Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2019
- 85 participants
- 90 discussions
Hi!
I am tryiing to recreate the old behaviour I had with freeRADIUS 2:
If User has correct credentials and no group the user belongs to matches,
read a default group, which rejects access.
We have no Fall-Through Attributes in the Database.
If I configure the sql module in freeRADIUS 3.0.18 like I had with FR2:
read_groups = yes
read_profiles = yes
default_user_profile = "DEFAULT"
Do you have a suggestion for me how to change the configuration, so it
behaves like the old Radius Server?
The default profile is always read, even if previous groups matched:
(7) sql: EXPAND %{User-Name}
(7) sql: --> test_account_dsl
(7) sql: SQL-User-Name set to 'test_account_dsl'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, UserName, Attribute, Value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' AND Status = 1 ORDER BY id
(7) sql: --> SELECT id, UserName, Attribute, Value, op FROM radcheck
WHERE username = 'test_account_dsl' AND Status = 1 ORDER BY id
(7) sql: Executing select query: SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE username = 'test_account_dsl' AND Status = 1 ORDER BY id
(7) sql: User found in radcheck table
(7) sql: Conditional check items matched, merging assignment check items
(7) sql: Cleartext-Password := "test12"
(7) sql: EXPAND SELECT id,UserName,Attribute,Value, op FROM radreply WHERE
username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id,UserName,Attribute,Value, op FROM radreply WHERE
username = 'test_account_dsl' ORDER BY id
(7) sql: Executing select query: SELECT id,UserName,Attribute,Value, op FROM
radreply WHERE username = 'test_account_dsl' ORDER BY id
rlm_sql (sql): Reserved connection (26)
rlm_sql (sql): Released connection (26)
(7) sql: EXPAND SELECT GroupName FROM usergroup WHERE Username =
'%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT GroupName FROM usergroup WHERE Username =
'test_account_dsl' ORDER BY priority
(7) sql: Executing select query: SELECT GroupName FROM usergroup WHERE
Username = 'test_account_dsl' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql: --> SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM
radgroupcheck WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Group "dsl_192_2048_filter": Conditional check items matched
(7) sql: Group "dsl_192_2048_filter": Merging assignment check items
(7) sql: Simultaneous-Use := 2
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupreply
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql: --> SELECT id,GroupName,Attribute,Value,op FROM radgroupreply
WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM
radgroupreply WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Group "dsl_192_2048_filter": Merging reply items
(7) sql: ERX-Egress-Policy-Name = "ds_2048_filter"
(7) sql: ERX-Ingress-Policy-Name = "us_192"
(7) sql: Framed-Protocol = PPP
(7) sql: Service-Type = Framed-User
(7) sql: Session-Timeout = 86400
(7) sql: Checking profile DEFAULT
(7) sql: EXPAND DEFAULT
(7) sql: --> DEFAULT
(7) sql: SQL-User-Name set to 'DEFAULT'
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(7) sql: EXPAND SELECT GroupName FROM usergroup WHERE Username =
'%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT GroupName FROM usergroup WHERE Username = 'DEFAULT'
ORDER BY priority
(7) sql: Executing select query: SELECT GroupName FROM usergroup WHERE
Username = 'DEFAULT' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql: --> SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM
radgroupcheck WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Group "DEFAULT": Conditional check items matched
(7) sql: Group "DEFAULT": Merging assignment check items
(7) sql: Auth-Type := Reject
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupreply
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql: --> SELECT id,GroupName,Attribute,Value,op FROM radgroupreply
WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM
radgroupreply WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Group "DEFAULT": Merging reply items
rlm_sql (sql): Released connection (1)
(7) [sql] = ok
The old behaviour:
[sql] expand: %{User-Name} -> test_account_dsl
[sql] sql_set_user escaped user --> 'test_account_dsl'
rlm_sql (sql): Reserving sql socket id: 64
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '%{SQL-User-Name}' AND Status = 1 ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'test_account_dsl' AND Status = 1 ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'test_account_dsl' ORDER BY id
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
usergroup WHERE UserName='test_account_dsl' ORDER BY priority
[sql] expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id,GroupName,Attribute,Value,op FROM radgroupcheck WHERE GroupName =
'dsl_192_2048_filter' ORDER BY id
[sql] User found in group dsl_192_2048_filter
[sql] expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupreply
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id,GroupName,Attribute,Value,op FROM radgroupreply WHERE GroupName =
'dsl_192_2048_filter' ORDER BY id
rlm_sql (sql): Released sql socket id: 64
++[sql] = ok
and if no check item matches:
[sql] expand: %{User-Name} -> test_account_dsl
[sql] sql_set_user escaped user --> 'test_account_dsl'
rlm_sql (sql): Reserving sql socket id: 61
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '%{SQL-User-Name}' AND Status = 1 ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'test_account_dsl' AND Status = 1 ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'test_account_dsl' ORDER BY id
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
usergroup WHERE UserName='test_account_dsl' ORDER BY priority
[sql] expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id,GroupName,Attribute,Value,op FROM radgroupcheck WHERE GroupName =
'dsl_192_2048_filter' ORDER BY id
[sql] Checking profile DEFAULT
[sql] sql_set_user escaped user --> 'DEFAULT'
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
usergroup WHERE UserName='DEFAULT' ORDER BY priority
[sql] expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id,GroupName,Attribute,Value,op FROM radgroupcheck WHERE GroupName =
'DEFAULT' ORDER BY id
[sql] User found in group DEFAULT
[sql] expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupreply
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id,GroupName,Attribute,Value,op FROM radgroupreply WHERE GroupName =
'DEFAULT' ORDER BY id
rlm_sql (sql): Released sql socket id: 61
++[sql] = ok
Greetings,
Daniel Finger
2
1
Hello,
i've got a litle problem with freeradius authentication.
I use a very simple configuration to make "MAC address" authentication.
My configuration works fine with alcatel switch (OS6450 OS6250)
For alcatel configuration i followed the informations from the
freeradius wiki and i use that :
clients.conf file :
client Alcatel {
ipaddr = 192.168.1.102
secret = password
}
authorize file :
5820B1784219 Cleartext-Password := "5820B1784219", Nom-Machine :=
"PORT-GIM-PRET-2"
Now i'm trying to make the same with Huawei switch
I use the same configuration
client Huawei {
ipaddr = 192.168.1.30
secret = FreeRadius
}
and as you can see the user 5820B1784219 exist in my authorize file.
but each time i try with huawei switch i've got this error message
Auth: (0) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [5820b1784219/5820b1784219] (from client
Switch-CM3 port 4098 cli 5820B1784219) - Machine Inconnue
When i launch freeradius -X here is the result but i cant understand
what is wrong :
-------------------------------------------------------------------
(0) Received Access-Request Id 122 from 192.168.1.30:56884 to
192.168.1.101:1812 length 277
(0) User-Name = "5820b1784219"
(0) User-Password = "5820b1784219"
(0) NAS-Port = 4098
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Calling-Station-Id = "5820B1784219"
(0) NAS-Identifier = "Classe-Mobile-2"
(0) NAS-Port-Type = Ethernet
(0) NAS-Port-Id = "slot=0;subslot=0;port=1;vlanid=2"
(0) Called-Station-Id = "0C41E97831A3"
(0) NAS-IP-Address = 192.168.1.30
(0) Acct-Session-Id = "Classe-00001000000002e7263a000002a"
(0) Huawei-Startup-Stamp = 1554497501
(0) Huawei-IPHost-Addr = "255.255.255.255 58:20:b1:78:42:19"
(0) Huawei-Connect-ID = 42
(0) Huawei-Version = "Huawei S5720"
(0) Huawei-Product-ID = "S5720"
(0) Huawei-User-Mac = "\000\000\000\002"
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "5820b1784219", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) EXPAND - Machine Inconnue
(0) --> - Machine Inconnue
(0) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [5820b1784219/5820b1784219] (from client
Switch-CM3 port 4098 cli 5820B1784219) - Machine Inconnue
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> 5820b1784219
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 122 from 192.168.1.101:1812 to
192.168.1.30:56884 length 20
Waking up in 3.9 seconds.
-------------------------------------------------------------------
Thanks for your help
--
Pascal
2
4
Hi all,
Is it possible to change the behavior of freeradius so that all users
are allowed by default but then any users added to the db are then blocked?
2
7
How to prevent FreeRADIUS to send Access-Reject if Username not found
by nikolaos.hatzepanagiotides@iese.fraunhofer.de 08 Apr '19
by nikolaos.hatzepanagiotides@iese.fraunhofer.de 08 Apr '19
08 Apr '19
Hello, dear community!
I am struggeling on prevent freeradius to send a access-reject if the user does not exist in the LDAP-Database.
I did already query if user exist or not and send reply-message “uid not found” but instead I want to send absolutely nothing.
But I get Access-Reject because ldap can’t find the uid and set Auth-Type to nothing, so freeradius say “ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject”
Is there any way to tell freeradius to send no reject if user not found? Only if authentication fail because of invalid password, not non-existing username?
Here is some debug output from FreeRADIUS (I replaced my domain and ip address from the output)
[DEBUG]
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/sradutmp
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/debug
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client rada {
ipaddr = 192.168.1.10
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client radb {
ipaddr = 192.168.1.20
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = LDAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "localhost"
identity = "<<< secret >>>"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = yes
cacheable_dn = no
cache_attribute = "CiscoSecure-Group-Id"
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=my,dc=domain,dc=com"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
instantiate {
}
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20444
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 49324
Listening on proxy address :: port 51145
Ready to process requests
(0) Received Access-Request Id 126 from 127.0.0.1:44847 to 127.0.0.1:1812 length 78
(0) User-Name = "haasdtze"
(0) User-Password = "1111123"
(0) NAS-IP-Address = 192.168.1.111
(0) NAS-Port = 0
(0) Message-Authenticator = 0x8e6b6717ec373b5fb5cd6da2ce942aed
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "haasdtze", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=haasdtze)
(0) ldap: Performing search in "cn=users,cn=accounts,dc=my,dc=domain,dc=com" with filter "(uid=haasdtze)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> FALSE
(0) else {
(0) update {
(0) reply:Reply-Message = "uid not found in ldap-db"
(0) } # update = noop
(0) } # else = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> haasdtze
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 126 from 127.0.0.1:1812 to 127.0.0.1:44847 length 46
(0) Reply-Message = "uid not found in ldap-db"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 126 with timestamp +8
Ready to process requests
^C
[/DEBUG]
So there should be a way to send no Access-Reject and no Reply-Message if the uid is not found in ldap.
Thank you in advance!
--Niko
2
1
Hello Community,
Is there a way to split linelog file to hourly/daily based files?
e.g something like
filename= ${logdir}/acct_log-%Y-%M-%D-%H
Waqas Toor
2
1
Dear Team,
I am trying to remove specific attribute "Framed-Interface-Id" from proxy
accounting packet which do not need for the destination radius server.
I put entry in attr_filter in mods_config as follows.
*Framed-Interface-Id !* ANY*
This is not working and the attribute is not removing still it is receiving.
Kindly help me to solve this
Regards,
Nimesha
2
2
08 Apr '19
Hi All,
I currently use the freeradius 2.14 version. I am using Active Directory ldap. My users connect to the network using the mail attribute in the active directory user area. My users file and ldap settings are as follows;
Freeradius 2.14 Settings:
Ldap File:
-------------
server = "x.x.x.x"
identity = "CN=Administrator,CN=Users,DC=****,DC=****"
password = *****
basedn = "ou=people,dc=xxx,dc=com"
filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=memberOf)"
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfU$
groupmembership_attribute = memberOf
----------------------------------------------------------------
Users File:
DEFAULT User-Name =~ "@xxx.com",Simultaneous-Use := 4
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Session-Timeout = 600,
Idle-Timeout = 300,
Tunnel-Private-Group-ID = 70
DEFAULT User-Name =~ "@abc.xxx.com",Simultaneous-Use := 3
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Session-Timeout = 600,
Idle-Timeout = 300,
Tunnel-Private-Group-ID = 71
--------------------------------------------------------------------
I work in version 2.14 without any problems.
Now I've installed 3.0.16. My radius is included active directory domain. I'm trying to Freeradius 2.14 make the same settings. But I didn't succeed. 3 version seems to have changed a lot. When I do a 'cn' filter in the ldap file, the user can connect with the user 'example', but the filter cannot connect with 'mail' user(a)xxx.com Also, what settings do I need to be able to enable and run freeradius 3.0.16?
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
Thank for your all answers.
Best Regards
freeradius -X
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/control
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client network_10_10 {
ipv4addr = 172.16.20.0/24
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = LDAP
# Creating Auth-Type = PAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "ntlm_auth --request-nt-key --domain=xxx.com --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
ldap {
server = "x.x.x.x"
identity = "CN=Administrator,CN=Users,DC=xxx,DC=com"
password = <<< secret >>>
sasl {
}
edir_autz = yes
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=*)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=*)"
scope = "sub"
base_dn = "ou=people,dc=xxx,dc=com"
}
profile {
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
instantiate {
}
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
rlm_mschap (mschap): Opening additional connection (0), 1 of 32 pending slots used
rlm_mschap (mschap): Opening additional connection (1), 1 of 31 pending slots used
rlm_mschap (mschap): Opening additional connection (2), 1 of 30 pending slots used
rlm_mschap (mschap): Opening additional connection (3), 1 of 29 pending slots used
rlm_mschap (mschap): Opening additional connection (4), 1 of 28 pending slots used
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/server.key"
certificate_file = "/etc/freeradius/3.0/certs/server.pem"
ca_file = "/etc/freeradius/3.0/certs/server.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
random_file = "/etc/freeradius/3.0/certs/random"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20445
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 10 pending slots used
rlm_ldap (ldap): Connecting to ldap://172.16.20.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 9 pending slots used
rlm_ldap (ldap): Connecting to ldap://172.16.20.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 8 pending slots used
rlm_ldap (ldap): Connecting to ldap://172.16.20.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 7 pending slots used
rlm_ldap (ldap): Connecting to ldap://172.16.20.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 6 pending slots used
rlm_ldap (ldap): Connecting to ldap://172.16.20.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:347
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 55290
Listening on proxy address :: port 43827
Ready to process requests
2
1
HI
One more question (sorry)
With each accounts call I am calling the sqlippool module. This is
wasteful as most sessions on the server *currently* are not from an IP
pool.
The connections that are in the pool all have Framed-IPs which are
'172.x'
I have added ...
if (Framed-IP-Address =~ /172\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/) {
sqlippool
}
Which seems to work and I am now only seeing the sqlippool calls when
the IP is that match...
Now my knowledge of regex is not the greatest - so I would really
appreciate someone here taking a quick look and saying if that looks
correct
Thanks in advance
Richard
On Saturday 06/04/2019 at 11:39 pm, Richard J Palmer wrote:
>
> Hi Alan
>
> That fixes it - thank you as ever for your help
>
> It is appreciated
>
>
> Richard
>>
>> --- Original message ---
>> Subject: Re: rlm_sqlippool Question
>> From: Alan DeKok <aland(a)deployingradius.com>
>> To: FreeRadius users mailing list
>> <freeradius-users(a)lists.freeradius.org>
>> Date: Saturday, 06/04/2019 10:53 PM
>>
>> On Apr 6, 2019, at 5:40 PM, Richard J Palmer <richard(a)merula.net>
>> wrote:
>>>
>>>
>>>
>>> Going back more (sorry I am talking to myself .....
>>>
>>> The config works file with 3.0.15
>>> BUT breaks with that error with 3.0.16 onwards
>>
>> Use the v3.0.x branch from GitHub. It has a fix. We're
>> releasing
>> 3.0.19 next week.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
3
2
Hi
I have sent an email to the company so will see what they can do -
these are Broadband L2TP sessions so the Calling-Staion-Id in these
cases are a circuid ID - I do get them at session start - I have asked
if they can be added to interim and end packets
I made a mistake with CUI - that's something that we send back with
the reply so we do generate this and it comes with every update - so I
may be able to work on that too.
On the positive side - even with that - because of the flexibility of
FreeRadius - I can make this work - and work properly - Hopefully they
can adjust the code on the devide to send the extra fields and that
will make things even easier
I'll let you know how I get on
Thanks again for the pointers
Richard
>
> --- Original message ---
> Subject: Re: Updating Multipe variables with one SQL Query
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Date: Sunday, 07/04/2019 8:33 PM
>
> On Apr 7, 2019, at 3:24 PM, Richard J Palmer <richard(a)merula.net>
> wrote:
>>
>> I have spoken to Adrian/RevK It's something they are looking at but
>> not a 'simple' change - so not something happening 'immediately'.
>
> If there's a User-Name, it should be sent in accounting packets.
> The same goes for Calling-Station-ID, which is usually the MAC
> address.
>
> Doing anything else is severely unfriendly to every other RADIUS
> system.
>
>>
>> Currently they set 'Chargeable-User-Identity' which is OK - and I
>> could use that. The Firebrick does not hold the username (as things
>> stand) once the session is setup
>
>>
>> - BUT we don't have the chargeable ID until the auth start hits
>> freeradius Which means it's not available at the time of the IP
>> allocation
>
> I'm not sure I understand that. CUI is sent by the RADIUS server
> to the NAS. The NAS *never* creates a CUI and sends it to the server.
> See RFC 4372 for details.
>
>>
>> The reason for not returning the Framed-IP they say is that the
>> devices allow multiple IPs and the framed IP can be changed with a CoA
>> request even - which can be nice - you can even have multiple routing
>> tables - so you can have the sane IP in multiple IPs in different
>> tables in a scenario like this (putting some users into walled
>> gardens). Obviously in this scenario it won't change
>
> That doesn't make sense.
>
> If the RADIUS server sends a Framed-IP-Address to the NAS, the NAS
> should echo it back in accounting packets. If the Framed-IP-Address
> is changed in a CoA request, then the NAS should echo the *new*
> Framed-IP-Address in subsequent accounting requests.
>
>>
>> I totally agree it is unhelpful in this case and I am not defending
>> them - Just some of their thinking when I asked them- I will continue
>> to nudge this one!
>
> They can ask RADIUS people for help.
>
> i.e. EVERYONE PLEASE ASK.
>
> It's better to fix things in the engineering stage. The
> alternative is to ship garbage, and then have the poor users wonder
> why the software isn't compatible with anything else.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
1
0
HI Matthew
I have spoken to Adrian/RevK It's something they are looking at but
not a 'simple' change - so not something happening 'immediately'.
Currently they set 'Chargeable-User-Identity' which is OK - and I
could use that. The Firebrick does not hold the username (as things
stand) once the session is setup - BUT we don't have the chargeable ID
until the auth start hits freeradius Which means it's not available at
the time of the IP allocation
The reason for not returning the Framed-IP they say is that the
devices allow multiple IPs and the framed IP can be changed with a CoA
request even - which can be nice - you can even have multiple routing
tables - so you can have the sane IP in multiple IPs in different
tables in a scenario like this (putting some users into walled
gardens). Obviously in this scenario it won't change
I totally agree it is unhelpful in this case and I am not defending
them - Just some of their thinking when I asked them- I will continue
to nudge this one!
These are the big brother of the 2900's (the 6000s :)
This is v3 here - though happy to use / test v4 if that works for this
scenario
Could you possibly point me at some documentation for either - Happy
to read and test with these. I have
https://networkradius.com/doc/3.0.8/raddb/mods-available/redis.html
which I am working through and seems sensible - but any pointers
welcomed
I'll have a read of that and see how I get on - I may come back with
more questions
Thanks for the pointers so far
Richard
On Sunday 07/04/2019 at 8:07 pm, Matthew Newton wrote:
> On Sun, 2019-04-07 at 14:47 -0400, Alan DeKok wrote:
>>
>> On Apr 7, 2019, at 11:07 AM, Richard J Palmer <richard(a)merula.net>
>> wrote:
>>>
>>> The cause it seems is what the Interim updates send to Freeradius -
>>> the Router (a firebrick LNS server)
>>
>> That's not only unusual, it's unfriendly. Most RADIUS clients
>> send
>> everything they know about the session in every accounting packet.
>>
>>>
>>> I can get round that in pre-acc by running:
>>
>> It doesn't event send the User-Name? What a piece of garbage.
>
> Richard, have you tried contacting RevK/Firebrick and asking if they
> can add that?
>
> As Alan says, it's pretty unusual not to include those attributes
> (even
> though I'm not sure if any RFCs actually specify they _have_ to be
> included).
>
> Firebricks are nice bits of kit (I've got a 2900), I'm guessing this
> is
> a case of "no need to do that if not explicitly stated in the RFCs".
>
>
>>
>>>
>>> is there a built in way to return the three columns from sql and
>>> then within FreeRadius and assign them into the items as need be.
>>
>> You can grab the 3 parameters in one SQL query, and then separate
>> them via a regex. But that's about it.
>
> Can use a map{} in v4. Or (in v3) backend it with Redis, which will
> pull this stuff back before SQL has even parsed the query.
>
> --
> Matthew
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
2
1