Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2017
- 70 participants
- 79 discussions
Hello - I successfully got our Freeradius server to authenticate against our FreeIPA LDAP environment, allowing user access. Currently, all users in here will be granted successful access. However, I'm having trouble trying to identify what to setup to get only a single group in our FreeIPA environment allowed to authenticate while all other groups are denied. In a nutshell, I want to only allow the "network-team" group authenticated access via the Freeradius server, and any/all other groups to be denied. In my wiki and google searches, I've found reference to "group_authorization", but I can't find that module in the policy.d or mods-available folder. Also, I've seen the reference to huntgroups, but only when queried against SQL, which shouldn't be needed in my case. Can anyone point me in the right direction to get this working?
TL;DR = Need info on setting up Freeradius authentication to LDAP only for a specific group, denying all other groups.
Thank you!Jake
3
4
Hello before i ask this question, i already read and try the freeradius +
ldap authentication from https://wiki.freeradius.org/protocol/LDAP and
http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication….
But now i'm kinda stuck with that both documentation, because everytime i
test the user in ldap (using radtest) i get "no DN found". I already check
that the dn has properly set up (i'm using phpldapadmin to create user in
ldap to make it easier). Here is the debug log :
Tue Jun 27 05:54:40 2017 : Debug: (1) Received Access-Request Id 251 from
127.0.0.1:53093 to 127.0.0.1:1812 length 74
Tue Jun 27 05:54:41 2017 : Debug: (1) User-Name = "teke"
Tue Jun 27 05:54:41 2017 : Debug: (1) User-Password = "xxx"
Tue Jun 27 05:54:41 2017 : Debug: (1) NAS-IP-Address = 127.0.1.1
Tue Jun 27 05:54:41 2017 : Debug: (1) NAS-Port = 1812
Tue Jun 27 05:54:41 2017 : Debug: (1) Message-Authenticator =
0xef22ab207657169978bd2b65ef0f42c6
Tue Jun 27 05:54:41 2017 : Debug: (1) session-state: No State attribute
Tue Jun 27 05:54:41 2017 : Debug: (1) # Executing section authorize from
file /etc/freeradius/3.0/sites-enabled/default
Tue Jun 27 05:54:41 2017 : Debug: (1) authorize {
Tue Jun 27 05:54:41 2017 : Debug: (1) policy filter_username {
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name) {
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name) -> TRUE
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name) {
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ )
{
Tue Jun 27 05:54:41 2017 : Debug: No matches
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ )
-> FALSE
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) {
Tue Jun 27 05:54:41 2017 : Debug: No matches
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.\./ )
-> FALSE
Tue Jun 27 05:54:41 2017 : Debug: (1) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) {
Tue Jun 27 05:54:41 2017 : Debug: No matches
Tue Jun 27 05:54:41 2017 : Debug: (1) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.$/) {
Tue Jun 27 05:54:41 2017 : Debug: No matches
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.$/) ->
FALSE
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /(a)\./) {
Tue Jun 27 05:54:41 2017 : Debug: No matches
Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /(a)\./) ->
FALSE
Tue Jun 27 05:54:41 2017 : Debug: (1) } # if (&User-Name) = notfound
Tue Jun 27 05:54:41 2017 : Debug: (1) } # policy filter_username =
notfound
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
preprocess (rlm_preprocess)
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from preprocess (rlm_preprocess)
Tue Jun 27 05:54:41 2017 : Debug: (1) [preprocess] = ok
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
chap (rlm_chap)
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from chap (rlm_chap)
Tue Jun 27 05:54:41 2017 : Debug: (1) [chap] = noop
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
mschap (rlm_mschap)
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from mschap (rlm_mschap)
Tue Jun 27 05:54:41 2017 : Debug: (1) [mschap] = noop
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
digest (rlm_digest)
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from digest (rlm_digest)
Tue Jun 27 05:54:41 2017 : Debug: (1) [digest] = noop
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
suffix (rlm_realm)
Tue Jun 27 05:54:41 2017 : Debug: (1) suffix: Checking for suffix after "@"
Tue Jun 27 05:54:41 2017 : Debug: (1) suffix: No '@' in User-Name = "teke",
looking up realm NULL
Tue Jun 27 05:54:41 2017 : Debug: (1) suffix: No such realm "NULL"
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from suffix (rlm_realm)
Tue Jun 27 05:54:41 2017 : Debug: (1) [suffix] = noop
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling eap
(rlm_eap)
Tue Jun 27 05:54:41 2017 : Debug: (1) eap: No EAP-Message, not doing EAP
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from eap (rlm_eap)
Tue Jun 27 05:54:41 2017 : Debug: (1) [eap] = noop
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
files (rlm_files)
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned
from files (rlm_files)
Tue Jun 27 05:54:41 2017 : Debug: (1) [files] = noop
Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling
ldap (rlm_ldap)
Tue Jun 27 05:54:41 2017 : Info: rlm_ldap (ldap): Closing connection (1):
Hit idle_timeout, was idle for 118721 seconds
Tue Jun 27 05:54:41 2017 : Debug: rlm_ldap: Closing libldap handle
0x558ba43988d0
Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (2):
Hit idle_timeout, was idle for 118721 seconds
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle
0x558ba439cf90
Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (3):
Hit idle_timeout, was idle for 118721 seconds
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle
0x558ba438f2e0
Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (4):
Hit idle_timeout, was idle for 118721 seconds
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): You probably need to
lower "min"
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle
0x558ba4392d70
Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (0):
Hit idle_timeout, was idle for 118711 seconds
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): You probably need to
lower "min"
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle
0x558ba44fefb0
Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (5):
Hit idle_timeout, was idle for 118711 seconds
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): You probably need to
lower "min"
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle
0x558ba439f860
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): 0 of 0 connections in
use. You may need to increase "spare"
Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Opening additional
connection (6), 1 of 32 pending slots used
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): Connecting to
ldap://localhost:389
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): New libldap handle
0x558ba438e620
Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): Waiting for bind
result...
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Bind successful
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Reserved connection (6)
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND TMPL XLAT
Tue Jun 27 05:54:43 2017 : Debug:
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Jun 27 05:54:43 2017 : Debug: Parsed xlat tree:
Tue Jun 27 05:54:43 2017 : Debug: literal --> (uid=
Tue Jun 27 05:54:43 2017 : Debug: if {
Tue Jun 27 05:54:43 2017 : Debug: attribute --> Stripped-User-Name
Tue Jun 27 05:54:43 2017 : Debug: }
Tue Jun 27 05:54:43 2017 : Debug: else {
Tue Jun 27 05:54:43 2017 : Debug: attribute --> User-Name
Tue Jun 27 05:54:43 2017 : Debug: }
Tue Jun 27 05:54:43 2017 : Debug: literal --> )
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: --> (uid=teke)
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND TMPL LITERAL
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Performing search in "" with
filter "(uid=teke)", scope "sub"
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Waiting for search result...
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: The specified DN wasn't found
Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Search returned no results
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Released connection (6)
Tue Jun 27 05:54:43 2017 : Info: rlm_ldap (ldap): Need 2 more connections
to reach 10 spares
Tue Jun 27 05:54:43 2017 : Info: rlm_ldap (ldap): Opening additional
connection (7), 1 of 31 pending slots used
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Connecting to
ldap://localhost:389
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): New libldap handle
0x558ba439b660
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Waiting for bind
result...
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Bind successful
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[authorize]: returned
from ldap (rlm_ldap)
Tue Jun 27 05:54:43 2017 : Debug: (1) [ldap] = notfound
Tue Jun 27 05:54:43 2017 : Debug: (1) } # authorize = notfound
Tue Jun 27 05:54:43 2017 : ERROR: (1) No Auth-Type found: rejecting the
user via Post-Auth-Type = Reject
Tue Jun 27 05:54:43 2017 : Debug: (1) Failed to authenticate the user
Tue Jun 27 05:54:43 2017 : Debug: (1) Using Post-Auth-Type Reject
Tue Jun 27 05:54:43 2017 : Debug: (1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
Tue Jun 27 05:54:43 2017 : Debug: (1) Post-Auth-Type REJECT {
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter)
Tue Jun 27 05:54:43 2017 : Debug: %{User-Name}
Tue Jun 27 05:54:43 2017 : Debug: Parsed xlat tree:
Tue Jun 27 05:54:43 2017 : Debug: attribute --> User-Name
Tue Jun 27 05:54:43 2017 : Debug: (1) attr_filter.access_reject: EXPAND
%{User-Name}
Tue Jun 27 05:54:43 2017 : Debug: (1) attr_filter.access_reject: --> teke
Tue Jun 27 05:54:43 2017 : Debug: (1) attr_filter.access_reject: Matched
entry DEFAULT at line 11
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: returned
from attr_filter.access_reject (rlm_attr_filter)
Tue Jun 27 05:54:43 2017 : Debug: (1) [attr_filter.access_reject] =
updated
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: calling eap
(rlm_eap)
Tue Jun 27 05:54:43 2017 : Debug: (1) eap: Request didn't contain an
EAP-Message, not inserting EAP-Failure
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: returned
from eap (rlm_eap)
Tue Jun 27 05:54:43 2017 : Debug: (1) [eap] = noop
Tue Jun 27 05:54:43 2017 : Debug: (1) policy
remove_reply_message_if_eap {
Tue Jun 27 05:54:43 2017 : Debug: (1) if (&reply:EAP-Message &&
&reply:Reply-Message) {
Tue Jun 27 05:54:43 2017 : Debug: (1) if (&reply:EAP-Message &&
&reply:Reply-Message) -> FALSE
Tue Jun 27 05:54:43 2017 : Debug: (1) else {
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: calling
noop (rlm_always)
Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]:
returned from noop (rlm_always)
Tue Jun 27 05:54:43 2017 : Debug: (1) [noop] = noop
Tue Jun 27 05:54:43 2017 : Debug: (1) } # else = noop
Tue Jun 27 05:54:43 2017 : Debug: (1) } # policy
remove_reply_message_if_eap = noop
Tue Jun 27 05:54:43 2017 : Debug: (1) } # Post-Auth-Type REJECT = updated
Tue Jun 27 05:54:43 2017 : Debug: (1) Delaying response for 1.000000 seconds
Tue Jun 27 05:54:43 2017 : Debug: Waking up in 0.9 seconds.
Tue Jun 27 05:54:44 2017 : Debug: (1) Sending delayed response
Tue Jun 27 05:54:44 2017 : Debug: (1) Sent Access-Reject Id 251 from
127.0.0.1:1812 to 127.0.0.1:53093 length 20
Tue Jun 27 05:54:44 2017 : Debug: Waking up in 3.9 seconds.
Tue Jun 27 05:54:48 2017 : Debug: (1) Cleaning up request packet ID 251
with timestamp +118720
Any kind of help, documentation recommendation would help. thankyou!
2
1
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users
from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and
passwords and after that Freeradius passes it to the AD and everything
works OK.
In the case of the notebooks, the Windows users are logged into our DC
domain, then they type the username or username@domain or domain\username
with the corresponding passwords but in theses cases they can't
authenticate against the AD (there is a reject message in the Freradius
log). In case they are not logged into the domain, and they are local users
in the notebooks, if they type just their usernames (without domain) they
authenticate OK.
So how can I authenticate Windows users against the AD when they are logged
into the domain??? Do I have to define a special directive in a config file
from freeradius, winbind or samba?
Thanks in advance, regards!!!
Alejandro
5
14
from freeradius 2 to freeradius 3 - Problems with unlang script
by hans.bornemann@tu-dortmund.de 26 Jun '17
by hans.bornemann@tu-dortmund.de 26 Jun '17
26 Jun '17
Hi,
we are using a separate password for wlan user, we called it
wlan-nt-password.
in freeradius 2 config we do a little check if the wlan password is set for
the user
and set it as the nt-password for authentication.
This works with no problems.
in freeradius 3 i got:
/usr/local/etc/raddb/sites-enabled/inner-wlan-peap[18]: Failed parsing
expanded string:
/usr/local/etc/raddb/sites-enabled/inner-wlan-peap[18]:
%{check:wlan-NT-Password}
/usr/local/etc/raddb/sites-enabled/inner-wlan-peap[18]: ^ Unknown module
-----------
if ("%{check:wlan-NT-Password}" == "") { # ist im SQL-Server ein
WLAN-Passwort gefunden worden?
# Ab Stichtag Authentifizierung ohne WLAN-Password verbieten.
update config { # nein, User ablehnen
Auth-Type := Reject
}
}
else {
update config { # ja, also
NT-Passwort mit WLAN-Passwort ueberschreiben,
# damit mschapv2
gegen das WLAN-Passwort authentifiziert.
NT-Password := "%{check:wlan-NT-Password}"
}
}
-------------------
regards
Hans
2
1
26 Jun '17
Hello.
Any idea or hint about why Framed-IP-Address into Access-Request seems to
be ignored by FreeRadius? Is it an unsupported feature?
Thank you.
On Tue, Jun 20, 2017 at 12:57 PM, José María López Otero <
jose.maria.lopez.otero(a)gmail.com> wrote:
> Hello Freeradius community,
>
> I'm trying configure FreeRadius (v2.2.6) + sql module for users +
> sqlippool module to provide an IP address which the NAS client has
> suggested. The suggested IP address only should be provided if it matches
> in the pool allocated for this user, in any other case, the server could
> answer other allowed IP from the selected pool. The client is sending the
> "Framed-IP-Address" field in the Access-Request message but FreeRadius
> ignores it.
>
> I'm basing this philosophy in the RFC2865, section 5.8, Framed-IP-Address:
>
> "It MAY be used in Access-Request packet as a hint by the NAS to the
> server that would prefer that address, but the server is not required to
> the hint."
>
> Probably this feature is not supported but I want to be sure before
> develop my own workaround. I wonder if I could get it using unlang code.
>
> A FreeRadius upgrade is not allowed by now but I would be interesting to
> know if this feature could be achieve in other version.
>
> Thank you in advance.
>
>
> PD: The radius -X log trace is as follows:
>
> radiusd -X
> radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built
> on Sep 10 2015 at 07:12:21
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/cache
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/dhcp_sqlippool
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/radrelay
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/sql.conf
> including configuration file /etc/raddb/sql/mysql/dialup.conf
> including configuration file /etc/raddb/sqlippool.conf
> including configuration file /etc/raddb/sql/mysql/ippool.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> main {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 5
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> require_message_authenticator = yes
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> num_pings_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "mysecret"
> nastype = "other"
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file /etc/raddb/modules/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file /etc/raddb/modules/expr
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file
> /etc/raddb/modules/expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file
> /etc/raddb/modules/logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> }
> radiusd: #### Loading Virtual Servers ####
> server { # from file
> modules {
> Module: Creating Post-Auth-Type = REJECT
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file
> /etc/raddb/modules/preprocess
> preprocess {
> huntgroups = "/etc/raddb/huntgroups"
> hints = "/etc/raddb/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/raddb/huntgroups
> reading pairlist file /etc/raddb/hints
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file /etc/raddb/modules/files
> files {
> usersfile = "/etc/raddb/users"
> acctusersfile = "/etc/raddb/acct_users"
> preproxy_usersfile = "/etc/raddb/preproxy_users"
> compat = "no"
> }
> reading pairlist file /etc/raddb/users
> reading pairlist file /etc/raddb/acct_users
> reading pairlist file /etc/raddb/preproxy_users
> Module: Linked to module rlm_sql
> Module: Instantiating module "sql" from file /etc/raddb/sql.conf
> sql {
> driver = "rlm_sql_mysql"
> server = "se3-PGW"
> port = "3306"
> login = "radius"
> password = "mypass"
> radius_db = "MY_DB"
> read_groups = yes
> sqltrace = no
> sqltracefile = "/var/log/radius/sqltrace.sql"
> readclients = no
> deletestalesessions = yes
> num_sql_socks = 32
> lifetime = 0
> max_queries = 0
> sql_user_name = "%{User-Name}"
> default_user_profile = ""
> nas_query = "SELECT id, nasname, shortname, type, secret, server
> FROM nas"
> authorize_check_query = "SELECT id, username, attribute, value, op
> FROM radcheck WHERE username = '%{SQL-User-Name}'
> ORDER BY id"
> authorize_reply_query = "SELECT id, username, attribute, value, op
> FROM radreply WHERE username = '%{SQL-User-Name}'
> ORDER BY id"
> authorize_group_check_query = "SELECT id, groupname, attribute,
> Value, op FROM radgroupcheck WHERE groupname =
> '%{Sql-Group}' ORDER BY id"
> authorize_group_reply_query = "SELECT id, groupname, attribute,
> value, op FROM radgroupreply WHERE groupname =
> '%{Sql-Group}' ORDER BY id"
> accounting_onoff_query = " UPDATE radacct SET
> acctstoptime = '%S', acctsessiontime =
> unix_timestamp('%S') -
> unix_timestamp(acctstarttime), acctterminatecause =
> '%{Acct-Terminate-Cause}', acctstopdelay =
> %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
> AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime
> <= '%S'"
> accounting_update_query = " UPDATE radacct SET
> framedipaddress = '%{Framed-IP-Address}',
> acctsessiontime = '%{%{Acct-Session-Time}:-0}',
> acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
> '%{%{Acct-Input-Octets}:-0}',
> acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
> '%{%{Acct-Output-Octets}:-0}' WHERE
> acctsessionid = '%{Acct-Session-Id}' AND username =
> '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
> accounting_update_query_alt = " INSERT INTO radacct
> (acctsessionid, acctuniqueid, username, realm,
> nasipaddress, nasportid, nasporttype,
> acctstarttime, acctsessiontime, acctauthentic,
> connectinfo_start, acctinputoctets, acctoutputoctets,
> calledstationid, callingstationid, servicetype,
> framedprotocol, framedipaddress, acctstartdelay,
> xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}',
> '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
> '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S',
> INTERVAL (%{%{Acct-Session-Time}:-0} +
> %{%{Acct-Delay-Time}:-0}) SECOND),
> '%{%{Acct-Session-Time}:-0}', '%{Acct-Authentic}', '',
> '%{%{Acct-Input-Gigawords}:-0}' << 32 |
> '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}'
> << 32 | '%{%{Acct-Output-Octets}:-0}',
> '%{Called-Station-Id}', '%{Calling-Station-Id}',
> '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
> accounting_start_query = " INSERT INTO radacct
> (acctsessionid, acctuniqueid, username, realm,
> nasipaddress, nasportid, nasporttype,
> acctstarttime, acctstoptime, acctsessiontime,
> acctauthentic, connectinfo_start, connectinfo_stop,
> acctinputoctets, acctoutputoctets, calledstationid,
> callingstationid, acctterminatecause, servicetype,
> framedprotocol, framedipaddress, acctstartdelay,
> acctstopdelay, xascendsessionsvrkey) VALUES
> ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
> '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
> '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
> '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
> '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
> '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
> accounting_start_query_alt = " UPDATE radacct SET
> acctstarttime = '%S', acctstartdelay =
> '%{%{Acct-Delay-Time}:-0}', connectinfo_start =
> '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}'
> AND username = '%{SQL-User-Name}' AND nasipaddress
> = '%{NAS-IP-Address}'"
> accounting_stop_query = " UPDATE radacct SET
> acctstoptime = '%S', acctsessiontime =
> '%{%{Acct-Session-Time}:-0}', acctinputoctets =
> '%{%{Acct-Input-Gigawords}:-0}' << 32 |
> '%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
> '%{%{Acct-Output-Gigawords}:-0}' << 32 |
> '%{%{Acct-Output-Octets}:-0}', acctterminatecause =
> '%{Acct-Terminate-Cause}', acctstopdelay =
> '%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
> '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}'
> AND username = '%{SQL-User-Name}' AND
> nasipaddress = '%{NAS-IP-Address}'"
> accounting_stop_query_alt = " INSERT INTO radacct
> (acctsessionid, acctuniqueid, username, realm,
> nasipaddress, nasportid, nasporttype, acctstarttime,
> acctstoptime, acctsessiontime, acctauthentic,
> connectinfo_start, connectinfo_stop, acctinputoctets,
> acctoutputoctets, calledstationid, callingstationid,
> acctterminatecause, servicetype, framedprotocol,
> framedipaddress, acctstartdelay, acctstopdelay)
> VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
> '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',
> INTERVAL (%{%{Acct-Session-Time}:-0} +
> %{%{Acct-Delay-Time}:-0}) SECOND), '%S',
> '%{%{Acct-Session-Time}:-0}', '%{Acct-Authentic}', '',
> '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
> '%{%{Acct-Input-Octets}:-0}',
> '%{%{Acct-Output-Gigawords}:-0}' << 32 |
> '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
> '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
> '0', '%{%{Acct-Delay-Time}:-0}')"
> group_membership_query = "SELECT groupname FROM
> radusergroup WHERE username = '%{SQL-User-Name}' ORDER
> BY priority"
> connect_failure_retry_delay = 60
> simul_count_query = ""
> simul_verify_query = "SELECT radacctid, acctsessionid, username,
> nasipaddress, nasportid, framedipaddress,
> callingstationid, framedprotocol
> FROM radacct WHERE username =
> '%{SQL-User-Name}' AND acctstoptime IS NULL"
> postauth_query = "INSERT INTO radpostauth
> (username, pass, reply, authdate) VALUES (
> '%{User-Name}',
> '%{%{User-Password}:-%{Chap-Password}}',
> '%{reply:Packet-Type}', '%S')"
> safe-characters = "@abcdefghijklmnopqrstuvwxyzAB
> CDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> }
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
> linked
> rlm_sql (sql): Attempting to connect to radius@se3-PGW:3306/DB_BICS
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> rlm_sql (sql): starting 5
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
> rlm_sql_mysql: Starting connect to MySQL server for #5
> rlm_sql (sql): Connected new DB handle, #5
> rlm_sql (sql): starting 6
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
> rlm_sql_mysql: Starting connect to MySQL server for #6
> rlm_sql (sql): Connected new DB handle, #6
> rlm_sql (sql): starting 7
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
> rlm_sql_mysql: Starting connect to MySQL server for #7
> rlm_sql (sql): Connected new DB handle, #7
> rlm_sql (sql): starting 8
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
> rlm_sql_mysql: Starting connect to MySQL server for #8
> rlm_sql (sql): Connected new DB handle, #8
> rlm_sql (sql): starting 9
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
> rlm_sql_mysql: Starting connect to MySQL server for #9
> rlm_sql (sql): Connected new DB handle, #9
> rlm_sql (sql): starting 10
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
> rlm_sql_mysql: Starting connect to MySQL server for #10
> rlm_sql (sql): Connected new DB handle, #10
> rlm_sql (sql): starting 11
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
> rlm_sql_mysql: Starting connect to MySQL server for #11
> rlm_sql (sql): Connected new DB handle, #11
> rlm_sql (sql): starting 12
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
> rlm_sql_mysql: Starting connect to MySQL server for #12
> rlm_sql (sql): Connected new DB handle, #12
> rlm_sql (sql): starting 13
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
> rlm_sql_mysql: Starting connect to MySQL server for #13
> rlm_sql (sql): Connected new DB handle, #13
> rlm_sql (sql): starting 14
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
> rlm_sql_mysql: Starting connect to MySQL server for #14
> rlm_sql (sql): Connected new DB handle, #14
> rlm_sql (sql): starting 15
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
> rlm_sql_mysql: Starting connect to MySQL server for #15
> rlm_sql (sql): Connected new DB handle, #15
> rlm_sql (sql): starting 16
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
> rlm_sql_mysql: Starting connect to MySQL server for #16
> rlm_sql (sql): Connected new DB handle, #16
> rlm_sql (sql): starting 17
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
> rlm_sql_mysql: Starting connect to MySQL server for #17
> rlm_sql (sql): Connected new DB handle, #17
> rlm_sql (sql): starting 18
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
> rlm_sql_mysql: Starting connect to MySQL server for #18
> rlm_sql (sql): Connected new DB handle, #18
> rlm_sql (sql): starting 19
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
> rlm_sql_mysql: Starting connect to MySQL server for #19
> rlm_sql (sql): Connected new DB handle, #19
> rlm_sql (sql): starting 20
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #20
> rlm_sql_mysql: Starting connect to MySQL server for #20
> rlm_sql (sql): Connected new DB handle, #20
> rlm_sql (sql): starting 21
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #21
> rlm_sql_mysql: Starting connect to MySQL server for #21
> rlm_sql (sql): Connected new DB handle, #21
> rlm_sql (sql): starting 22
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #22
> rlm_sql_mysql: Starting connect to MySQL server for #22
> rlm_sql (sql): Connected new DB handle, #22
> rlm_sql (sql): starting 23
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #23
> rlm_sql_mysql: Starting connect to MySQL server for #23
> rlm_sql (sql): Connected new DB handle, #23
> rlm_sql (sql): starting 24
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
> rlm_sql_mysql: Starting connect to MySQL server for #24
> rlm_sql (sql): Connected new DB handle, #24
> rlm_sql (sql): starting 25
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #25
> rlm_sql_mysql: Starting connect to MySQL server for #25
> rlm_sql (sql): Connected new DB handle, #25
> rlm_sql (sql): starting 26
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #26
> rlm_sql_mysql: Starting connect to MySQL server for #26
> rlm_sql (sql): Connected new DB handle, #26
> rlm_sql (sql): starting 27
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #27
> rlm_sql_mysql: Starting connect to MySQL server for #27
> rlm_sql (sql): Connected new DB handle, #27
> rlm_sql (sql): starting 28
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #28
> rlm_sql_mysql: Starting connect to MySQL server for #28
> rlm_sql (sql): Connected new DB handle, #28
> rlm_sql (sql): starting 29
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #29
> rlm_sql_mysql: Starting connect to MySQL server for #29
> rlm_sql (sql): Connected new DB handle, #29
> rlm_sql (sql): starting 30
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #30
> rlm_sql_mysql: Starting connect to MySQL server for #30
> rlm_sql (sql): Connected new DB handle, #30
> rlm_sql (sql): starting 31
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #31
> rlm_sql_mysql: Starting connect to MySQL server for #31
> rlm_sql (sql): Connected new DB handle, #31
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating module "acct_unique" from file
> /etc/raddb/modules/acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
> NAS-Port"
> }
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file /etc/raddb/modules/detail
> detail {
> detailfile = "/var/log/radius/radacct/%{%{P
> acket-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Linked to module rlm_sqlippool
> Module: Instantiating module "sqlippool" from file
> /etc/raddb/sqlippool.conf
> sqlippool {
> sql-instance-name = "sql"
> lease-duration = 3601
> pool-name = ""
> allocate-begin = "START TRANSACTION"
> allocate-clear = "UPDATE radippool SET nasipaddress = '',
> pool_key = 0, callingstationid = '', username = '', calledstationid =
> '', expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
> AND pool_name = '%{control:Pool-Name}'"
> allocate-find = "SELECT framedipaddress FROM radippool WHERE
> pool_name = '%{control:Pool-Name}' AND (expiry_time < NOW() OR expiry_time
> IS NULL) LIMIT 1 FOR UPDATE"
> allocate-update = "UPDATE radippool SET nasipaddress =
> '%{NAS-IP-Address}', pool_key = '%{3GPP-IMSI}-%{3GPP-NSAPI}',
> callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}',
> calledstationid = '%{Called-Station-Id}', expiry_time = NOW() + INTERVAL
> 3601 SECOND WHERE framedipaddress = '%I' AND (expiry_time < NOW() OR
> expiry_time IS NULL)"
> allocate-commit = "COMMIT"
> allocate-rollback = "ROLLBACK"
> pool-check = "SELECT id FROM radippool WHERE
> pool_name='%{control:Pool-Name}' LIMIT 1"
> start-begin = "START TRANSACTION"
> start-update = "UPDATE radippool SET expiry_time = NOW() +
> INTERVAL 3601 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND
> pool_key = '%{3GPP-IMSI}-%{3GPP-NSAPI}' AND username = '%{User-Name}'
> AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress =
> '%{Framed-IP-Address}'"
> start-commit = "COMMIT"
> start-rollback = "ROLLBACK"
> alive-begin = "START TRANSACTION"
> alive-update = "UPDATE radippool SET expiry_time = NOW() +
> INTERVAL 3601 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key
> = '%{3GPP-IMSI}-%{3GPP-NSAPI}' AND username = '%{User-Name}' AND
> callingstationid = '%{Calling-Station-Id}' AND framedipaddress =
> '%{Framed-IP-Address}'"
> alive-commit = "COMMIT"
> alive-rollback = "ROLLBACK"
> stop-begin = "START TRANSACTION"
> stop-clear = "UPDATE radippool SET nasipaddress = '', pool_key =
> 0, callingstationid = '', username = '', calledstationid = '', expiry_time
> = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key =
> '%{3GPP-IMSI}-%{3GPP-NSAPI}' AND username = '%{User-Name}' AND
> callingstationid = '%{Calling-Station-Id}' AND framedipaddress =
> '%{Framed-IP-Address}'"
> stop-commit = "COMMIT"
> stop-rollback = "ROLLBACK"
> on-begin = "START TRANSACTION"
> on-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0,
> callingstationid = '', username = '', expiry_time = NULL WHERE
> nasipaddress = '%{Nas-IP-Address}'"
> on-commit = "COMMIT"
> on-rollback = "ROLLBACK"
> off-begin = "START TRANSACTION"
> off-clear = "UPDATE radippool SET nasipaddress = '', pool_key =
> 0, callingstationid = '', username = '', expiry_time = NULL WHERE
> nasipaddress = '%{Nas-IP-Address}'"
> off-commit = "COMMIT"
> off-rollback = "ROLLBACK"
> sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address}
> (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
> %{User-Name})"
> sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address}
> from %{control:Pool-Name} (did %{Called-Station-Id} cli
> %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
> sqlippool_log_clear = "Released IP %{Framed-IP-Address} (did
> %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
> sqlippool_log_failed = "IP Allocation FAILED from
> %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id}
> port %{NAS-Port} user %{User-Name})"
> sqlippool_log_nopool = "No Pool-Name defined (did
> %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
> %{User-Name})"
> defaultpool = "main_pool"
> }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/modules/attr_filter
> attr_filter attr_filter.accounting_response {
> attrsfile = "/etc/raddb/attrs.accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/attrs.accounting_response
> Module: Checking session {...} for more modules to load
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file
> /etc/raddb/modules/radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
> Module: Checking post-proxy {...} for more modules to load
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /etc/raddb/eap.conf
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 1024
> }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> CA_path = "/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/server.pem"
> certificate_file = "/etc/raddb/certs/server.pem"
> CA_file = "/etc/raddb/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> Module: Checking post-auth {...} for more modules to load
> Module: Linked to module rlm_always
> Module: Instantiating module "noop" from file /etc/raddb/modules/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> Module: Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/modules/attr_filter
> attr_filter attr_filter.access_reject {
> attrsfile = "/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/attrs.access_reject
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 0
> }
> listen {
> type = "acct"
> ipaddr = 127.0.0.1
> port = 0
> }
> ... adding new socket proxy address * port 40388
> Listening on authentication address 127.0.0.1 port 1812
> Listening on accounting address 127.0.0.1 port 1813
> Listening on proxy address * port 1297
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 54156, id=187,
> length=103
> User-Name = "123123000@internet"
> Framed-IP-Address = 5.17.0.15
> Called-Station-Id = "internet"
> Calling-Station-Id = "0034687947939"
> 3GPP-IMSI = "123123000000000"
> 3GPP-NSAPI = "5"
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> [files] users: Matched entry DEFAULT at line 50
> ++[files] = ok
> [sql] expand: %{User-Name} -> 123123000@internet
> [sql] sql_set_user escaped user --> '123123000@internet'
> rlm_sql (sql): Reserving sql socket id: 30
> [sql] expand: SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
> id -> SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = '123123000@internet' ORDER BY id
> [sql] User found in radcheck table
> [sql] expand: SELECT id, username, attribute, value, op FROM
> radreply WHERE username = '%{SQL-User-Name}' ORDER BY
> id -> SELECT id, username, attribute, value, op FROM radreply
> WHERE username = '123123000@internet' ORDER BY id
> [sql] expand: SELECT groupname FROM radusergroup
> WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
> groupname FROM radusergroup WHERE username =
> '123123000@internet' ORDER BY priority
> rlm_sql (sql): Released sql socket id: 30
> ++[sql] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> +} # group authorize = ok
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +group post-auth {
> ++? if ("%{User-Name}" == "XTaskRadiusServerPing")
> expand: %{User-Name} -> 123123000@internet
> ? Evaluating ("%{User-Name}" == "XTaskRadiusServerPing") -> FALSE
> ++? if ("%{User-Name}" == "XTaskRadiusServerPing") -> FALSE
> ++else else {
> rlm_sql (sql): Reserving sql socket id: 29
> [sqlippool] expand: %{User-Name} -> 123123000@internet
> [sqlippool] sql_set_user escaped user --> '123123000@internet'
> [sqlippool] expand: START TRANSACTION -> START TRANSACTION
> [sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key
> = 0, callingstationid = '', username = '', calledstationid = '',
> expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND
> pool_name = '%{control:Pool-Name}' -> UPDATE radippool SET nasipaddress =
> '', pool_key = 0, callingstationid = '', username = '', calledstationid
> = '', expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
> AND pool_name = 'tochada'
> [sqlippool] expand: COMMIT -> COMMIT
> [sqlippool] expand: START TRANSACTION -> START TRANSACTION
> [sqlippool] expand: SELECT framedipaddress FROM radippool WHERE
> pool_name = '%{control:Pool-Name}' AND (expiry_time < NOW() OR expiry_time
> IS NULL) LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool
> WHERE pool_name = 'tochada' AND (expiry_time < NOW() OR expiry_time IS
> NULL) LIMIT 1 FOR UPDATE
> [sqlippool] expand: UPDATE radippool SET nasipaddress =
> '%{NAS-IP-Address}', pool_key = '%{3GPP-IMSI}-%{3GPP-NSAPI}',
> callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}',
> calledstationid = '%{Called-Station-Id}', expiry_time = NOW() + INTERVAL
> 3601 SECOND WHERE framedipaddress = '5.0.0.5' AND (expiry_time < NOW() OR
> expiry_time IS NULL) -> UPDATE radippool SET nasipaddress = '127.0.0.1',
> pool_key = '123123000000000-5', callingstationid = '0034687947939',
> username = '123123000@internet', calledstationid = 'internet',
> expiry_time = NOW() + INTERVAL 3601 SECOND WHERE framedipaddress =
> '5.0.0.5' AND (expiry_time < NOW() OR expiry_time IS NULL)
> [sqlippool] Allocated IP 5.0.0.5 [05000005]
> [sqlippool] expand: COMMIT -> COMMIT
> rlm_sql (sql): Released sql socket id: 29
> [sqlippool] expand: Allocated IP: %{reply:Framed-IP-Address} from
> %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id}
> port %{NAS-Port} user %{User-Name}) -> Allocated IP: 5.0.0.5 from tochada
> (did internet cli 0034687947939 port user 123123000@internet)
> Allocated IP: 5.0.0.5 from tochada (did internet cli 0034687947939 port
> user 123123000@internet)
> +++[sqlippool] = ok
> +++update reply {
> expand: modules.sqlippool.lease-duration ->
> modules.sqlippool.lease-duration
> expand: %{config:modules.sqlippool.lease-duration} -> 3601
> +++} # update reply = noop
> ++} # else else = ok
> ++[exec] = noop
> +} # group post-auth = ok
> Sending Access-Accept of id 187 to 127.0.0.1 port 54156
> MS-Primary-DNS-Server = 8.8.8.8
> Framed-IP-Address = 5.0.0.5
> Session-Timeout = 3601
> Finished request 1.
> Going to the next request
> Waking up in 4.7 seconds.
>
>
>
2
1
Hello
I need to map ldap authenticated (389directory) users to juniper nas local
accounts that all have different access rights. I clearly run the ldap
module, and do a group search to verify a user can access based on group.
Is it possible to take the group the ldap module finds and map it to a same
named account on the juniper nas ?
I want to avoid using the remote user id on the juniper nas with the access
class that I assign, and instead use the different accounts on the juniper
nas which are different access levels:
user-ro
user-op
user-su
I have not messed with the git pulled 3.0.14 config files other than ldap,
clients.conf and users file. See radiusd -X below for run info. In my
users file I have:
DEFAULT LDAP-Group == "admins", Auth-Type := Accept
Junipers instructions are as follow, which I have tried:
In this example a freeradius server is used (more info about freeradius at
http://freeradius.org/) The following users are configured in the file
/etc/freeradius/users on the freeradius server:
tom Cleartext-Password := "tom123"
Service-Type = Login-User,
Juniper-Local-User-Name := "readonly-users",
jerry Cleartext-Password := "jerry123"
Service-Type = Login-User,
Juniper-Local-User-Name := "super-users",
The VSA (vendor specific attribute) "Juniper-Local-User-Name" is used here.
This VSA is already present in file /usr/share/freeradius/dictionary.juniper by
default and does not need to be configured.
On the radius server in file /etc/freeradius/clients.conf the radius secret
and client IP address (in this case 0/0, so any IP address) is configured
like this example:
client 0/0 {
secret = juniper
shortname = JUNOS-devices
}
Thank you
FreeRADIUS Version 3.0.14
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/expiration
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/control
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/var/log"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client scinet-login-node {
ipaddr = 10.1.4.46
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mx480-nal-g04-1 {
ipaddr = 10.10.0.10
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "juniper"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mx480-Albany-3036 {
ipaddr = 10.50.0.11
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "juniper"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client QFX5100-ALB-NWF1-IDF-1 {
ipaddr = 10.0.60.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client QFX5100-ALB-Rm3034-1 {
ipaddr = 10.0.66.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "juniper"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mx960-ames-core1 {
ipaddr = 10.10.0.11
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mlxe16-CC-131-1 {
ipaddr = 10.20.0.11
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mlx8e-SV-07 {
ipaddr = 10.30.0.11
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mlxe16-ftc-3020-1 {
ipaddr = 10.40.0.11
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client SRX550-FTC-SCInet-Rm3020-1 {
ipaddr = 10.150.0.2
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "juniper"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "10.1.0.9"
identity = "cn=Directory Manager"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter =
"(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
instantiate {
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20440
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 10.1.0.150
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 60
}
}
listen {
type = "acct"
ipaddr = 10.1.0.150
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 10.1.0.150 port 1812 bound to server default
Listening on acct address 10.1.0.150 port 1813 bound to server default
Listening on proxy address * port 51049
Ready to process requests
1) Received Access-Request Id 70 from 10.10.0.10:51639 to 10.1.0.150:1812
length 112
(1) User-Name = "darrain.waters-admin"
(1) User-Password = "*"
(1) NAS-Identifier = "mx480-nal-g04-1"
(1) Calling-Station-Id = "10.99.99.10"
(1) NAS-IP-Address = 192.168.0.1
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/radacct/10.10.0.10/auth-detail-20170624
(1) auth_log:
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/10.10.0.10/auth-detail-20170624
(1) auth_log: EXPAND %t
(1) auth_log: --> Sat Jun 24 16:46:10 2017
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "darrain.waters-admin", looking up realm
NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 79
seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 79
seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 79
seconds
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (uid=darrain.waters-admin)
(1) ldap: Performing search in
"cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" with filter
"(uid=darrain.waters-admin)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN
"uid=darrain.waters-admin,cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov"
(1) ldap: Processing user attributes
(1) ldap: control:Password-With-Header +=
'{SSHA}xOm2VtJIOjqbxdDvam0B27+oqrLsRiBxfVZyaw=='
rlm_ldap (ldap): Released connection (0)
Need 7 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 29 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = updated
(1) files: Searching for user in group "admins"
rlm_ldap (ldap): Reserved connection (5)
(1) files: Using user DN from request
"uid=darrain.waters-admin,cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov"
(1) files: Checking for user in group objects
(1) files: EXPAND
(&(cn=admins)(objectClass=posixGroup)(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
(1) files: -->
(&(cn=admins)(objectClass=posixGroup)(memberof=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)))
(1) files: Performing search in
"cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" with filter
"(&(cn=admins)(objectClass=posixGroup)(memberof=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)))",
scope "sub"
(1) files: Waiting for search result...
(1) files: Search returned no results
(1) files: Checking user object's memberOf attributes
(1) files: Performing unfiltered search in
"uid=darrain.waters-admin,cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov",
scope "base"
(1) files: Waiting for search result...
(1) files: Processing memberOf value
"cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" as a DN
(1) files: Resolving group DN
"cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" to group
name
(1) files: Performing unfiltered search in
"cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov", scope
"base"
(1) files: Waiting for search result...
(1) files: Group DN
"cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" resolves
to name "admins"
(1) files: User found in group "admins". Comparison between membership:
name (resolved from DN
"cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov"), check:
name
rlm_ldap (ldap): Released connection (5)
(1) files: users: Matched entry DEFAULT at line 72
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(1) pap: Removing &control:Password-With-Header
(1) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
bytes
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = Accept
(1) Auth-Type = Accept, accepting the user
(1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(1) post-auth {
(1) update {
(1) No attributes updated
(1) } # update = noop
(1) [exec] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # post-auth = noop
(1) Sent Access-Accept Id 70 from 10.1.0.150:1812 to 10.10.0.10:51639
length 0
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 70 with timestamp +79
2
4
Is there a way to always log in debug mode?
2
1
I need some help setting up users. Here is what I have in my config:
Untitled - Modern Paste
|
| |
Untitled - Modern Paste
| |
|
1
1
Hi I am running CentOS 7.3 with the latest FreeRADIUS available. I am having trouble getting radmin working getting the following error when trying to run it.
[root@asm-rancid01 ~]# radmin -f /etc/raddb/sites-enabled/control-socketradmin: Failed connecting to /etc/raddb/sites-enabled/control-socket: Too many levels of symbolic links[root@asm-rancid01 ~]# radminradmin: Could not find control socket in /etc/raddb/radiusd.conf
[root@asm-rancid01 ~]# cd /etc/raddb/sites-enabled/[root@asm-rancid01 sites-enabled]# ls -latotal 4drwxr-x---. 2 root radiusd 63 Jun 22 10:42 .drwxr-xr-x. 9 root radiusd 4096 Jun 22 10:41 ..lrwxrwxrwx. 1 root root 14 Jun 22 10:42 control-socket -> control-socketlrwxrwxrwx. 1 root radiusd 26 Jun 17 17:56 default -> ../sites-available/defaultlrwxrwxrwx. 1 root radiusd 31 Jun 17 17:56 inner-tunnel -> ../sites-available/inner-tunnel[root@asm-rancid01 sites-enabled]#
Radiusd start and I see no errors in the logs.
sudo cat /etc/raddb/sites-available/control-socket |grep "^[^#;]"listen { # # Listen on the control socket. #type = control
# # Socket location. # # This file is created with the server's uid and gid. # It's permissions are r/w for that user and group, and # no permissions for "other" users. These permissions form # minimal security, and should not be relied on. # socket = ${run_dir}/${name}.sock # # The following two parameters perform authentication and # authorization of connections to the control socket. # # If not set, then ANYONE can connect to the control socket, # and have complete control over the server. This is likely # not what you want. # # One, or both, of "uid" and "gid" should be set. If set, the # corresponding value is checked. Unauthorized users result # in an error message in the log file, and the connection is # closed. # # # Name of user that is allowed to connect to the control socket. # uid = radius # # Name of group that is allowed to connect to the control socket. # gid = radius # # Access mode. # # This can be used to give *some* administrators access to # monitor the system, but not to change it. # # ro = read only access (default) # rw = read/write access. # mode = rw}
2
2
Hi Saurabh
You don't require a third party NAS server. Your Dlink is enough to work
like a NAS or you can make your local radius server machine a NAS.
Yes,you configure your wireless security using radius authentication and
configure the client credential on the page,that's it.
Regards
Yusuf
On 21-Jun-2017 3:21 am, "Saurabh Shandilya" <saurabhshandilya.1991(a)gmail.com>
wrote:
On Wed, Jun 21, 2017 at 3:02 AM, Alan DeKok <aland(a)deployingradius.com>
wrote:
> On Jun 20, 2017, at 5:23 PM, Saurabh Shandilya <
> saurabhshandilya.1991(a)gmail.com> wrote:
> > Now how to know about my NAS, as far as i know, its a very simple router
> > Dlink 850l Hardware Version A1, Firmware 1.12WW.
> > I mean what is the measuring axis for this to know about the kind of NAS
> I
> > have and what all features it support ?
>
> Ask the NAS vendor.
>
> There are a 1000 companies selling NAS equipment. Each company has 1000
> products and/or firmware revisions.
>
> We can't keep track of them all.
>
> Ask the NAS vendor for documentation on how their equipment works.
>
>
Indeed Alan, I didn't mean to put that way to show you people that you
should do any such sort of thing. All I meant was just to know about if
at all, there exists any such method(a call or functionality in the deivce
itself) that can tell on request if it supports these functions or not.
Anyway I understand your point and will search it out with my vendor.
Thanks
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
--
Regards,
saurabh shandilya
www.embedded4fun.com
https://in.linkedin.com/in/shandilyasaurabh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
list/users.html
1
0