type LDAP {
(3) WARNING: ldap : You have set "Auth-Type := LDAP" somewhere.
(3) WARNING: ldap : *********************************************
(3) WARNING: ldap : * THAT CONFIGURATION IS WRONG. DELETE IT.
(3) WARNING: ldap : * YOU ARE PREVENTING THE SERVER FROM WORKING.
(3) WARNING: ldap : *********************************************
(3) ERROR: ldap : Attribute "User-Password" is required for authentication.
(3) [ldap] = invalid
(3) } # Auth-Type LDAP = invalid
(3) Failed to authenticate the user.
(3) Login incorrect (ldap: Attribute "User-Password" is required for authentication.): [88078] (from client localhost port 0)
(3) Using Post-Auth-Type Reject
(3) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(2) Expecting proxy response no later than 5 seconds from now
Waking up in 0.1 seconds.
(3) Sending delayed response
Sending Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272
Proxy-State = 0x3132
Waking up in 0.9 seconds.
Received Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24
Proxy-State = 0x3132
(2) Login incorrect (Home Server says so): [88078(a)lotto-rlp.vt1] (from client localhost port 0)
(2) Using Post-Auth-Type Reject
(2) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Cleaning up request packet ID 95 with timestamp +227
(2) Sending delayed response
Sending Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335
Waking up in 0.9 seconds.
(2) Cleaning up request packet ID 12 with timestamp +227
Ready to process requests.
Another line of approach is
vt1radius:/etc/raddb/sites-enabled # cat vt1pppoe_localhost | grep "[a-z,A_Z,\}]"
# WEINM 2015-01-21 : vt1pppoe login realization
server vt1pppoe_login {
# WEINM 2015-01-21 : listen on 1825, auth only no acct
listen {
type = auth
ipaddr = 127.0.0.1
port = 1825
}
authorize {
ldap_vt1pppoe
if ((ok || updated) && User-Password) {
update {
control:Auth-Type = LDAP
}
}
if ((ok || updated) && CHAP-Password) {
update {
control:Auth-Type = CHAP
}
}
}
authenticate {
Auth-Type LDAP {
ldap
}
}
}
vt1radius:/etc/raddb/sites-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec 3 2014 at 10:31
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/ldap_dtag
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/ldap_ptlux
including configuration file /etc/raddb/mods-enabled/ldap_arcor
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/ptlux_localhost
including configuration file /etc/raddb/sites-enabled/dtag_localhost
including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost
including configuration file /etc/raddb/sites-enabled/arcor_localhost
including configuration file /etc/raddb/sites-enabled/proxy_decode_realm
main {
security {
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 2
max_requests = 30720
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server dtag_localhost {
ipaddr = 127.0.0.1
port = 1822
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server arcor_localhost {
ipaddr = 127.0.0.1
port = 1823
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server ptlux_localhost {
ipaddr = 127.0.0.1
port = 1824
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server vt1pppoe_localhost {
ipaddr = 127.0.0.1
port = 1825
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool dtag_pool {
type = fail-over
home_server = dtag_localhost
}
realm lotto-rlp {
auth_pool = dtag_pool
}
home_server_pool arcor_pool {
type = fail-over
home_server = arcor_localhost
}
realm lotto-rlp.de {
auth_pool = arcor_pool
}
home_server_pool ptlux_pool {
type = fail-over
home_server = ptlux_localhost
}
realm pt.lotto-rlp.de {
auth_pool = ptlux_pool
}
home_server_pool vt1pppoe_pool {
type = fail-over
home_server = vt1pppoe_localhost
}
realm lotto-rlp.vt1 {
auth_pool = vt1pppoe_pool
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client vt1pppoe1 {
ipaddr = 10.193.1.51
require_message_authenticator = no
secret = <<< secret >>>
shortname = "vt1pppoe1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
# Loaded module rlm_ldap
# Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag
ldap ldap_dtag {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dtag): Opening additional connection (0)
rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389
rlm_ldap (ldap_dtag): Waiting for bind result...
rlm_ldap (ldap_dtag): Bind successful
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_vt1pppoe): Opening additional connection (0)
rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389
rlm_ldap (ldap_vt1pppoe): Waiting for bind result...
rlm_ldap (ldap_vt1pppoe): Bind successful
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux
ldap ldap_ptlux {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_ptlux): Opening additional connection (0)
rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389
rlm_ldap (ldap_ptlux): Waiting for bind result...
rlm_ldap (ldap_ptlux): Bind successful
# Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor
ldap ldap_arcor {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_arcor): Opening additional connection (0)
rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389
rlm_ldap (ldap_arcor): Waiting for bind result...
rlm_ldap (ldap_arcor): Bind successful
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
} # server default
server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost
# Creating Auth-Type = LDAP
# Loading authenticate {...}
# Loading authorize {...}
} # server ptlux_login
server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server dtag_login
server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server vt1pppoe_login
server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server arcor_login
server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm
# Loading authorize {...}
} # server decode_realm
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1824
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1822
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1825
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1823
}
listen {
type = "auth"
ipaddr = *
port = 1812
}
Listening on auth address 127.0.0.1 port 1824 as server ptlux_login
Listening on auth address 127.0.0.1 port 1822 as server dtag_login
Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login
Listening on auth address 127.0.0.1 port 1823 as server arcor_login
Listening on auth address * port 1812 as server decode_realm
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 36069
Ready to process requests.
Reject as seen from client
vt1radius:/etc/raddb # echo "User-Name = 88078(a)lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 57 from 0.0.0.0:38849 to 127.0.0.1:1812
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
Received Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849 length 20
(0) Expected Access-Accept got Access-Reject
Packet summary:
Access-Accepts : 0
Access-Rejects : 1
Lost : 0
Passed filter : 0
Failed filter : 1
server :
Received Access-Request Id 57 from 127.0.0.1:38849 to 127.0.0.1:1812 length 66
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> 88078(a)lotto-rlp.vt1
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) IPASS : No '/' in User-Name = "88078(a)lotto-rlp.vt1", looking up realm NULL
(0) IPASS : No such realm "NULL"
(0) [IPASS] = noop
(0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078(a)lotto-rlp.vt1"
(0) suffix : Found realm "lotto-rlp.vt1"
(0) suffix : Adding Stripped-User-Name = "88078"
(0) suffix : Adding Realm = "lotto-rlp.vt1"
(0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(0) [suffix] = updated
(0) } # authorize = updated
(0) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 214 from 0.0.0.0:36069 to 127.0.0.1:1825
User-Name = '88078'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873
Message-Authenticator := 0x00
Proxy-State = 0x3537
Waking up in 0.3 seconds.
Received Access-Request Id 214 from 127.0.0.1:36069 to 127.0.0.1:1825 length 104
User-Name = '88078'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873
Message-Authenticator = 0x4eb73a374b5f5b8752e00b60f989d407
Proxy-State = 0x3537
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_vt1pppoe : --> (uid=88078)
(1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(1) ldap_vt1pppoe : Waiting for search result...
(1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap_vt1pppoe : Processing user attributes
(1) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu''
(1) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(1) [ldap_vt1pppoe] = ok
(1) if ((ok || updated) && User-Password)
(1) if ((ok || updated) && User-Password) -> FALSE
(1) if ((ok || updated) && CHAP-Password)
(1) if ((ok || updated) && CHAP-Password) -> TRUE
(1) if ((ok || updated) && CHAP-Password) {
(1) update {
(1) control:Auth-Type = CHAP
(1) } # update = noop
(1) } # if ((ok || updated) && CHAP-Password) = noop
(1) } # authorize = ok
(1) Found Auth-Type = CHAP
(1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) Failed to authenticate the user.
(1) Login incorrect: [88078] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
(1) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 5 seconds from now
Waking up in 0.1 seconds.
(1) Sending delayed response
Sending Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069
Proxy-State = 0x3537
Waking up in 0.9 seconds.
Received Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069 length 24
Proxy-State = 0x3537
(0) Login incorrect (Home Server says so): [88078(a)lotto-rlp.vt1] (from client localhost port 0)
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Cleaning up request packet ID 214 with timestamp +58
(0) Sending delayed response
Sending Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849
Waking up in 0.9 seconds.
(0) Cleaning up request packet ID 57 with timestamp +58
Ready to process requests.
Now we are somewhat at a loss. Are we missing something
Best regards
Michael Wein
2
1
Hi experts,
In order to integrate to Active Directory, We have been using samba utils winbindd/net/ntlm_auth to integrate to Active Directory. Is there any other way to do integration? Can you give me some advice?
Thanks,John.
2
1
Hello All,
It appears that the LDAP pool configuration isn't reusing the LDAP
connections as configured. I am running the following version of FreeRADIUS:
>
> FreeRADIUS Version 3.0.12 (git #34f7ba7), built on Apr 6 2016 at 08:07:17
Below is the debug output of the pool initialization:
> rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
Debug Output:
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.<domain>/DC=ForestDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://<domain>/CN=Configuration,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Waiting for bind result...
(7) Bind successful
(7) Performing unfiltered search in "<user-DN>", scope "base"
(7) Waiting for search result...
(7) No group membership attribute(s) found in user object
rlm_ldap (ldap): Deleting connection (2)
(7) User is not a member of "BOE"
(7) Searching for user in group "Admin-Users"
rlm_ldap (ldap): Reserved connection (3)
(7) Using user DN from request "<user-DN>"
(7) Checking for user in group objects
(7) EXPAND
(&(cn=Admin-Users)(objectClass=group)(&(objectClass=group)(member=%{Ldap-UserDn})))
(7) -->
(&(cn=Admin-Users)(objectClass=group)(&(objectClass=group)(member=)))
(7) Performing search in "<domain>" with filter
"(&(cn=Admin-Users)(objectClass=group)(&(objectClass=group)(member=)))",
scope "sub"
(7) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.<domain>/DC=DomainDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.<domain>/DC=ForestDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://<domain>/CN=Configuration,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Waiting for bind result...
(7) Bind successful
(7) Performing unfiltered search in "<user-DN>", scope "base"
(7) Waiting for search result...
(7) No group membership attribute(s) found in user object
rlm_ldap (ldap): Deleting connection (3)
(7) User is not a member of "Admin-Users"
(7) Searching for user in group "Admin-Computers"
rlm_ldap (ldap): Reserved connection (4)
(7) Using user DN from request "<user-DN>"
(7) Checking for user in group objects
(7) EXPAND
(&(cn=Admin-Computers)(objectClass=group)(&(objectClass=group)(member=%{Ldap-UserDn})))
(7) -->
(&(cn=Admin-Computers)(objectClass=group)(&(objectClass=group)(member=)))
(7) Performing search in "<domain>" with filter
"(&(cn=Admin-Computers)(objectClass=group)(&(objectClass=group)(member=)))",
scope "sub"
(7) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.<domain>/DC=DomainDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.<domain>/DC=ForestDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://<domain>/CN=Configuration,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Waiting for bind result...
(7) Bind successful
(7) Performing unfiltered search in "<user-DN>", scope "base"
(7) Waiting for search result...
(7) No group membership attribute(s) found in user object
rlm_ldap (ldap): Deleting connection (4)
--
Jonathan Gryak
Infrastructure Manager
Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211
3
8
I am attempting to cache multiple LDAP groups for use post-authentication
This is an EAP-PEAP connection. Only the last group added to the cache is
available. How can I cache (and access) all of the groups?
I am running FreeRADIUS Version 3.0.12 (git #34f7ba7), built on Apr 6
2016 at 08:07:17. Below is the relevant debug output:
Expanding LDAP groups:
> (7) ldap: Adding cacheable user object memberships
> (7) ldap: &control:LDAP-Cached-Membership += "Group1"
> (7) ldap: &control:LDAP-Cached-Membership += "Group2"
> (7) ldap: &control:LDAP-Cached-Membership += "Group3"
> (7) ldap: &control:LDAP-Cached-Membership += "Group4"
> (7) ldap: &control:LDAP-Cached-Membership += "Group5"
> (7) ldap: &control:LDAP-Cached-Membership += "Group6"
> (7) ldap: &control:LDAP-Cached-Membership += "Group7"
> (7) ldap: &control:LDAP-Cached-Membership += "Group8"
Cache Update:
> (7) [ldap] = ok
> (7) } # if (notfound) = ok
> (7) cache: EXPAND %{User-Name}
> (7) cache: --> jgryak
> (7) cache: No cache entry found for "jgryak"
> (7) cache: Creating new cache entry
> (7) cache: EXPAND Cache last updated at %t
> (7) cache: --> Cache last updated at Thu Apr 14 13:51:49 2016
> (7) cache: &reply:Reply-Message += Cache last updated at Thu Apr 14
> 13:51:49 2016
> (7) cache: EXPAND %{randstr:ssssssssssssssssssssssssssssssss}
> (7) cache: --> DWiDAixrzMh3hzN93m5QB9rWClbz.cMl
> (7) cache: &reply:Class :=
> 0x44576944416978727a4d6833687a4e39336d355142397257436c627a2e634d6c
> (7) cache: control:LDAP-Cached-Membership +=
> &control:LDAP-Cached-Membership -> 'Group8'
> (7) cache: Merging cache entry into request
> (7) cache: &reply:Reply-Message += "Cache last updated at Thu Apr 14
> 13:51:49 2016"
> (7) cache: &reply:Class :=
> 0x44576944416978727a4d6833687a4e39336d355142397257436c627a2e634d6c
> (7) cache: &control:LDAP-Cached-Membership += "Group8"
> (7) cache: Committed entry, TTL 3600 seconds
Post-Auth section:
(8) # Executing section post-auth from file
/opt/fr3/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) policy set_role_or_vlan {
(8) if (NAS-Port-Type == "Wireless-802.11") {
(8) if (NAS-Port-Type == "Wireless-802.11") -> TRUE
(8) if (NAS-Port-Type == "Wireless-802.11") {
(8) foreach &control:LDAP-Cached-Membership
(8) switch %{Foreach-Variable-0} {
(8) EXPAND Foreach-Variable-0
(8) --> Group8
(8) EXPAND %{Foreach-Variable-0}
(8) --> Group8
(8) } # switch %{Foreach-Variable-0} = noop
(8) } # foreach &control:LDAP-Cached-Membership = noop
(8) if ("%{mschap:User-Name}" =~/\$$/) {
Thank you for your help.
--
Jonathan Gryak
Infrastructure Manager
Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211
2
2