Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
October 2019
- 52 participants
- 55 discussions
Maybe I'm overthinking it, but we have currently the interval set to 300
seconds.
What happens if I set this permanently to 15 seconds? Based on currently
logged in users (around 700 users at a time), the database, as well as the
freeradius process (CPU/Memory), will be a lot more utilised than before
due to an increased number of updates.
post-auth {
update reply {
Acct-Interim-Interval = 15
}
Is there an industry standard value that is considered fair? Or can I go as
low as 15 seconds without fearing scalability issues?
Many Thanks,
Houman
2
7
Virtual server pre-proxy section not executed for proxied authentication on v3.0.18 and above
by paul.moser@bt.com 16 Oct '19
by paul.moser@bt.com 16 Oct '19
16 Oct '19
I've been attempting to upgrade some FreeRadius servers that have been following the v3.0.x line. Normally taking the existing running configuration from one minor version and applying to the next has just worked, however attempting to go from 3.0.17 to 3.0.18 (or 3.0.19 or the latest head) and it appears that the pre-proxy section of a virtual server isn't called when proxying authentication requests and the packet is sent straight to the remote radius server. Nothing in the change log or proxy.conf etc jumps out at me as indicating a deliberate change in this area.
I can reproduce the problem by applying a minimal realm/home_server_pool/home_server/virtual server combination to an out-of-the-box new install of each version so I don't think it is caused by carrying over some old/incompatible configuration from an old version, however it's quite possible my understanding of how proxying is suppose to work is wrong and my configuration worked by accident rather than design and later versions have tightened up the behaviour.
Two full outputs from radiusd -X included at end of the email.
An a minimal example to reproduce the problem to proxy.conf I've added:
home_server example_home_server {
ipaddr = 1.2.3.4
port = 1812
secret = password
}
home_server_pool example_home_server_pool {
home_server = example_home_server
virtual_server = example-virtual-server
}
realm example.net {
auth_pool = example_home_server_pool
}
And added a file to sites-enabled with:
server example-virtual-server {
pre-proxy {
# just as a simple example of something that could be done here, would normally add/modify attributes
reject
}
}
Up to and including 3.0.17 I see the authorize section completes and then the pre-proxy section get called and, with my simple example, a reject gets sent back to the client:
(0) [pap] = noop
(0) } # authorize = updated
(0) server example-virtual-server {
(0) # Executing section pre-proxy from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/example-virtual-server
(0) pre-proxy {
(0) [reject] = reject
(0) } # pre-proxy = reject
(0) }
However on 3.0.18 and above it goes straight from completing the authorize section to sending the packet to the remote radius server. It does appear to know about the virtual server as on failure to proxy the request it looks for a Post-Proxy-Type Fail-Authentication in the virtual server
(0) [pap] = noop
(0) } # authorize = updated
(0) Starting proxy to home server 1.2.3.4 port 1812
(0) Proxying request to home server 1.2.3.4 port 1812 timeout 30.000000
(0) Sent Access-Request Id 182 from 0.0.0.0:40399 to 1.2.3.4:1812 length 117
(0) User-Name = "fred"
(0) Calling-Station-Id = "11-22-33-44-55-66"
(snip)
(0) ERROR: Failing proxied request for user "fred", due to lack of any response from home server 1.2.3.4 port 1812
(0) Clearing existing &reply: attributes
(0) Found Post-Proxy-Type Fail-Authentication
(0) server example-virtual-server {
(0) Post-Proxy-Type sub-section not found. Ignoring.
(0) }
Full log from 3.0.17:
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /opt/freeradius-server-3.0.17/share/freeradius/dictionary
including dictionary file /opt/freeradius-server-3.0.17/share/freeradius/dictionary.dhcp
including dictionary file /opt/freeradius-server-3.0.17/share/freeradius/dictionary.vqp
including dictionary file /opt/freeradius-server-3.0.17/etc/raddb/dictionary
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/radiusd.conf
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/proxy.conf
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/clients.conf
including files in directory /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/chap
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/unix
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/sradutmp
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/soh
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/pap
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/eap
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/passwd
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/mschap
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/replicate
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/utf8
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/expr
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/expiration
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/radutmp
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/cache_eap
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/digest
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/unpack
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/files
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/date
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/ntlm_auth
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/exec
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/echo
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/logintime
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/preprocess
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/dynamic_clients
including files in directory /opt/freeradius-server-3.0.17/etc/raddb/policy.d/
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/eap
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/dhcp
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/canonicalization
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/accounting
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/filter
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/control
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/cui
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/abfab-tr
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/operator-name
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/policy.d/debug
including files in directory /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/default
including configuration file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/example-virtual-server
main {
name = "radiusd"
prefix = "/opt/freeradius-server-3.0.17"
localstatedir = "/opt/freeradius-server-3.0.17/var"
sbindir = "/opt/freeradius-server-3.0.17/sbin"
logdir = "/opt/freeradius-server-3.0.17/var/log/radius"
run_dir = "/opt/freeradius-server-3.0.17/var/run/radiusd"
libdir = "/opt/freeradius-server-3.0.17/lib"
radacctdir = "/opt/freeradius-server-3.0.17/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/opt/freeradius-server-3.0.17/var/run/radiusd/radiusd.pid"
checkrad = "/opt/freeradius-server-3.0.17/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server example_home_server {
ipaddr = 1.2.3.4
port = 1812
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool example_home_server_pool {
virtual_server = example-virtual-server
home_server = example_home_server
}
realm example.net {
auth_pool = example_home_server_pool
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Found debugger attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_chap
# Loading module "chap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/chap
# Loaded module rlm_unix
# Loading module "unix" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/opt/freeradius-server-3.0.17/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_eap
# Loading module "eap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
linelog {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/replicate
# Loaded module rlm_utf8
# Loading module "utf8" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/utf8
# Loaded module rlm_expr
# Loading module "expr" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/expiration
# Loading module "radutmp" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "detail" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail
detail {
filename = "/opt/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/digest
# Loaded module rlm_unpack
# Loading module "unpack" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/files
files {
filename = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/files/authorize"
acctusersfile = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_always
# Loading module "reject" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_date
# Loading module "date" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "exec" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "echo" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/opt/freeradius-server-3.0.17/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/dynamic_clients
instantiate {
}
# Instantiating module "IPASS" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
# Instantiating module "pap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/pap
# Instantiating module "eap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/opt/freeradius-server-3.0.17/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.17/etc/raddb/certs/server.pem"
certificate_file = "/opt/freeradius-server-3.0.17/etc/raddb/certs/server.pem"
ca_file = "/opt/freeradius-server-3.0.17/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/opt/freeradius-server-3.0.17/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "linelog" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
# Instantiating module "etc_passwd" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "auth_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
# Instantiating module "mschap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "expiration" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/expiration
# Instantiating module "cache_eap" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail
# Instantiating module "files" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/files
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/files/authorize
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/files/accounting
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "reject" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_reject
[/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "logintime" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/logintime
# Instantiating module "preprocess" from file /opt/freeradius-server-3.0.17/etc/raddb/mods-enabled/preprocess
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /opt/freeradius-server-3.0.17/etc/raddb/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /opt/freeradius-server-3.0.17/etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
server default { # from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server example-virtual-server { # from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/example-virtual-server
# Loading pre-proxy {...}
} # server example-virtual-server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 60416
Listening on proxy address :: port 60153
Ready to process requests
(0) Received Access-Request Id 154 from 127.0.0.1:47428 to 127.0.0.1:1812 length 76
(0) User-Name = "fred(a)example.net"
(0) Calling-Station-Id = "11-22-33-44-55-66"
(0) CHAP-Password = 0x61de4bc19a729a75edcbb4bffa8b320da7
(0) # Executing section authorize from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.net" for User-Name = "fred(a)example.net"
(0) suffix: Found realm "example.net"
(0) suffix: Adding Stripped-User-Name = "fred"
(0) suffix: Adding Realm = "example.net"
(0) suffix: Proxying request from user fred to realm example.net
(0) suffix: Preparing to proxy authentication request to realm "example.net"
(0) [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) server example-virtual-server {
(0) # Executing section pre-proxy from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/example-virtual-server
(0) pre-proxy {
(0) [reject] = reject
(0) } # pre-proxy = reject
(0) }
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /opt/freeradius-server-3.0.17/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> fred(a)example.net
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Sent Access-Reject Id 154 from 127.0.0.1:1812 to 127.0.0.1:47428 length 0
(0) Finished request
Waking up in 4.9 seconds.
Full log from v3.0.18
FreeRADIUS Version 3.0.18
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /opt/freeradius-server-3.0.18/share/freeradius/dictionary
including dictionary file /opt/freeradius-server-3.0.18/share/freeradius/dictionary.dhcp
including dictionary file /opt/freeradius-server-3.0.18/share/freeradius/dictionary.vqp
including dictionary file /opt/freeradius-server-3.0.18/etc/raddb/dictionary
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/radiusd.conf
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/proxy.conf
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/clients.conf
including files in directory /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/chap
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/unix
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/sradutmp
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/soh
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/pap
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/eap
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/linelog
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/passwd
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/mschap
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/replicate
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/utf8
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/expr
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/expiration
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/radutmp
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/cache_eap
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/digest
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/unpack
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/files
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/date
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/ntlm_auth
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/exec
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/echo
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/logintime
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/preprocess
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/dynamic_clients
including files in directory /opt/freeradius-server-3.0.18/etc/raddb/policy.d/
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/eap
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/dhcp
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/canonicalization
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/accounting
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/filter
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/control
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/cui
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/abfab-tr
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/operator-name
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/debug
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/policy.d/rfc7542
including files in directory /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/default
including configuration file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/example-virtual-server
main {
name = "radiusd"
prefix = "/opt/freeradius-server-3.0.18"
localstatedir = "/opt/freeradius-server-3.0.18/var"
sbindir = "/opt/freeradius-server-3.0.18/sbin"
logdir = "/opt/freeradius-server-3.0.18/var/log/radius"
run_dir = "/opt/freeradius-server-3.0.18/var/run/radiusd"
libdir = "/opt/freeradius-server-3.0.18/lib"
radacctdir = "/opt/freeradius-server-3.0.18/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/opt/freeradius-server-3.0.18/var/run/radiusd/radiusd.pid"
checkrad = "/opt/freeradius-server-3.0.18/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server example_home_server {
ipaddr = 1.2.3.4
port = 1812
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool example_home_server_pool {
virtual_server = example-virtual-server
home_server = example_home_server
}
realm example.net {
auth_pool = example_home_server_pool
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Found debugger attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_chap
# Loading module "chap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/chap
# Loaded module rlm_unix
# Loading module "unix" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/opt/freeradius-server-3.0.18/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_eap
# Loading module "eap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/linelog
linelog {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/replicate
# Loaded module rlm_utf8
# Loading module "utf8" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/utf8
# Loaded module rlm_expr
# Loading module "expr" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/expiration
# Loading module "radutmp" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "detail" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail
detail {
filename = "/opt/freeradius-server-3.0.18/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/digest
# Loaded module rlm_unpack
# Loading module "unpack" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/files
files {
filename = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/files/authorize"
acctusersfile = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_always
# Loading module "reject" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_date
# Loading module "date" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "exec" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "echo" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/opt/freeradius-server-3.0.18/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/dynamic_clients
instantiate {
}
# Instantiating module "IPASS" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/realm
# Instantiating module "pap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/pap
# Instantiating module "eap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/opt/freeradius-server-3.0.18/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/opt/freeradius-server-3.0.18/etc/raddb/certs/server.pem"
certificate_file = "/opt/freeradius-server-3.0.18/etc/raddb/certs/server.pem"
ca_file = "/opt/freeradius-server-3.0.18/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/opt/freeradius-server-3.0.18/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "linelog" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/linelog
# Instantiating module "etc_passwd" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "auth_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail.log
# Instantiating module "mschap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "expiration" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/expiration
# Instantiating module "cache_eap" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/detail
# Instantiating module "files" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/files
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/files/authorize
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/files/accounting
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "reject" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/attr_filter
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "logintime" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/logintime
# Instantiating module "preprocess" from file /opt/freeradius-server-3.0.18/etc/raddb/mods-enabled/preprocess
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /opt/freeradius-server-3.0.18/etc/raddb/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /opt/freeradius-server-3.0.18/etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/inner-tunnel:339
} # server inner-tunnel
server default { # from file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server example-virtual-server { # from file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/example-virtual-server
# Loading pre-proxy {...}
} # server example-virtual-server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 40399
Listening on proxy address :: port 46152
Ready to process requests
(0) Received Access-Request Id 196 from 127.0.0.1:50186 to 127.0.0.1:1812 length 76
(0) User-Name = "fred(a)example.net"
(0) Calling-Station-Id = "11-22-33-44-55-66"
(0) CHAP-Password = 0x6fb6ef0cca81d7fd208a1a43fdfb5bc8d9
(0) # Executing section authorize from file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.net" for User-Name = "fred(a)example.net"
(0) suffix: Found realm "example.net"
(0) suffix: Adding Stripped-User-Name = "fred"
(0) suffix: Adding Realm = "example.net"
(0) suffix: Proxying request from user fred to realm example.net
(0) suffix: Preparing to proxy authentication request to realm "example.net"
(0) [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) Starting proxy to home server 1.2.3.4 port 1812
(0) Proxying request to home server 1.2.3.4 port 1812 timeout 30.000000
(0) Sent Access-Request Id 182 from 0.0.0.0:40399 to 1.2.3.4:1812 length 117
(0) User-Name = "fred"
(0) Calling-Station-Id = "11-22-33-44-55-66"
(0) CHAP-Password = 0x6fb6ef0cca81d7fd208a1a43fdfb5bc8d9
(0) Event-Timestamp = "Sep 24 2019 14:43:46 BST"
(0) NAS-IP-Address = 127.0.0.1
(0) CHAP-Challenge = 0xbc81eb6f64bbe79822a9886a637d500a
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x313936
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 29.666644 seconds from now
Waking up in 29.6 seconds.
(0) No proxy response, giving up on request and marking it done
Marking home server 1.2.3.4 port 1812 as zombie (it has not responded in 30.000000 seconds).
(0) ERROR: Failing proxied request for user "fred", due to lack of any response from home server 1.2.3.4 port 1812
(0) Clearing existing &reply: attributes
(0) Found Post-Proxy-Type Fail-Authentication
(0) server example-virtual-server {
(0) Post-Proxy-Type sub-section not found. Ignoring.
(0) }
(0) Login incorrect (Home Server failed to respond): [fred(a)example.net] (from client localhost port 0 cli 11-22-33-44-55-66)
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /opt/freeradius-server-3.0.18/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> fred(a)example.net
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Sent Access-Reject Id 196 from 127.0.0.1:1812 to 127.0.0.1:50186 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 196 with timestamp +20
Waking up in 25.1 seconds.
PING: Zombie period is over for home server example_home_server
Marking home server 1.2.3.4 port 1812 as dead.
PING: Reviving home server example_home_server in 300 seconds
Waking up in 299.9 seconds.
2
4
rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown error
by Shem Pasamba 16 Oct '19
by Shem Pasamba 16 Oct '19
16 Oct '19
Hello,
I have a problem connecting to an ldaps:// server using freeradius-ldap in
Ubuntu 18.04, it says, when I run freeradius -X -xxx:
Tue Oct 15 16:47:55 2019 : Debug: rlm_ldap (ldap): Connecting to ldaps://
ldap.aiias.edu:636
Tue Oct 15 16:47:55 2019 : Debug: rlm_ldap (ldap): New libldap handle
0x564a538dda60
Tue Oct 15 16:47:55 2019 : Error: rlm_ldap (ldap): Failed setting
connection option new TLS context: Unknown error
Here's what I did:
Installed freeradius using 'apt-get install freeradius-ldap'
then modified /etc/freeradius/3.0/mods-available/ldap to have:
server = 'ldaps://ldap.aiias.edu'
port = 636
identity = 'cn=Administrator,cn=users,dc=aiias,dc=edu'
password = not-the-real-password
base_dn = 'dc=aiias,dc=edu'
tls {
certificate_file = ${certdir}/aiias-edu.crt
private_key_file = ${certdir}/aiias-edu.key
}
then linked mods-available/ldap to ../mods-enabled/ldap
Thanks for your help in advance.
All the best,
Shem Pasamba
2
1
Sending Avaya-Fabric-Attach-VLAN-ISID and Avaya-Fabric-Attach-VLAN-PVID after successful authentication
by Jan Hugo Prins 15 Oct '19
by Jan Hugo Prins 15 Oct '19
15 Oct '19
Hello,
I have a cluster of freeradius servers running with an LDAP backend
which all works fine. I'm also able to return the correct VLAN
information after a successful authentication of a client. That way I
can put clients in the correct VLAN based on the authentication /
authorization matrix etc. Very nice.
In my core network I have Avaya / Extreme VSP 7000 switches in SPBM mode
and I would like to configure a port on those switches after successful
authentication, but they don't want VLAN information, but they want
something else:
VSAs
• Avaya-Fabric-Attach-VLAN-ISID
• Avaya-Auto-VLAN-Create
• Avaya-Fabric-Attach-VLAN-PVID
Documentation about this states the following:
Avaya-Fabric-Attach-VLAN-ISID
- This VSA consists of a (VLAN, I-SID) pair. Multiple (VLAN, I-SID)
pairs are processed only in MHSA mode.
Avaya-Auto-VLAN-Create
- If this VSA is set to TRUE, the VLANs received in all (VLAN, I-SID)
pairs will be automatically created if they do not exist. This VSA is
processed only in MHSA and MHMV modes.
Avaya-Fabric-Attach-VLAN-PVID
- This VSA contains the value of the PVID that should be set on the
port with the authenticated client. The Avaya-Fabric-Attach-VLAN-PVID
VSA is processed only in MHSA mode.
The switch send the following in an access request packet:
VSAs sent from switch to RADIUS server:
• Avaya-Fabric-Attach-Mode
This VSA can have the following values:
- 0 or not sent, when Switch is assumed to have no concept of SPB/AutoProv
- 1, when the switch is an FA Server in VLAN provision mode
- 2, when the switch is an FA Server in SPBM mode
- 3, when the switch is an FA Proxy with the connected FA Server in VLAN
provision mode
- 4, when the switch is an FA Proxy with the connected FA Server in SPBM
mode
- 5 , when the switch is a FA Standalone Proxy
• Avaya-Fabric-Attach-Client-Type
This VSA can have the following values:
- 1, FA Element Type Other
- 2, FA Server
- 3, FA Proxy
- 4, FA Server No Authentication
- 5, FA Proxy No Authentication
- 6, FA Client – Wireless AP Type 1 [clients direct network attachment]
- 7, FA Client – Wireless Ap Type 2 [clients tunneled to controller]
• Avaya-Fabric-Attach-Client-Id
This VSA contains the MAC address of the FA client, exported via FA
Signaling.
Does FreeRadius currently support this anywhere in a version?
Is there a way to get this working by correctly filling the dictionary file?
The man page for the dictionary file states that the VSA's configured
there will never be send in a radius packet, which makes me suspect that
this won't work?
Documentation on this can be found in
https://downloads.avaya.com/css/P8/documents/101026369
Thank you very much.
Jan Hugo Prins
2
3
Hello,
Is there a way to get the current date and time in
/etc/freeradius/3.0/sites-enabled/default?
I checked man unlang but couldn't find anything.
What I'm trying to achieve is if Now() > Expires-At then disconnect the
user.
preacct {
update request {
Expires-At = "%{sql:SELECT expires_at FROM main_db.`user`
WHERE main_db.`user`.username ='%{User-Name}'}"
}
if ("%{Now()}"} > Expires-At) {
update disconnect {
&User-Name = "%{User-Name}"
}
}
Many Thanks,
Houman
4
16
differences in handling of hashed passwords from LDAP between version 2 and 3
by Wirth, Oliver 14 Oct '19
by Wirth, Oliver 14 Oct '19
14 Oct '19
We are using freeradius for EDUROAM authentication with an oracle-ldap as password store. Actually we are using still radius version 2, but we now install a new radius version 3.
We found the following different behavior between version 2 and version3 which make our authentication fail:
freeradius receives user password from oracle-ldap in the following form:
(1) ldap: control:Password-With-Header += '{X- ORCLIFSMD5}***'
(1) ldap: control:Password-With-Header += '{X- ORCLWEBDAV}***'
(1) ldap: control:Password-With-Header += '{MD5}***'
(1) ldap: control:Password-With-Header += '{X- ORCLLMV}***'
(1) ldap: control:Password-With-Header += '{X- ORCLNTV}***'
The first two Headers are unknown to radius, that's why our Freeradius 2.2.5 is going to the next Password-with-Header until it finds a usable one and then can authenticate the user successfully:
- [pap] Found unknown header {{X- ORCLIFSMD5}}: Not doing anything
- [pap] Found unknown header {{X- ORCLWEBDAV}}: Not doing anything
- [pap] Normalizing MD5-Password from base64 encoding
- [pap] Normalizing LM-Password from hex encoding
- [pap] Normalizing NT-Password from hex encoding
BUT our new installed Freeradius 3.0.12 is no longer skipping unknown hashes, instead tries to re-write the first one to cleartext and ignores the other hashes. Of course the authentication fails:
(1) pap: Unknown header {{X- ORCLIFSMD5}} in Password-With-Header, re-writing to Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
Is there a reason for this change version 3?
Or are we doing something wrong or is it possible to tell freeradius 3 to ignore unknown password hashes?
Regards Oliver
2
1
Hi!
I wanted to know if has some way to check the response time of Radius when it receives a UDP packet and how to verify if server has a slow communication.
3
2
Greets -
I've been tasked with rolling over some of our *pple *pads which were
perfectly happy with EAP-TLS and and an FR3 service to Win10 PC
supplicants. Admittedly, the recent releases of ios have EAP-TLS as a
manual choice, and many of my commercial network friends advocate
EAP-TTLS instead as most of their supplicants are people who BYOD and
are thus user authenticated against a single huge network. For my
instance, I want to stay with machine auth; the devices may roam between
different smaller and independent networks (often without my direct
involvement which is ok), but I'd rather not have individual certs and
credentials for every supplicant that I would have to replicate to each
remote site. The convenience of manually installing a certificate then
handing off the device to others to deploy actually is the better path
for me. Bulking all the supplicants into a single username/pwd is little
different than wpa2-personal wherein eventually someone will write down
the credential and leak it to others. With me having to manually install
a certificate (ok, fine, a "Really, really long and difficult password
file"), at least there is mitigation of the "password on a post-it"
problem. The control over all the supplicants coming across my desk for
a certificate install is fine and preferred; once installed using the
same process, those devices then fan out and deploy to the field through
whatever path they need to take. It would be arduous to deal with
independent creds and mac address recording, then deploy those to field
sites, and then keep updating as the supplicants potentially move around
from site to site.
Having attempted WinXP/Vista/7/8.1 with the xpextensions fix but never
actually having success with it a long time ago, I was trying to find
recent tutorials (written preferably in 2019 at least) that walked
through a path of FR3, EAP-TLS and Win10. I have not really been
successful. Even the pointers to deployingradius.com didn't pan out,
(site seems to have been thinned of late) and I am of the belief through
some other research that EAP-TLS is becoming less useful and EAP-TTLS is
getting the preferential treatment despite apparently EAP-TTLS under
certain conditions being ranked as "less secure" (PAP-leading, for
example). I do recall a very in depth slide show a bit ago discussing
that topic.
Does anyone have an FR3/EAP-[T]TLS/Win10 tutorial that is tested
functional that they would be willing to point to? If TTLS, is there a
practice that would replicate the points above (the difficult to copy
credential aspect in particular) of TLS? Cert generation would
preferably be via openssl and FR3's scripting. Replicating certs to the
remote sites is already part of my existing workflow.
And of course, the great opinion request - is EAP-TLS under FR3 against
Win10 a lost proposition? One specific protocol and its traditional
implementation may not be the only option here; out of the box thinking
is encouraged, so suggest away.
My fully functional FR3 instances include Debian9, Cisco AP's under
EAP-TLS, Cisco switchgear and the aforementioned ipads/android devices.
(To date all my win PCs are hardwired....)
I was literally just about to try one other tutorial I googled, and as I
went to reach for the POE supply for my AP, it seems to have gone for a
walk itself...might be trying to tell me something....
Kindest regards,
Ted.
3
2
13 Oct '19
Hi,
I am using Simultaneous-Use := 1 . When I disconnect wifi or in a power
loss, I am facing an issue that I can't connect to the server again. I saw
that after 5/6 minutes later, I can connect again that means "
acctstoptime" is not null then.
so I guess after 5/6 minutes later freeradius server check if the user is
ideal then disconnect or send a account-stop request or fill "acctstoptime"
field.
Now I want to change that 5/6 minutes to seconds or at least 1 minute. How
can I archive that? I used Acct-Interim-Interval which keep updating even
after the user is not connected on a power loss.
Thanks
3
3
I'm looking to connect a Point to Site VPN endpoint to a RADIUS server
across the internet, and I'm looking for some guidance on whether my
understanding is correct.
My understanding is having a RADIUS server listening directly on the
internet would be bad security-wise, and should not be done, is this
correct?
Instead, a better architecture would be to connect the RADIUS server and
client over a secured channel, like a Site to Site VPN connection.
Is my understanding correct here? Would it be fine to connect a client to
the server over the internet directly? Is there an alternative simpler
solution that I am overlooking?
Thank you,
-Aaron Peschel
6
8