Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2019
- 54 participants
- 61 discussions
Hello,
I am trying to use LDAP access to Open Directory on a 10.14.6 machine. I installed Freeradius from MacPorts. I am attempting to use Freeradius to authenticate wireless users. If I make the following edit to /opt/local/etc/raddb/mods-config/files/authorize, I can make a wireless connection without problems.
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
#
#
ershler Cleartext-Password := “mypass"
Reply-Message := "Hello, %{User-Name}"
#
Here you can see the Reply-Message in several places as the authentication proceeds.
Received Access-Request Id 73 from 155.100.140.233:58880 to 155.100.140.85:1812 length 196
(9) User-Name = "ershler"
(9) NAS-IP-Address = 155.100.140.233
(9) NAS-Port = 0
(9) Called-Station-Id = "00-26-BB-74-F6-1F:CVRTI-G"
(9) Calling-Station-Id = "A0-99-9B-10-AF-65"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 0Mbps 802.11"
(9) EAP-Message = 0x02b200251900170303001a44ad024358ecd35da92afbb2e7970520a3c18852ced0f46ef259
(9) State = 0xe2201e71ea92079232d7793ca94d3ef5
(9) Message-Authenticator = 0x1383e35fceb57971f268e1e223750d27
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 178 length 37
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /opt/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x9638639a978a7940
(9) eap: Finished EAP session with state 0xe2201e71ea920792
(9) eap: Previous EAP request found for state 0xe2201e71ea920792, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x02b200061a03
(9) eap_peap: Setting User-Name to ershler
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x02b200061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "ershler"
(9) eap_peap: State = 0x9638639a978a79408050c69dcac660aa
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x02b200061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "ershler"
(9) State = 0x9638639a978a79408050c69dcac660aa
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 178 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files: users: Matched entry ershler at line 92
(9) files: EXPAND Hello, %{User-Name}
(9) files: --> Hello, ershler
(9) [files] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x9638639a978a7940
(9) eap: Finished EAP session with state 0x9638639a978a7940
(9) eap: Previous EAP request found for state 0x9638639a978a7940, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 178 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9) post-auth {
(9) if (0) {
(9) if (0) -> FALSE
(9) } # post-auth = noop
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) Reply-Message = "Hello, ershler"
(9) MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440
(9) MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca
(9) EAP-Message = 0x03b20004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "ershler"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: Reply-Message = "Hello, ershler"
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440
(9) eap_peap: MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca
(9) eap_peap: EAP-Message = 0x03b20004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "ershler"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: Reply-Message = "Hello, ershler”
**************************************************************************************
With dscl, I can see the following apple-enabled-auth-mech enabled
admin$ dscl /LDAPv3/127.0.0.1 read /Config/dirserv apple-enabled-auth-mech
dsAttrTypeNative:apple-enabled-auth-mech: DHX DIGEST-MD5 GSSAPI SRP CRAM-MD5 WEBDAV-DIGEST SMB-NTLMv3 EAP-MSCHAPv2 SMB-NTLMv2
If I take my name and password out of /opt/local/etc/raddb/mods-config/files/authorize, then I get the following errors from FreeRadius. I am wondering what or where the problem is.
**************************************************************************************
(30) FreeRADIUS-Proxied-To = 127.0.0.1
(30) User-Name = "ershler"
(30) State = 0xfdbd9f93fd6a85f8a445b5c272e47828
(30) WARNING: Outer and inner identities are the same. User privacy is compromised.
(30) server inner-tunnel {
(30) session-state: No cached attributes
(30) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /(a)\./) {
(30) if (&User-Name =~ /(a)\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [chap] = noop
(30) [mschap] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) update control {
(30) &Proxy-To-Realm := LOCAL
(30) } # update control = noop
(30) eap: Peer sent EAP Response (code 2) ID 215 length 66
(30) eap: No EAP Start, assuming it's an on-going EAP conversation
(30) [eap] = updated
(30) [files] = noop
(30) [expiration] = noop
(30) [logintime] = noop
(30) [pap] = noop
(30) } # authorize = updated
(30) Found Auth-Type = eap
(30) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) authenticate {
(30) eap: Expiring EAP session with state 0xfdbd9f93fd6a85f8
(30) eap: Finished EAP session with state 0xfdbd9f93fd6a85f8
(30) eap: Previous EAP request found for state 0xfdbd9f93fd6a85f8, released from the list
(30) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(30) eap: Calling submodule eap_mschapv2 to process data
(30) eap_mschapv2: # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) eap_mschapv2: authenticate {
(30) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(30) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(30) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(30) mschap: OD username_string = ershler, OD shortUserName=ershler (length = 7)
(30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported
(30) eap_mschapv2: [mschap] = reject
(30) eap_mschapv2: } # authenticate = reject
(30) eap: Sending EAP Failure (code 4) ID 215 length 4
(30) eap: Freeing handler
(30) [eap] = reject
(30) } # authenticate = reject
(30) Failed to authenticate the user
(30) Using Post-Auth-Type Reject
(30) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) Post-Auth-Type REJECT {
(30) attr_filter.access_reject: EXPAND %{User-Name}
(30) attr_filter.access_reject: --> ershler
(30) attr_filter.access_reject: Matched entry DEFAULT at line 11
(30) [attr_filter.access_reject] = updated
(30) update outer.session-state {
(30) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported'
(30) } # update outer.session-state = noop
(30) } # Post-Auth-Type REJECT = updated
(30) } # server inner-tunnel
************************************************************************************
Thanks,
Phil Ershler
2
1
Hello Guys,
I started seeing below errors related to TLS.
```
Fri Aug 23 09:57:32 2019 : Error: tls: Failed in proxy receive
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
```
Any suggestion on this will really help.
Thanks & Regards,
Nitin Sharma
5
7
Re : example dictionary entries wanted for 6929 - for new Extended Type 241.XX and Long ExtendedType 246.XX
by robert.stannard@bt.com 30 Sep '19
by robert.stannard@bt.com 30 Sep '19
30 Sep '19
I am new to Radius and trying to implement the extensions to RFC2865 specified in RFC6929.
Are there any example dictionary entries showing how the new extensions are coded ? I am referring to,
1. Extended Type (e.g 241)
2. Long Extended Type (e.g. 245)
3. TLV
4. EVS
For example, for 1. should the entry in our vendor dictionary be like,
a) "ATTRIBUTE XY-NEW-EXTENDED Extended-Vendor-Specific-1.1 STRING"
or
b) "ATTRIBUTE XY-NEW-EXTENDED 241.1 STRING"
examples for the other would be helpful as well as any references to examples / docs etc.
thank you.
3
6
On Sep 27, 2019, at 10:33 AM, Thibault Lansiaux <thibault.lansiaux(a)wiconnect.fr> wrote:
>
> Hi Allan,
>
> The '==' seems not to be the problem, the same radreply (same base.table) is ok with our old freeradius.
That is not a useful response. It's quite rude.
You can (a) waste your time thinking that you're smarter than everyone else, or (b) follow instructions and fix the problem.
Alan DeKok.
1
0
Hi,
We are having a problem with a freeradius migration, from two different
servers.
The first (old) 1.x : is OK
On the new server (freeradius 3.0.12) FreeRadius select the user's
radreply but don't send them in the "Access-Accept"
We compared "sites-enabled/default" from the old and new, and didn't
find differences in "authorize {" and "preprocess {"
Bellow the Freeradius -X request :
Ready to process requests
(0) Received Access-Request Id 212 from 4.5.6.7:20506 to 1.2.3.4:1812
length 179
(0) Acct-Session-Id = "008fe531"
(0) NAS-Port = 0
(0) NAS-Port-Type = Virtual
(0) User-Name = "MY-NAS-ID"
(0) Calling-Station-Id = "01-02-03-04-05-06"
(0) Called-Station-Id = "11-12-13-14-15-16"
(0) Framed-IP-Address = 192.168.3.254
(0) User-Password = "mypassword"
(0) NAS-Identifier = "MY-NAS-ID"
(0) NAS-IP-Address = 10.0.50.1
(0) Framed-MTU = 1496
(0) Connect-Info = "HTTPS"
(0) Service-Type = Administrative-User
(0) Message-Authenticator = 0x26fc427cba3a98946382a756c6659634
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) update request {
(0) EXPAND %{User-Name}
(0) --> MY-NAS-ID
(0) SQL-User-Name set to 'MY-NAS-ID'
rlm_sql (sql): Reserved connection (0)
(0) Executing select query: SELECT groupname FROM radhuntgroup WHERE
nasipaddress="MY-NAS-ID"
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-Identifier}"}
(0) --> my-nas-id-group
(0) &Huntgroup-Name := my-nas-id-group
(0) } # update request = noop
(0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup
WHERE username="%{User-Name}"}"){
(0) EXPAND %{User-Name}
(0) --> MY-NAS-ID
(0) SQL-User-Name set to 'MY-NAS-ID'
rlm_sql (sql): Reserved connection (1)
(0) Executing select query: SELECT groupname FROM radusergroup WHERE
username="MY-NAS-ID"
rlm_sql (sql): Released connection (1)
(0) EXPAND %{sql:SELECT groupname FROM radusergroup WHERE
username="%{User-Name}"}
(0) --> my-nas-id-group
(0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup
WHERE username="%{User-Name}"}") -> TRUE
(0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup
WHERE username="%{User-Name}"}") {
(0) [ok] = ok
(0) } # if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup
WHERE username="%{User-Name}"}") = ok
(0) ... skipping else: Preceding "if" was taken
(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/4.5.6.7/auth-detail-20190927
(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/4.5.6.7/auth-detail-20190927
(0) auth_log: EXPAND %t
(0) auth_log: --> Fri Sep 27 11:58:20 2019
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "MY-NAS-ID", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [unix] = notfound
(0) sql: EXPAND %{User-Name}
(0) sql: --> MY-NAS-ID
(0) sql: SQL-User-Name set to 'MY-NAS-ID'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "mypassword"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: User found in radreply table, merging reply items
(0) sql: Colubris-AVPair ==
"access-list=loginserver,DENY,all,192.168.0.0/18,all"
(0) sql: Colubris-AVPair ==
"access-list=loginserver,DENY,all,172.16.0.0/12,all"
(0) sql: Colubris-AVPair ==
"access-list=loginserver,DENY,all,10.0.0.0/8,all"
(0) sql: Colubris-AVPair ==
"access-list=loginserver,ACCEPT,tcp,www.mydomain.com,all"
(0) sql: Colubris-AVPair == "use-access-list=loginserver"
(0) sql: Colubris-AVPair ==
"logo=https://webportail.mydomain.com/directory/logo.gif"
(0) sql: Colubris-AVPair ==
"fail-page=https://webportail.mydomain.com/directory/fail.html"
(0) sql: Colubris-AVPair ==
"session-page=https://webportail.mydomain.com/directory/session.html"
(0) sql: Colubris-AVPair ==
"messages=https://webportail.mydomain.com/directory/messages.txt"
(0) sql: Colubris-AVPair ==
"transport-page=https://webportail.mydomain.com/directory/transport.html"
(0) sql: Colubris-AVPair ==
"login-err-url=https://webportail.mydomain.com/directory/login-error.php"
(0) sql: Colubris-AVPair ==
"goodbye-url=https://webportail.mydomain.com/directory/goodbye.php"
(0) sql: Colubris-AVPair ==
"login-url=https://webportail.mydomain.com/directory/index.php?mac=%m"
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username =
'MY-NAS-ID' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup
WHERE username = 'MY-NAS-ID' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Group "my-nas-id-group": Conditional check items matched
(0) sql: Group "my-nas-id-group": Merging assignment check items
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Group "my-nas-id-group": Merging reply items
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) reply_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log: --> /var/log/freeradius/radacct/4.5.6.7/reply-detail-20190927
(0) reply_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/4.5.6.7/reply-detail-20190927
(0) reply_log: EXPAND %t
(0) reply_log: --> Fri Sep 27 11:58:20 2019
(0) [reply_log] = ok
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> MY-NAS-ID
(0) sql: SQL-User-Name set to 'MY-NAS-ID'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'MY-NAS-ID', 'mypassword', 'Access-Accept', '2019-09-27 11:58:20')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'MY-NAS-ID', 'mypassword', 'Access-Accept',
'2019-09-27 11:58:20')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Login OK: [MY-NAS-ID/mypassword] (from client MY_CLIENT-WAN-IP port
0 cli 01-02-03-04-05-06)
(0) Sent Access-Accept Id 212 from 1.2.3.4:1812 to 4.5.6.7:20506 length 0
(0) Finished request
Waking up in 4.9 seconds.
Regards,
--
/Thibault Lansiaux/
2
1
27 Sep '19
I'm trying to implement external authentication for an appliance running
CentOS 7. My research turned up the easiest solution as simply
installing pam_radius from the repository. I did, and it works just
fine (tested against a Freeradius 3.0 server with a single test user.)
Running freeradiux with '-X' indicates that is using PAP:
(0) User-Name = "XXX"
(0) User-Password = "XXX"
(0) NAS-IP-Address = XXX.XXX.XXX.XXX
(0) NAS-Identifier = "sshd"
(0) NAS-Port = 15050
(0) NAS-Port-Type = Virtual
(0) Service-Type = Authenticate-Only
...
(0) Found Auth-Type = PAP
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
For security reasons, I'd really like to use CHAP instead, but it
doesn't seem to support that? The man pages and such don't mention
CHAP. I went as far as downloading 1.4.0 and extracting the tarball and
looking at the code. User-Password is Radius attribute 2, and looking
at the source:
0 radius.h <global> 71 #define PW_PASSWORD 2
and
1 pam_radius_auth.c add_password 541 attr =
find_attribute(request,
PW_PASSWORD);
2 pam_radius_auth.c add_password 543 if (type == PW_PASSWORD) {
3 pam_radius_auth.c build_radius_packet 721 add_password(request,
PW_PASSWORD,
password,
conf->server->secret);
4 pam_radius_auth.c build_radius_packet 727 add_password(request,
PW_PASSWORD,
"", conf->server->secret);
5 pam_radius_auth.c talk_radius 975 add_password(request,
PW_PASSWORD,
password, old_password);
6 pam_radius_auth.c talk_radius 978 add_password(request,
PW_PASSWORD,
password, server->secret);
Am I missing something? Or am I out of luck? Thanks!
4
8
Freeradius - how to reply "memberof" active directory information for Strongswan
by Sébastien Genesta 25 Sep '19
by Sébastien Genesta 25 Sep '19
25 Sep '19
Hi,
I'm using Freeradius for the Active Directory authentication of my
Strongswan clients.
My goal is to declare 2 vpn connections with different virtual IP leases,
allowing me to separate traffic (as an example, one vpn connection for
sales and the other for technicians).
To do it, I'm trying to use Group selection option (rightgroups) on
Strongswan.
According to Strongswan documentation (
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to
use class attribute on my freeradius server to return the group membership.
The issue is that I don't know how.
I'm using mschap for authentication to Active Directory.
*My current configuration:*
*/etc/freeradius/3.0/mods-available/mschap*
with_ntdomain_hack = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
*/etc/freeradius/3.0/mods-enabled/eap*
eap {
[...]
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no
*/etc/freeradius/3.0/clients.conf*
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = <radius-secret>
require_message_authenticator = no
nas_type = other
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# IPv6 Client
#client localhost_ipv6 {
# ipv6addr = ::1
# secret = testing123
#}
I've tried to follow this post but it didn't work
http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-t…
More precisaly below part (replacing ldap module by mschap module and also
changing path because my freeradius version is 3.0):
*1) Added a mapping in ldap mod.*
# /etc/raddb/mods-enabled/ldap
ldap {
...
update {
...
reply:memberOf += 'memberOf'
}
...
}
*2) Added an Attribute reference*
# /etc/raddb/dictionary
ATTRIBUTE memberOf 3001 string
*3) Added a update reply*
# /etc/raddb/sites-enabled/default
post-auth {
...
foreach &reply:memberOf {
update reply {
Class += "%{Foreach-Variable-0}"
}
}
...
}
I also tried to set below information (according to
http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td278105…
)
post-auth {
...
update reply {
Class += %{Group}
}
}
...
}
I've searched accross the Internet but didn't find a way to do it
properly.
Is there any official guide explaning how to reply memberOf attribute?
How can I do it?
Thanks for your help
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campai…>
Garanti
sans virus. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campai…>
<#m_-4546190989838674270_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
2
4
Hi Team
Is there a way to set "Tag = 0x00" in Tunnel-Private-Group-ID attribute?
I have the following user listed in users file. When access-accept is
sent, tag-id is set to 0x00 in Tunnel-Medium-Type and Tunnel-Type
attributes. RFC 2868 didn't mention anything about tag=0x00 and I
assume thats the reason we are not sending it from Freeradius.
IxiaScale12000 Cleartext-Password := passwd12000
Tunnel-Medium-Type:0 = IEEE-802 ,
Tunnel-Type:0 = VLAN ,
Tunnel-Private-Group-Id:0 = "105",
Filter-id = "Radius-block",
Session-timeout = 500,
Termination-Action = RADIUS-Request
Version:
======
[root@yagna-freeradius1 ~]# radiusd -X
FreeRADIUS Version 3.0.17
Best Regards
Phani
2
4
Hello All,
I've recently setup FreeRADIUS 3.0.17 using MySQL (Mariadb) together with phpMyAdmin all running on a Raspberry Pi 3. I'm using FreeRADIUS to send Mikrotik attributes to my NAS for my PEAP authenticated wireless clients which works well.
I'm now moving to a production setup for a community, so I've obtained new certificates (DomainSSL) which have been issued by 'GoGetSSL'.
To do this, I've updated the 'snake-oil' certificates, including the 'private key' and 'server.crt' provided by the certificate issuer. With regard to the 'Trusted root CA' certificates', I've combined both the 'USERTrust_RSA_Certificate_Authority.crt' and 'AddTrustExternal_CA_Root.crt' into one file and updated the ./etc/mods-enabled/eap to use my keys and certificates.
The issue I'm having is that when using my updated certificates and authenticating my wireless clients via PEAP, some devices such as my Macbook Air (MacOS Mojave) mark the certificates as valid while others, such as my iPhone (iOS 12) mark the certificate as invalid. I believe this issue relates to the root trust certificate?
What could I do to improve compatibility and prevent this invalid certificate issue for my end users? Could this be solved by using a different certificate provider? such as LetsEncrypt with a public CA?
With Thanks,
Shan.
For reference, included below is the EAP config and Freeradius debug.
./etc/freeradius/3.0/mods-enabled/eap Config:
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: f67cbdbff9b6560cec9f68da1adb82b59723d2ef $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
#
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. For simplicity,
# this is taken from the "max_requests" directive in
# radiusd.conf.
max_sessions = ${max_requests}
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
#
# EAP-pwd -- secure password-based authentication
#
# pwd {
# group = 19
#
# server_id = theserver(a)example.com
# This has the same meaning as for TLS.
# fragment_size = 1020
# The virtual server which determines the
# "known good" password for the user.
# Note that unlike TLS, only the "authorize"
# section is processed. EAP-PWD requests can be
# distinguished by having a User-Name, but
# no User-Password, CHAP-Password, EAP-Message, etc.
# virtual_server = "inner-tunnel"
# }
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## Common TLS configuration for TLS-based EAP types
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# If you do not currently have certificates signed by
# a trusted CA you may use the 'snakeoil' certificates.
# Included with the server in raddb/certs.
#
# If these certificates have not been auto-generated:
# cd raddb/certs
# make
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls-config tls-common {
private_key_password = whatever
private_key_file = /etc/ssl/private/private.key
#MODIFIED 19SEP19
#private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
#MODIFIED 19SEP19
certificate_file = /etc/ssl/certs/server.crt
#certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
#MODIFIED 19SEP19
ca_file = /etc/ssl/certs/usertrust_and_addtrust_combined.crt
#ca_file = /etc/ssl/certs/ca-certificates.crt
# OpenSSL will automatically create certificate chains,
# unless we tell it to not do that. The problem is that
# it sometimes gets the chains right from a certificate
# signature view, but wrong from the clients view.
#
# When setting "auto_chain = no", the server certificate
# file MUST include the full certificate chain.
# auto_chain = yes
#
# If OpenSSL supports TLS-PSK, then we can use
# a PSK identity and (hex) password. When the
# following two configuration items are specified,
# then certificate-based configuration items are
# not allowed. e.g.:
#
# private_key_password
# private_key_file
# certificate_file
# ca_file
# ca_path
#
# For now, the identity is fixed, and must be the
# same on the client. The passphrase must be a hex
# value, and can be up to 256 hex digits.
#
# Future versions of the server may be able to
# look up the shared key (hexphrase) based on the
# identity.
#
# psk_identity = "test"
# psk_hexphrase = "036363823"
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 2048
#
dh_file = ${certdir}/dh
#
# If your system doesn't have /dev/urandom,
# you will need to create this file, and
# periodically change its contents.
#
# For security reasons, FreeRADIUS doesn't
# write to files in its configuration
# directory.
#
# random_file = /dev/urandom
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the lines below.
# 5) Restart radiusd
# check_crl = yes
# Check if intermediate CAs have been revoked.
# check_all_crl = yes
ca_path = ${cadir}
# Accept an expired Certificate Revocation List
#
# allow_expired_crl = no
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
#
# This check can be done more generally by checking
# the value of the TLS-Client-Cert-Issuer attribute.
# This check can be done via any mechanism you
# choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-CN attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
cipher_list = "DEFAULT"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
# for choosing right cipher suite rather than
# using client-specified list which is OpenSSl default
# behavior. Having it set to yes is a current best practice
# for TLS
cipher_server_preference = no
#
# You can selectively disable TLS versions for
# compatability with old client devices.
#
# If your system has OpenSSL 1.1.0 or greater, do NOT
# use these. Instead, set tls_min_version and
# tls_max_version.
#
# disable_tlsv1_2 = no
# disable_tlsv1_1 = no
# disable_tlsv1 = no
#
# Set min / max TLS version. Mainly for Debian
# "trusty", which disables older versions of TLS, and
# requires the application to manually enable them.
#
# If you are running Debian trusty, you should set
# these options, otherwise older clients will not be
# able to connect.
#
# Allowed values are "1.0", "1.1", and "1.2".
#
# The values must be in quotes.
#
# tls_min_version = "1.0"
# tls_max_version = "1.2"
#
# Elliptical cryptography configuration
#
# Only for OpenSSL >= 0.9.8.f
#
ecdh_curve = "prime256v1"
#
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
cache {
#
# Enable it. The default is "no". Deleting the entire "cache"
# subsection also disables caching.
#
# As of version 3.0.14, the session cache requires the use
# of the "name" and "persist_dir" configuration items, below.
#
# The internal OpenSSL session cache has been permanently
# disabled.
#
# You can disallow resumption for a particular user by adding the
# following attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT enable resumption for just one
# user by setting the above attribute to "yes".
#
enable = no
#
# Lifetime of the cached entries, in hours. The sessions will be
# deleted/invalidated after this time.
#
lifetime = 24 # hours
#
# Internal "name" of the session cache. Used to
# distinguish which TLS context sessions belong to.
#
# The server will generate a random value if unset.
# This will change across server restart so you MUST
# set the "name" if you want to persist sessions (see
# below).
#
#name = "EAP module"
#
# Simple directory-based storage of sessions.
# Two files per session will be written, the SSL
# state and the cached VPs. This will persist session
# across server restarts.
#
# The default directory is ${logdir}, for historical
# reasons. You should ${db_dir} instead. And check
# the value of db_dir in the main radiusd.conf file.
# It should not point to ${raddb}
#
# The server will need write perms, and the directory
# should be secured from anyone else. You might want
# a script to remove old files from here periodically:
#
# find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
#
# This feature REQUIRES "name" option be set above.
#
#persist_dir = "${logdir}/tlscache"
}
#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
# If OCSP checking is enabled, and the OCSP checks fail,
# the verify section is not run.
#
# If OCSP checking is disabled, the verify section is
# run on successful certificate validation.
#
verify {
# If the OCSP checks succeed, the verify section
# is run to allow additional checks.
#
# If you want to skip verify on OCSP success,
# uncomment this configuration item, and set it
# to "yes".
# skip_if_ocsp_ok = no
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
# tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..ca_path} text is a reference to
# the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
#
# OCSP Configuration
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
# new Certificate Revocation Lists (CRLs).
#
ocsp {
#
# Enable it. The default is "no".
# Deleting the entire "ocsp" subsection
# also disables ocsp checking
#
enable = no
#
# The OCSP Responder URL can be automatically
# extracted from the certificate in question.
# To override the OCSP Responder URL set
# "override_cert_url = yes".
#
override_cert_url = yes
#
# If the OCSP Responder address is not extracted from
# the certificate, the URL can be defined here.
#
url = "http://127.0.0.1/ocsp/"
#
# If the OCSP Responder can not cope with nonce
# in the request, then it can be disabled here.
#
# For security reasons, disabling this option
# is not recommended as nonce protects against
# replay attacks.
#
# Note that Microsoft AD Certificate Services OCSP
# Responder does not enable nonce by default. It is
# more secure to enable nonce on the responder than
# to disable it in the query here.
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
#
# use_nonce = yes
#
# Number of seconds before giving up waiting
# for OCSP response. 0 uses system default.
#
# timeout = 0
#
# Normally an error in querying the OCSP
# responder (no response from server, server did
# not understand the request, etc) will result in
# a validation failure.
#
# To treat these errors as 'soft' failures and
# still accept the certificate, enable this
# option.
#
# Warning: this may enable clients with revoked
# certificates to connect if the OCSP responder
# is not available. Use with caution.
#
# softfail = no
}
}
## EAP-TLS
#
# As of Version 3.0, the TLS configuration for TLS-based
# EAP types is above in the "tls-config" section.
#
tls {
# Point to the common TLS configuration
tls = tls-common
#
# As part of checking a client certificate, the EAP-TLS
# sets some attributes such as TLS-Client-Cert-CN. This
# virtual server has access to these attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
}
## EAP-TTLS
#
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
ttls {
# Which tls-config section the TLS negotiation parameters
# are in - see EAP-TLS above for an explanation.
#
# In the case that an old configuration from FreeRADIUS
# v2.x is being used, all the options of the tls-config
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TTLS tunnel, we recommend
# using EAP-MD5. If the request does not contain an
# EAP conversation, then this configuration entry is
# ignored.
#
default_eap_type = md5
# The tunneled authentication request does not usually
# contain useful attributes like 'Calling-Station-Id',
# etc. These attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to 'yes',
# any attribute which is NOT in the tunneled
# authentication request, but which IS available
# outside of the tunnel, is copied to the tunneled
# request.
#
# allowed values: {no, yes}
#
copy_request_to_tunnel = no
#
# As of version 3.0.5, this configuration item
# is deprecated. Instead, you should use
#
# update outer.session-state {
# ...
#
# }
#
# This will cache attributes for the final Access-Accept.
#
# The reply attributes sent to the NAS are usually
# based on the name of the user 'outside' of the
# tunnel (usually 'anonymous'). If you want to send
# the reply attributes based on the user name inside
# of the tunnel, then set this configuration entry to
# 'yes', and the reply to the NAS will be taken from
# the reply to the tunneled request.
#
# allowed values: {no, yes}
#
use_tunneled_reply = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This has the same meaning, and overwrites, the
# same field in the "tls" configuration, above.
# The default value here is "yes".
#
# include_length = yes
#
# Unlike EAP-TLS, EAP-TTLS does not require a client
# certificate. However, you can require one by setting the
# following option. You can also override this option by
# setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
# Note that the majority of supplicants do not support using a
# client certificate with EAP-TTLS, so this option is unlikely
# to be usable for most people.
#
# require_client_cert = yes
}
## EAP-PEAP
#
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
#
# If is still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
peap {
# Which tls-config section the TLS negotiation parameters
# are in - see EAP-TLS above for an explanation.
#
# In the case that an old configuration from FreeRADIUS
# v2.x is being used, all the options of the tls-config
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
#
default_eap_type = mschapv2
# The PEAP module also has these configuration
# items, which are the same as for TTLS.
#
copy_request_to_tunnel = no
#
# As of version 3.0.5, this configuration item
# is deprecated. Instead, you should use
#
# update outer.session-state {
# ...
#
# }
#
# This will cache attributes for the final Access-Accept.
#
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
#
# proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
#
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
#
# Unlike EAP-TLS, PEAP does not require a client certificate.
# However, you can require one by setting the following
# option. You can also override this option by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
# Note that the majority of supplicants do not support using a
# client certificate with PEAP, so this option is unlikely to
# be usable for most people.
#
# require_client_cert = yes
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.
#
# send_error = no
# Server identifier to send back in the challenge.
# This should generally be the host name of the
# RADIUS server. Or, some information to uniquely
# identify it.
# identity = "FreeRADIUS"
}
## EAP-FAST
#
# The FAST module implements the EAP-FAST protocol
#
# fast {
# Point to the common TLS configuration
#
# tls = tls-common
#
# If 'cipher_list' is set here, it will over-ride the
# 'cipher_list' configuration from the 'tls-common'
# configuration. The EAP-FAST module has it's own
# over-ride for 'cipher_list' because the
# specifications mandata a different set of ciphers
# than are used by the other EAP methods.
#
# cipher_list though must include "ADH" for anonymous provisioning.
# This is not as straight forward as appending "ADH" alongside
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
#
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
# PAC lifetime in seconds (default: seven days)
#
# pac_lifetime = 604800
# Authority ID of the server
#
# if you are running a cluster of RADIUS servers, you should make
# the value chosen here (and for "pac_opaque_key") the same on all
# your RADIUS servers. This value should be unique to your
# installation. We suggest using a domain name.
#
# authority_identity = "1234"
# PAC Opaque encryption key (must be exactly 32 bytes in size)
#
# This value MUST be secret, and MUST be generated using
# a secure method, such as via 'openssl rand -hex 32'
#
# pac_opaque_key = "PAC_KEY"
# Same as for TTLS, PEAP, etc.
#
# virtual_server = inner-tunnel
# }
}
root@local:/# freeradius -X
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/cui
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoeùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOEÙÛÜY"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
instantiate {
}
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.3.15
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.15-MariaDB-1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.15-MariaDB-1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.15-MariaDB-1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.15-MariaDB-1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.15-MariaDB-1, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.0.0/16 (myNAS) to global clients list
rlm_sql (192.168.0.0): Client "myNAS" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.15-MariaDB-1, protocol version 10
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/private.key"
certificate_file = "/etc/ssl/certs/server.crt"
ca_file = "/etc/ssl/certs/usertrust_and_addtrust_combined.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 49830
Listening on proxy address :: port 50519
Ready to process requests
2
1
Hi All,
I have configured freeradius 3.0.19 as proxy server which forwards radius
accounting packets to specific home servers based on NAS IP. The problem I
am having is once the connectivity to the home server goes down, the radius
proxy can not reestablish the connection to the home server.
If I delete detail and detail.work files and restart the freeradius service
everything starts working well. I was wondering if I am missing something
in configuration that is causing this problem.
Here is the log
detail (/var/log/freeradius/radacct/detail): Read packet from
/var/log/freeradius/radacct/detail.work
Acct-Session-Id = "5D8840F4-8E040D01"
Framed-IP-Address = 192.168.0.1
Acct-Multi-Session-Id = "3087d99a131824da33a490c45d8840f5000d"
Acct-Link-Count = 1
Acct-Status-Type = Interim-Update
Acct-Authentic = RADIUS
User-Name = "abcd(a)abcd.co.nz"
NAS-IP-Address = 10.0.0.10
NAS-Identifier = "30-8D-D9-9D-13-18"
NAS-Port = 1
Called-Station-Id = "30-8D-D9-9D-13-18:ABC"
Calling-Station-Id = "24-DD-33-44-90-CA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 802.11b/g/n"
Event-Timestamp = "Sep 23 2019 16:15:14 NZST"
Class = 0x436f6e74656e7446696c7465722d4a6e7253747564656e74
Ruckus-SSID = "ABC"
Ruckus-BSSID = 0x308dd99d1318
Ruckus-VLAN-ID = 999
Ruckus-SCG-CBlade-IP = 167837962
Ruckus-SCG-DBlade-IP = 167838210
Acct-Input-Packets = 41552
Acct-Output-Packets = 100454
Acct-Input-Octets = 3768396
Acct-Output-Octets = 130474153
Ruckus-Sta-RSSI = 50
Acct-Session-Time = 1500
Proxy-State = 0x3338
Huntgroup-Name = "NEWFortigateRealm"
SQL-User-Name = "abcd(a)abcd.co.nz"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "58e58a8fd7fbccadf08241d278e4d940"
Packet-Original-Timestamp = "Sep 23 2019 16:16:32 NZST"
Acct-Delay-Time = 65240
Packet-Transmit-Counter = 2172
(38207) # Executing section preacct from file
/etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
(38207) preacct {
(38207) [preprocess] = ok
(38207) if (request:User-Name =~ /@/){
(38207) if (request:User-Name =~ /@/) -> TRUE
(38207) if (request:User-Name =~ /@/) {
(38207) if (request:Huntgroup-Name != ''){
(38207) if (request:Huntgroup-Name != '') -> TRUE
(38207) if (request:Huntgroup-Name != '') {
(38207) update control {
(38207) Proxy-To-Realm := request:Huntgroup-Name ->
'NEWFortigateRealm'
(38207) } # update control = noop
(38207) } # if (request:Huntgroup-Name != '') = noop
(38207) } # if (request:User-Name =~ /@/) = noop
(38207) } # preacct = ok
(38207) # Executing section accounting from file
/etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
(38207) accounting {
(38207) [ok] = ok
(38207) } # accounting = ok
(38207) ERROR: Failed to find live home server: Cancelling proxy
(38207) WARNING: No home server selected
(38207) Clearing existing &reply: attributes
(38207) Found Post-Proxy-Type Fail-Accounting
(38207) Post-Proxy-Type sub-section not found. Ignoring.
(38207) detail (/var/log/freeradius/radacct/detail): No response to
request. Will retry in 30 seconds
(38207) Finished request
(38207) Cleaning up request packet ID 23 with timestamp +339624
Waking up in 6.1 seconds.
No response to status check 38206 ID 139 for home server xx.xx.xx.xx port
1813
Waking up in 1.5 seconds.
PING: Waiting 10 seconds for response to ping
(38208) Sent Status-Server Id 97 from 0.0.0.0:49764 to xx.xx.xx.xx:1813
length 0
(38208) Message-Authenticator := 0x00
(38208) NAS-Identifier := "Status Check 6430. Are you alive?"
PING: Next status packet in 10 seconds
Waking up in 9.5 seconds.
PING: Waiting 10 seconds for response to ping
(38209) Sent Status-Server Id 119 from 0.0.0.0:49764 to xx.xx.xx.xx:1813
length 0
(38209) Message-Authenticator := 0x00
(38209) NAS-Identifier := "Status Check 6431. Are you alive?"
PING: Next status packet in 10 seconds
Waking up in 0.4 seconds.
No response to status check 38208 ID 97 for home server 210.55.219.165 port
1813
Waking up in 9.5 seconds.
--
Kind Regards
Prem
2
1