Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2020
- 73 participants
- 69 discussions
Hello
I have set up freeradius with the simple tutorial found on Google help
pages about their Secure LDAP:
https://support.google.com/a/answer/9089736?hl=en&ref_topic=9173976
I followed all steps, freeradius starts, I get Access-Accept responses when
I use the radtest tool. Perfect!
Although, when trying to connect to an AP with an Android device, I can
only connect with an EAP protocol, PAP seems to be unavailable.
This is a problem, as other protocols encrypt the password (TTLS + PAP) for
example shows no User-Password field in the incoming request. So freeradius
can't handle the request because Google really needs that unencrypted
User-Password field.
So, how do I connect with an Android device with the PAP protocol the
server needs after following that Google tutorial, or is there a way to let
Freeradius decrypt the password and pass it to Google?
Thanks for any insights, I'm pretty new with this.
Mathias Maes
2
6
Hello ! The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap-tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ? I'tried many things like default authenticate , post-auth-type (with update control Auth-Type :=Accept). Allways i had reject or stuck with no network configuration. Radius should provide attributes for valid users: Tunnel-Type � = 13 Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 2111 and Tunnel-Type � = 13 Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 2211 for invalid users. How i do it ? thanks for help Marcin
4
6
On centos at least, rotating the radius.log file (compress and rename)
results in lost log entries as a new log file is not opened. Before I go
off and code this so the server is stopped momentarily, is there another
strategy for handling log rotation while keeping the server up?
2
1
Cannot connect to Win10 PC with client certificate (no connection possible)
by uj2.hahn@posteo.de 16 Jan '20
by uj2.hahn@posteo.de 16 Jan '20
16 Jan '20
Hi, all!
I installed CA and client certificates on Win 10 Pro client PC and
configured a certificate based WLAN profile via Cisco AP (named ciscosb)
to freeradius. (login via certificate, no password).
But I dont't get it to work. PC says "no connection to this network
possible". Windows WLAN report says "Error during authentification of
EAP method type 13. Error: 0x54F. And it also says : Disconnect reason:
explicit Eap error.
I'm still not clear where to find the issue: Client PC or Cisco AP or
freeradius configuration.
Here is the log of one connection attempt. Could you please check if
from radius perspective everything looks ok?
Thanks a lot!
Uwe
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file
/etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file
/etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
ipv4addr = *
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = LDAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_detail
# Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file
/etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_unpack
# Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_digest
# Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_ldap
# Loading module "ldap" from file
/etc/freeradius/3.0/mods-enabled/ldap
ldap {
server = "LDAPServer"
port = 389
identity = "cn=admin,dc=kms,dc=de"
password = <<< secret >>>
sasl {
}
valuepair_attribute = "radiusAttribute"
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=groupOfNames)"
scope = "sub"
name_attribute = "cn"
membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = yes
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=kms,dc=de"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file
/etc/freeradius/3.0/mods-enabled/utf8
# Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_always
# Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_expr
# Loading module "expr" from file
/etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüà âæçèéêëîïôÅùûüaÿÃÃÃÃÃÃÃÃÃÃÃÃÃÃÃÃÅÃÃß"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_files
# Loading module "files" from file
/etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile =
"/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loading module "echo" from file
/etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file
/etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_chap
# Loading module "chap" from file
/etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_linelog
# Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
instantiate {
}
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/server.key"
certificate_file = "/etc/freeradius/3.0/certs/server.pem"
ca_file = "/etc/freeradius/3.0/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file
/etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "ldap" from file
/etc/freeradius/3.0/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20447
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:334
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server
inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 39463
Listening on proxy address :: port 35211
Ready to process requests
(0) Received Access-Request Id 23 from 192.168.188.45:41837 to
192.168.188.50:1812 length 174
(0) User-Name = "host/RadiusClient"
(0) NAS-IP-Address = 192.168.1.245
(0) NAS-Port = 0
(0) Called-Station-Id = "88-90-8D-42-55-70:ciscosb"
(0) Calling-Station-Id = "24-41-8C-4E-CA-B9"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11g"
(0) EAP-Message = 0x0200001601686f73742f526164697573436c69656e74
(0) Message-Authenticator = 0x3b4fe4a59f73c0b31684f6b9c5a8387f
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
{
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "host/RadiusClient", looking up realm
NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 22
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0xc9df8823c9de8c01
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 23 from 192.168.188.50:1812 to
192.168.188.45:41837 length 0
(0) EAP-Message = 0x0101001604107528b5d8ffd31ed0736adf8aded7efa2
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xc9df8823c9de8c015646fbec6ae272f2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 24 from 192.168.188.45:41837 to
192.168.188.50:1812 length 176
(1) User-Name = "host/RadiusClient"
(1) NAS-IP-Address = 192.168.1.245
(1) NAS-Port = 0
(1) Called-Station-Id = "88-90-8D-42-55-70:ciscosb"
(1) Calling-Station-Id = "24-41-8C-4E-CA-B9"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11g"
(1) EAP-Message = 0x02010006030d
(1) State = 0xc9df8823c9de8c015646fbec6ae272f2
(1) Message-Authenticator = 0x58b1b87c2350c89ce023b7c5a1152bea
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
{
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "host/RadiusClient", looking up realm
NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (uid=host/RadiusClient)
(1) ldap: Performing search in "dc=kms,dc=de" with filter
"(uid=host/RadiusClient)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN
"uid=host/RadiusClient,ou=people,dc=kms,dc=de"
(1) ldap: EXPAND
(&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(1) ldap: -->
(&(objectClass=groupOfNames)(|(member=uid\3dhost/RadiusClient\2cou\3dpeople\2cdc\3dkms\2cdc\3dde)(memberUid=host/RadiusClient)))
(1) ldap: Performing search in "dc=kms,dc=de" with filter
"(&(objectClass=groupOfNames)(|(member=uid\3dhost/RadiusClient\2cou\3dpeople\2cdc\3dkms\2cdc\3dde)(memberUid=host/RadiusClient)))",
scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
(1) ldap: No cacheable group memberships found in group objects
(1) ldap: Processing user attributes
(1) ldap: control:Password-With-Header += 'mydummypassword'
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: No {...} in Password-With-Header, re-writing to
Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xc9df8823c9de8c01
(1) eap: Finished EAP session with state 0xc9df8823c9de8c01
(1) eap: Previous EAP request found for state 0xc9df8823c9de8c01,
released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Initiating new EAP-TLS session
(1) eap_tls: Setting verify mode to require certificate from client
(1) eap_tls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xc9df8823c8dd8501
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 24 from 192.168.188.50:1812 to
192.168.188.45:41837 length 0
(1) EAP-Message = 0x010200060d20
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xc9df8823c8dd85015646fbec6ae272f2
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 25 from 192.168.188.45:41837 to
192.168.188.50:1812 length 174
(2) User-Name = "host/RadiusClient"
(2) NAS-IP-Address = 192.168.1.245
(2) NAS-Port = 0
(2) Called-Station-Id = "88-90-8D-42-55-70:ciscosb"
(2) Calling-Station-Id = "24-41-8C-4E-CA-B9"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11g"
(2) EAP-Message = 0x0200001601686f73742f526164697573436c69656e74
(2) Message-Authenticator = 0x6bb8bc01b38cfbb96fd02f67096577e5
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
{
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "host/RadiusClient", looking up realm
NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 0 length 22
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_md5 to process data
(2) eap_md5: Issuing MD5 Challenge
(2) eap: Sending EAP Request (code 1) ID 1 length 22
(2) eap: EAP session adding &reply:State = 0xca374eaeca364a72
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 25 from 192.168.188.50:1812 to
192.168.188.45:41837 length 0
(2) EAP-Message = 0x01010016041040ba8bec57e9693bd0c6bc053ddb69c9
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca374eaeca364a720219c4f185b69853
(2) Finished request
Waking up in 4.1 seconds.
(3) Received Access-Request Id 26 from 192.168.188.45:41837 to
192.168.188.50:1812 length 176
(3) User-Name = "host/RadiusClient"
(3) NAS-IP-Address = 192.168.1.245
(3) NAS-Port = 0
(3) Called-Station-Id = "88-90-8D-42-55-70:ciscosb"
(3) Calling-Station-Id = "24-41-8C-4E-CA-B9"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11g"
(3) EAP-Message = 0x02010006030d
(3) State = 0xca374eaeca364a720219c4f185b69853
(3) Message-Authenticator = 0x631455556a9f0d894f13e6e3bbf1d50c
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
{
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "host/RadiusClient", looking up realm
NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 1 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(3) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap: --> (uid=host/RadiusClient)
(3) ldap: Performing search in "dc=kms,dc=de" with filter
"(uid=host/RadiusClient)", scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: User object found at DN
"uid=host/RadiusClient,ou=people,dc=kms,dc=de"
(3) ldap: EXPAND
(&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(3) ldap: -->
(&(objectClass=groupOfNames)(|(member=uid\3dhost/RadiusClient\2cou\3dpeople\2cdc\3dkms\2cdc\3dde)(memberUid=host/RadiusClient)))
(3) ldap: Performing search in "dc=kms,dc=de" with filter
"(&(objectClass=groupOfNames)(|(member=uid\3dhost/RadiusClient\2cou\3dpeople\2cdc\3dkms\2cdc\3dde)(memberUid=host/RadiusClient)))",
scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: Search returned no results
(3) ldap: No cacheable group memberships found in group objects
(3) ldap: Processing user attributes
(3) ldap: control:Password-With-Header += 'mydummypassword'
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending
slots used
rlm_ldap (ldap): Connecting to ldap://LDAPServer:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(3) [ldap] = updated
(3) [expiration] = noop
(3) [logintime] = noop
(3) pap: No {...} in Password-With-Header, re-writing to
Cleartext-Password
(3) pap: Removing &control:Password-With-Header
(3) pap: WARNING: Auth-Type already set. Not setting to PAP
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xc9df8823c8dd8501
(3) eap: Finished EAP session with state 0xca374eaeca364a72
(3) eap: Previous EAP request found for state 0xca374eaeca364a72,
released from the list
(3) eap: Peer sent packet with method EAP NAK (3)
(3) eap: Found mutually acceptable type TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: Initiating new EAP-TLS session
(3) eap_tls: Setting verify mode to require certificate from client
(3) eap_tls: [eaptls start] = request
(3) eap: Sending EAP Request (code 1) ID 2 length 6
(3) eap: EAP session adding &reply:State = 0xca374eaecb354372
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 26 from 192.168.188.50:1812 to
192.168.188.45:41837 length 0
(3) EAP-Message = 0x010200060d20
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xca374eaecb3543720219c4f185b69853
(3) Finished request
Waking up in 4.1 seconds.
3
9
If I have more than one "server" defined in sites-enabled, does each one have their own thread pool, or do they all share a common pool?
Thanks,
Adrian
2
1
Hi all
I would be grateful for some pointers with an issue I am experiencing at a
customer's site.
I need to strip the domain part of the username that users are
authenticating with. For example, a user will type in bob(a)example.com
during authentication to the wireless network, but the username at the
backend in the directory system is just 'bob'. I know that this is a common
request of freeradius and I have tried to configure it in the conf files,
but clearly I am not doing something correctly. I can't seem to get the
'Stripped-User-Name' to be used where I expect it.
If someone can prod me in the right direction, I'd really appreciate it.
The actual domain name in the below text has been replaced with
example.co.uk.
sh-3.2# radiusd -X
radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on
Sep 15 2016 at 12:27:36
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /Library/Server/radius/raddb/radiusd.conf
including configuration file /Library/Server/radius/raddb/proxy.conf
including configuration file /Library/Server/radius/raddb/clients.conf
including files in directory /Library/Server/radius/raddb/modules/
including configuration file
/Library/Server/radius/raddb/modules/acct_unique
including configuration file /Library/Server/radius/raddb/modules/always
including configuration file
/Library/Server/radius/raddb/modules/attr_filter
including configuration file
/Library/Server/radius/raddb/modules/attr_rewrite
including configuration file /Library/Server/radius/raddb/modules/cache
including configuration file /Library/Server/radius/raddb/modules/chap
including configuration file /Library/Server/radius/raddb/modules/checkval
including configuration file /Library/Server/radius/raddb/modules/counter
including configuration file /Library/Server/radius/raddb/modules/cui
including configuration file /Library/Server/radius/raddb/modules/detail
including configuration file /Library/Server/radius/raddb/modules/
detail.example.com
including configuration file /Library/Server/radius/raddb/modules/detail.log
including configuration file
/Library/Server/radius/raddb/modules/dhcp_sqlippool
including configuration file
/Library/Server/radius/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /Library/Server/radius/raddb/modules/digest
including configuration file
/Library/Server/radius/raddb/modules/dynamic_clients
including configuration file /Library/Server/radius/raddb/modules/echo
including configuration file /Library/Server/radius/raddb/modules/etc_group
including configuration file /Library/Server/radius/raddb/modules/exec
including configuration file /Library/Server/radius/raddb/modules/expiration
including configuration file /Library/Server/radius/raddb/modules/expr
including configuration file /Library/Server/radius/raddb/modules/files
including configuration file /Library/Server/radius/raddb/modules/inner-eap
including configuration file /Library/Server/radius/raddb/modules/ippool
including configuration file /Library/Server/radius/raddb/modules/krb5
including configuration file /Library/Server/radius/raddb/modules/ldap
including configuration file /Library/Server/radius/raddb/modules/linelog
including configuration file /Library/Server/radius/raddb/modules/logintime
including configuration file /Library/Server/radius/raddb/modules/mac2ip
including configuration file /Library/Server/radius/raddb/modules/mac2vlan
including configuration file /Library/Server/radius/raddb/modules/mschap
including configuration file /Library/Server/radius/raddb/modules/ntlm_auth
including configuration file
/Library/Server/radius/raddb/modules/opendirectory
including configuration file /Library/Server/radius/raddb/modules/otp
including configuration file /Library/Server/radius/raddb/modules/pam
including configuration file /Library/Server/radius/raddb/modules/pap
including configuration file /Library/Server/radius/raddb/modules/passwd
including configuration file /Library/Server/radius/raddb/modules/perl
including configuration file /Library/Server/radius/raddb/modules/policy
including configuration file /Library/Server/radius/raddb/modules/preprocess
including configuration file /Library/Server/radius/raddb/modules/radrelay
including configuration file /Library/Server/radius/raddb/modules/radutmp
including configuration file /Library/Server/radius/raddb/modules/realm
including configuration file /Library/Server/radius/raddb/modules/redis
including configuration file /Library/Server/radius/raddb/modules/rediswho
including configuration file /Library/Server/radius/raddb/modules/replicate
including configuration file /Library/Server/radius/raddb/modules/smbpasswd
including configuration file /Library/Server/radius/raddb/modules/smsotp
including configuration file /Library/Server/radius/raddb/modules/soh
including configuration file /Library/Server/radius/raddb/modules/sql_log
including configuration file
/Library/Server/radius/raddb/modules/sqlcounter_expire_on_login
including configuration file /Library/Server/radius/raddb/modules/sradutmp
including configuration file /Library/Server/radius/raddb/modules/unix
including configuration file /Library/Server/radius/raddb/modules/wimax
including configuration file /Library/Server/radius/raddb/eap.conf
including configuration file /Library/Server/radius/raddb/sql.conf
including configuration file
/Library/Server/radius/raddb/sql/sqlite/dialup.conf
including configuration file /Library/Server/radius/raddb/policy.conf
including files in directory /Library/Server/radius/raddb/sites-enabled/
including configuration file
/Library/Server/radius/raddb/sites-enabled/control-socket
including configuration file
/Library/Server/radius/raddb/sites-enabled/default
including configuration file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /Library/Server/radius/raddb/dictionary
main {
name = "radiusd"
prefix = "/Applications/Server.app/Contents/ServerRoot/usr"
localstatedir = "/private/var"
sbindir = "/Applications/Server.app/Contents/ServerRoot/usr/sbin"
logdir = "/private/var/log/radius"
run_dir = "/private/var"
libdir = "/Applications/Server.app/Contents/ServerRoot/usr/lib/freeradius"
radacctdir = "/private/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/private/var/radiusd.pid"
checkrad = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm example.co.uk {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/Library/Server/radius/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/Library/Server/radius/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/Library/Server/radius/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/Library/Server/radius/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file
/Library/Server/radius/raddb/sql.conf
sql {
driver = "rlm_sql_sqlite"
server = "localhost"
port = ""
login = "radius"
password = "radpass"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/private/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = ""
accounting_start_query_alt = ""
accounting_stop_query = ""
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and
linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database
/Library/Server/radius/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database
/Library/Server/radius/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database
/Library/Server/radius/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database
/Library/Server/radius/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database
/Library/Server/radius/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT
id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.126,shortname=SCH-WAP-02,secret=testing123
rlm_sql (sql): Adding client 10.40.92.126 (SCH-WAP-02, server=<none>) to
clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.127,shortname=SCH-WAP-01,secret=testing123
rlm_sql (sql): Adding client 10.40.92.127 (SCH-WAP-01, server=<none>) to
clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.125,shortname=SCH-WAP-03,secret=testing123
rlm_sql (sql): Adding client 10.40.92.125 (SCH-WAP-03, server=<none>) to
clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.179,shortname=Test-SG300,secret=testing123
rlm_sql (sql): Adding client 10.40.92.179 (Test-SG300, server=<none>) to
clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.121,shortname=SCH-SWI-04-T13,secret=testing123
rlm_sql (sql): Adding client 10.40.92.121 (SCH-SWI-04-T13, server=<none>)
to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.122,shortname=SCH-SWI-03-T12,secret=testing123
rlm_sql (sql): Adding client 10.40.92.122 (SCH-SWI-03-T12, server=<none>)
to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.124,shortname=SCH-SWI-01-T11,secret=testing123
rlm_sql (sql): Adding client 10.40.92.124 (SCH-SWI-01-T11, server=<none>)
to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.123,shortname=SCH-SWI-02-T12,secret=testing123
rlm_sql (sql): Adding client 10.40.92.123 (SCH-SWI-02-T12, server=<none>)
to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=
192.168.236.32/28,shortname=clearpass,secret=HHNueA8LTj
rlm_sql (sql): Adding client 192.168.236.32 (clearpass, server=<none>) to
clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry
nasname=10.40.92.251,shortname=nana,secret=HHNueA8LTj
rlm_sql (sql): Adding client 10.40.92.251 (nana, server=<none>) to clients
list
rlm_sql_sqlite: sqlite3_step = 101
rlm_sql_sqlite: sqlite3_finalize() = 0
rlm_sql (sql): Released sql socket id: 4
}
radiusd: #### Loading Virtual Servers ####
server { # from file /Library/Server/radius/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = opendirectory
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/Library/Server/radius/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/Library/Server/radius/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/Library/Server/radius/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
use_open_directory = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/Library/Server/radius/raddb/modules/digest
Module: Linked to module rlm_opendirectory
Module: Instantiating module "opendirectory" from file
/Library/Server/radius/raddb/modules/opendirectory
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/Library/Server/radius/raddb/modules/unix
unix {
radwtmp = "/private/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/Library/Server/radius/raddb/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/Library/Server/radius/raddb/certs"
pem_file_type = yes
private_key_file = "/Library/Server/radius/raddb/certs/server.key"
certificate_file = "/Library/Server/radius/raddb/certs/server.crt"
CA_file = "/Library/Server/radius/raddb/certs/server.crt"
private_key_password = "whatever"
dh_file = "/Library/Server/radius/raddb/certs/dh"
random_file = "/Library/Server/radius/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/Library/Server/radius/raddb/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/Library/Server/radius/raddb/modules/preprocess
preprocess {
huntgroups = "/Library/Server/radius/raddb/huntgroups"
hints = "/Library/Server/radius/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /Library/Server/radius/raddb/huntgroups
reading pairlist file /Library/Server/radius/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/Library/Server/radius/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/Library/Server/radius/raddb/modules/files
files {
usersfile = "/Library/Server/radius/raddb/users"
acctusersfile = "/Library/Server/radius/raddb/acct_users"
preproxy_usersfile = "/Library/Server/radius/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /Library/Server/radius/raddb/users
reading pairlist file /Library/Server/radius/raddb/acct_users
reading pairlist file /Library/Server/radius/raddb/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/Library/Server/radius/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/Library/Server/radius/raddb/modules/detail
detail {
detailfile =
"/private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/Library/Server/radius/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/Library/Server/radius/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /Library/Server/radius/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/Library/Server/radius/raddb/modules/radutmp
radutmp {
filename = "/private/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/Library/Server/radius/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/Library/Server/radius/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /Library/Server/radius/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/private/var/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 53788
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /private/var/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240,
length=225
User-Name = "radiustest(a)example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13
Proxy-State = 0x3230
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "
radiustest(a)example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Proxying request from user radiustest to realm example.co.uk
[suffix] Preparing to proxy authentication request to realm "example.co.uk"
++[suffix] = updated
[eap] Request is supposed to be proxied to Realm example.co.uk. Not doing
EAP.
++[eap] = noop
++[files] = noop
[opendirectory] The host 192.168.236.44 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
[opendirectory] Setting Auth-Type = opendirectory
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 175 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3230
Proxy-State = 0x323430
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 175 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3230
Proxy-State = 0x323430
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175,
length=211
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x3501877b8486b13298815dbd61d54947
Proxy-State = 0x3230
Proxy-State = 0x323430
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[opendirectory] The host 127.0.0.1 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Identity (radiustest(a)example.co.uk) does not match User-Name
(radiustest). Authentication failed.
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [radiustest/<via Auth-Type = EAP>] (from client localhost
port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} ->
0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0x3501877b8486b13298815dbd61d54947
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 175 to 127.0.0.1 port 1814
Proxy-State = 0x3230
Proxy-State = 0x323430
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=175,
length=53
Proxy-State = 0x3230
Proxy-State = 0x323430
EAP-Message = 0x04040004
Message-Authenticator = 0xe9f8dcb50c101f38f7426e72c427df74
# Executing section post-proxy from file
/Library/Server/radius/raddb/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Login incorrect (Home Server says so): [radiustest(a)example.co.uk/<via
Auth-Type = opendirectory>] (from client clearpass port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} ->
0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xcb3673c30e1a008614b794492d7bdc13
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest(a)example.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Sending Access-Reject of id 240 to 192.168.236.44 port 1815
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3230
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=241,
length=225
User-Name = "radiustest(a)example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0xf8eff948324a373824b6eeb749b7a675
Proxy-State = 0x3231
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "
radiustest(a)example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Proxying request from user radiustest to realm example.co.uk
[suffix] Preparing to proxy authentication request to realm "example.co.uk"
++[suffix] = updated
[eap] Request is supposed to be proxied to Realm example.co.uk. Not doing
EAP.
++[eap] = noop
++[files] = noop
[opendirectory] The host 192.168.236.44 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
[opendirectory] Setting Auth-Type = opendirectory
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 193 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3231
Proxy-State = 0x323431
Proxying request 2 to home server 127.0.0.1 port 1812
Sending Access-Request of id 193 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3231
Proxy-State = 0x323431
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=193,
length=211
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0xebdffca338692d279cfd1828df9606fe
Proxy-State = 0x3231
Proxy-State = 0x323431
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[opendirectory] The host 127.0.0.1 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Identity (radiustest(a)example.co.uk) does not match User-Name
(radiustest). Authentication failed.
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [radiustest/<via Auth-Type = EAP>] (from client localhost
port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} ->
0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xebdffca338692d279cfd1828df9606fe
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 193 to 127.0.0.1 port 1814
Proxy-State = 0x3231
Proxy-State = 0x323431
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=193,
length=53
Proxy-State = 0x3231
Proxy-State = 0x323431
EAP-Message = 0x04040004
Message-Authenticator = 0xee1e8865c1c3badd0ed55be65dc5dbe9
# Executing section post-proxy from file
/Library/Server/radius/raddb/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Login incorrect (Home Server says so): [radiustest(a)example.co.uk/<via
Auth-Type = opendirectory>] (from client clearpass port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} ->
0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xf8eff948324a373824b6eeb749b7a675
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest(a)example.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Sending Access-Reject of id 241 to 192.168.236.44 port 1815
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3231
Finished request 2.
Going to the next request
Cleaning up request 1 ID 175 with timestamp +43
Cleaning up request 0 ID 240 with timestamp +43
Waking up in 4.9 seconds.
Thank you
Stuart
--
Crossover Solutions Ltd
Pound House, 62A Highgate High Street, London, N6
5HX
www.crossover.solutions <http://crossover.solutions> • 020 3637 4655
Registered in England and Wales No: 9593204 Registered address as stated
Members of the Apple Consultants Network
<https://consultants.apple.com/uk/988258>
Please submit new support
requests to support(a)crossover.solutions
<mailto:support@crossover.solutions>
2
5
I'm working with a third-party app that authenticates to a FreeRADIUS server
via MSCHAPv2 over PEAP and need up update a few parts of it, but I can't
figure out what FreeRADIUS is sending over the PEAP tunnel when it's not
sending MSCHAPv2 data. The current code doesn't try and break down the
messages, possibly because my predecessor also couldn't figure out what they
were, but there's now a requirement to do this.
The initial Identity Request sent by FreeRADIUS over the PEAP tunnel is:
01 // Identity-Request
06 // ?
00 05 // length = 5
01 // ?
The Identity Request sent by FreeRADIUS over the PEAP tunnel in response to an
incorrect identity in the MSCHAPv2 process, i.e. what you get instead of an
MSCHAPv2 response, is:
01 // Identity-Request
08 // ?
00 0B // length = 11
21 80 03 00 02 00 02 // ?
Problem is I can't translate these messages into anything useful (the field
names I've used above are guesswork), this doesn't correspond to any message
format that I can identify, RADIUS, EAP, DIAMETER, PEAP, there are bits and
pieces in there that could correspond to various things like EAP and RADIUS,
and the byte string starting 0x21 could be a MS-Authentication-TLV but what
follows doesn't match draft-hiller-eap-tlv-01.txt, and it also doesn't work as
an EAP-Request, also 0x21.
Can anyone tell me what format this is?
JG.
2
2
In FreeRadius, we are trying to use rlm_exec to call an external
script in a multithreaded fashion, but once "exec" is called, it
blocks other requests and only processes one request at a time. We
need to support multiple users signing in at the same time. How can
we make this multithreaded/multiprocessed?
Here is a simple example we used to verify the blocking issue:
# In file: raddb/sites-available/default
authorize {
...
exec
update reply {
Reply-Message = config:Reply-Message
State = config:State
}
handled
...
}
# In file: raddb/mods-enabled/exec
exec {
program = "/bin/bash -f
/etc/raddb/mods-config/.../execBashCustomAuthorization.sh"
wait = yes
input_pairs = request
output_pairs = config
shell_escape = yes
timeout = 30
}
# In file: raddb/mods-config/.../execBashCustomAuthorization.sh
#!/bin/bash
sleep 5
echo "Reply-Message = \"A short message\","
echo "State = \"2496578198c5447a8167fe3fe0398133\","
echo "Response-Packet-Type = \"Access-Challenge\""
exit 0
If we send 5 requests to our freeradius server, we expect all 5
responses to come back at about the same time, but they each respond 5
seconds apart, and it takes about 25 seconds for all to complete.
We know that "wait=yes" makes freeradius wait for the script to finish
and processes what the external script sent to stdout, but we thought
it could still handle multiple requests in parallel. We can't use
"wait=no" because we need output from the external script.
Here are the details of our runtime environment:
FreeRADIUS Version: 3.0.19
Python Version: 2.7.15
Please let us know if you need any additional environmental or
configuration information.
We thank you in advance for any help you can provide.
5
7
So in freeradius (version 3.0.19), we are using rlm_exec to call an
external shell script. The script sends all responses to standard out
(which gets returned back to freeradius), and that is working, but if
we put the "\n" newline character in our messages, that newline is
getting removed. We use "\n" to format some messages for the end
user.
Is there any way to create messages that keep the newline character?
Thank you for your help!
Ryan
2
1
I have successfully configured freeradius to authenticate against AD using
the winbind socket (not the ntlm_auth command). I find myself needing to
also authorize based on AD group membership, more precisely based on
negative group membership (We maintain a "deny wireless" group). It seems
like I could use the LDAP module and test for the group there, but I
noticed that the ntlm_auth command supports some notion of group checking
through the '--require-membership-of=STRING' option. It follows that
winbind has access to AD groups and could be used to check. I haven't been
able to find any guidance on the freeradius.org documentation site, so I
was wondering if there is a preferred method for AD-based group checking
when using winbind.
--
Munroe Sollog
Senior Network Engineer
munroe(a)lehigh.edu
3
3