Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2020
- 53 participants
- 61 discussions
Hi all,
We've upgraded freeradius from 2.x to 3.0.21. We note that LDAP attributes are always returned as hex string and we're unable to get the attribute as it is.
e.g. we defined in mods-enabled/ldap:
update {
control:NT-Password += 'sambaNtPassword'
while sambaNtPassword value in LDAP is just alphanumeric string without any escape character.
Debug log shows the value in hex (decoding the hex into ASCII matches with the value in LDAP):
Tue Jun 16 11:41:43 2020 : Debug: (8) ldap: Processing user attributes
Tue Jun 16 11:41:43 2020 : Debug: (8) ldap: NT-Password := 0x3034324544323534394233353637304441443342394130374444424339363233
Then we got error "NT-Password has not been normalized by the 'pap' module (likely still in hex format). ".
Tue Jun 16 11:51:43 2020 : Debug: (8) eap_mschapv2: authenticate {
Tue Jun 16 11:51:43 2020 : Debug: (8) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap)
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: NT-Password has not been normalized by the 'pap' module (likely still in hex format). Authentication may fail
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: No Cleartext-Password configured. Cannot create NT-Password
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: No Cleartext-Password configured. Cannot create LM-Password
Data in LDAP server works in freeradius 2.x.
Would anyone please help?
Thanks a lot.
Regards
/ST Wong
1
1
Hello all,
i am trying to set the safe_characters in a sql configuration and it
looks that the safe characters are not working anymore (at least the
extra i add).
I have the following configuration:
```
sql sql_degraded {
database = "mysql"
driver = "rlm_sql_${database}"
server = "127.0.0.1"
port = 3306
login = "pf"
password = "inverse"
radius_db = "pf"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "password"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
sql_user_name = "%{User-Name}"
postauth_query = ""
group_membership_query = ""
pool = sql
client_table = "radius_nas"
# Read database-specific queries
$INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
}
```
I added (),' as extra char.
Followinf the trace from freeradius 3.0.21 (doesn't work) and from
freeradius-3.0.13 (works) for exactly the same radius request and
exactly the same configuration:
```
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including configuration file /usr/local/pf/raddb/clients.eduroam.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/go
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence.orig
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
including configuration file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/status
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
main {
security {
user = "pf"
group = "pf"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
sbindir = "/usr/sbin"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
libdir = "/usr/lib64/freeradius:/usr/lib/freeradius"
radacctdir = "/usr/local/pf/logs/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
max_requests = 20000
pidfile = "/usr/local/pf/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
auth: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
Ignoring "response_window = 20.000000", forcing to "response_window =
10.000000"
home_server pf.remote {
ipaddr = 172.20.135.10
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.4"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server degraded {
virtual_server = "pf.degraded"
port = 0
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
Ignoring "response_window = 30.000000", forcing to "response_window =
10.000000"
home_server pf0.cluster {
ipaddr = 172.20.135.4
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server pf0.cli.cluster {
ipaddr = 172.20.135.4
port = 1815
type = "auth"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm bob {
}
realm bibi {
}
realm inverse.inc {
}
realm eduroam.default {
}
realm eduroam.local {
}
realm eduroam.null {
}
realm eduroam.bob {
}
realm eduroam.bibi {
}
realm eduroam.inverse.inc {
}
home_server_pool pf_auth_pool {
type = fail-over
home_server = pf.remote
home_server = degraded
}
home_server_pool pf_acct_pool {
type = fail-over
home_server = pf.remote
}
realm remote {
auth_pool = pf_auth_pool
acct_pool = pf_acct_pool
}
home_server_pool pf_pool.cluster {
type = keyed-balance
home_server = pf0.cluster
}
home_server_pool pfacct_pool.cluster {
type = load-balance
home_server = pf0.cluster
}
realm packetfence {
auth_pool = pf_pool.cluster
acct_pool = pfacct_pool.cluster
}
home_server_pool pfcli_pool.cluster {
type = keyed-balance
home_server = pf0.cli.cluster
}
realm packetfence-cli {
auth_pool = pfcli_pool.cluster
}
auth: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.4 {
ipaddr = 172.20.135.4
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.5 {
ipaddr = 172.20.135.5
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.11 {
ipaddr = 172.20.135.11
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.12 {
ipaddr = 172.20.135.12
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.13 {
ipaddr = 172.20.135.13
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dynamic {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
dynamic_clients = "dynamic_clients"
lifetime = 300
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap-degraded
# Creating Autz-Type = Status-Server
auth: #### Instantiating modules ####
modules {
# Loaded module rlm_logintime
# Loading module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file
/usr/local/pf/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/pf/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_perl
# Loading module "perl" from file /usr/local/pf/raddb/mods-enabled/perl
perl {
filename = "/usr/local/pf/raddb/mods-config/perl/example.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
perl packetfence {
filename = "/usr/local/pf/raddb/mods-config/perl/packetfence.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
perl packetfence-multi-domain {
filename =
"/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
perl reply_in_db {
filename = "/usr/local/pf/raddb/mods-config/perl/reply_in_db.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/pf/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/pf/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/usr/local/pf/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/pf/logs/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_raw
# Loading module "raw" from file /usr/local/pf/raddb/mods-enabled/raw
raw {
name = "raw"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/pf/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
# Loading module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_redis
# Loading module "redis" from file /usr/local/pf/raddb/mods-enabled/redis
redis {
server = "127.0.0.1"
port = 6379
database = 0
query_timeout = 5
}
rlm_redis: libhiredis version: 0.12.1
# Loading module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
redis redis_ntlm {
server = "127.0.0.1"
port = 6383
database = 0
query_timeout = 5
}
rlm_redis: libhiredis version: 0.12.1
# Loaded module rlm_replicate
# Loading module "replicate" from file
/usr/local/pf/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/pf/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file
/usr/local/pf/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/pf/logs/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/pf/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/pf/logs/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file
/usr/local/pf/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/pf/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/pf/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loading module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
eap eap-degraded {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/pf/raddb/mods-enabled/rest
rest {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loading module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
rest rest-cli {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/pf/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server, tenant_id FROM radius_nas where 1=0"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Status-Type}','%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
interim-update {
query = "CALL acct_update (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Status-Type}','%{NAS-Identifier}',
'%{Called-Station-SSID}', '%{control:PacketFence-Tenant-Id}')"
}
stop {
query = "CALL acct_stop (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Terminate-Cause}', '%{Acct-Status-Type}',
'%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
}
}
post-auth {
reference = "type.accept.query"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loading module "pfguest" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfguest {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "guest"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfguest): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfguest-SQL-Group
# Loading module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
sql pfsponsor {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sponsor"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsponsor): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfsponsor-SQL-Group
# Loading module "pfsms" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfsms {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sms" AND
( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsms): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Creating attribute pfsms-SQL-Group
# Loading module "pflocal" from file /usr/local/pf/raddb/mods-enabled/sql
sql pflocal {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password WHERE pid =
'%{SQL-User-Name}' AND password.tenant_id =
'%{control:PacketFence-Tenant-Id}' AND NOT EXISTS (SELECT pid FROM
activation WHERE pid = '%{SQL-User-Name}')"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pflocal): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pflocal-SQL-Group
# Loading module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
sql sql_reject {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_reject): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute sql_reject-SQL-Group
# Loading module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
sql sql_degraded {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_degraded): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
Creating attribute sql_degraded-SQL-Group
# Loaded module rlm_mschap
# Loading module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key --username=%{mschap:User-Name:-None}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_local {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/pf/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/pf/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/pf/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_post_auth {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth"
key = "%{User-Name}"
relaxed = yes
}
# Loading module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_pre_proxy {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy"
key = "%{User-Name}"
relaxed = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
cache cache_ntlm {
driver = "rlm_cache_rbtree"
key = "%{User-Name}%{Calling-Station-Id}"
ttl = 300
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache cache_password {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache userprincipalname {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache PacketFence-NTCacheHash {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 10
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/pf/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/usr/local/pf/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
# Loading module "echo" from file /usr/local/pf/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/pf/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/pf/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/pf/raddb/mods-enabled/files
files {
filename = "/usr/local/pf/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/pf/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/pf/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog {
filename = "syslog"
escape_filenames = no
syslog_facility = "local1"
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "syslog"
escape_filenames = no
syslog_facility = "local2"
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
instantiate {
# Instantiating module "redis" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "rest" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
preacct {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = "http://127.0.0.1:7070//radius/rest/accounting"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
pre-proxy {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-proxy {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = "http://127.0.0.1:7070//radius/rest/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest: libcurl version: libcurl/7.29.0 NSS/3.44 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
rlm_rest (rest): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "raw" from file
/usr/local/pf/raddb/mods-enabled/raw
}
# Instantiating module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
# Instantiating module "pap" from file
/usr/local/pf/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "perl" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis_ntlm): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "eap" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-degraded-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-degraded-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/switch/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest (rest-cli): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "sql" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.21-MariaDB
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "pf"
rlm_sql (sql): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname,
type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
# Instantiating module "pfguest" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pfguest): Attempting to connect to database "pf"
# Instantiating module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pfsponsor): Attempting to connect to database "pf"
# Instantiating module "pfsms" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pfsms): Attempting to connect to database "pf"
# Instantiating module "pflocal" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pflocal): Attempting to connect to database "pf"
# Instantiating module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_reject): groupmemb_query is empty. Please delete it from
the configuration
rlm_sql (sql_reject): authorize_check_query is empty. Please delete it
from the configuration
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (sql_reject): Attempting to connect to database "pf"
# Instantiating module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_degraded): groupmemb_query is empty. Please delete it from
the configuration
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (sql_degraded): Attempting to connect to database "pf"
# Instantiating module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_local): using internal authentication
# Instantiating module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "fail" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "ok" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "noop" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_reject
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth
# Instantiating module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy
# Instantiating module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
rlm_cache (cache_ntlm): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (cache_password): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (userprincipalname): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (PacketFence-NTCacheHash): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Instantiating module "files" from file
/usr/local/pf/raddb/mods-enabled/files
reading pairlist file /usr/local/pf/raddb/mods-config/files/authorize
reading pairlist file /usr/local/pf/raddb/mods-config/files/accounting
reading pairlist file /usr/local/pf/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
} # modules
auth: #### Loading Virtual Servers ####
server { # from file /usr/local/pf/raddb/auth.conf
} # server
server packetfence { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence
server pf-remote { # from file /usr/local/pf/raddb/sites-enabled/packetfence
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf-remote
server pf.degraded { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server pf.degraded
server packetfence-degraded-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-degraded-tunnel
server packetfence-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel
server packetfence-tunnel-fast { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel-fast
server packetfence-cli { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
# Loading authenticate {...}
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-cli
server dynamic_clients { # from file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
# Loading authorize {...}
} # server dynamic_clients
server status { # from file /usr/local/pf/raddb/sites-enabled/status
# Loading authorize {...}
} # server status
server pf.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf.cluster
server pfcli.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading post-proxy {...}
} # server pfcli.cluster
thread pool {
start_servers = 0
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread pool initialized
auth: #### Opening IP addresses and Ports ####
listen {
type = "status"
virtual_server = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
virtual_server = "pf-remote"
ipaddr = 172.20.135.4
port = 0
}
listen {
type = "auth+acct"
virtual_server = "packetfence"
ipaddr = 172.20.135.4
port = 2083
proto = "tcp"
tls {
verify_depth = 0
ca_path = "/usr/local/pf/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/pf/raddb/certs/server.key"
certificate_file = "/usr/local/pf/raddb/certs/server.crt"
ca_file = "/usr/local/pf/raddb/certs/ca.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 8192
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "control"
listen {
socket = "/usr/local/pf/var/run/radiusd.sock"
mode = "rw"
peercred = yes
}
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address 172.20.135.4 port 1812 bound to server pf-remote
Listening on auth+acct proto tcp address 172.20.135.4 port 2083 (TLS)
bound to server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on proxy address * port 63313
Ready to process requests
Threads: Spawning 3 spares
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Waking up in 0.3 seconds.
Thread 3 waiting to be assigned a request
Thread 3 got semaphore
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread 3 handling request 0, (1 handled so far)
(0) Received Access-Request Id 187 from 172.20.135.5:65296 to
172.20.135.4:1812 length 243
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xc9b164a131d9c0875f68c065f031408e
(0) Proxy-State = 0x323338
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) update control {
(0) EXPAND %{Calling-Station-Id}
(0) --> 64:76:ba:89:71:4c
(0) Load-Balance-Key := 64:76:ba:89:71:4c
(0) Proxy-To-Realm := "remote"
(0) } # update control = noop
(0) if (!NAS-IP-Address){
(0) if (!NAS-IP-Address) -> FALSE
(0) } # authorize = noop
(0) Starting proxy to home server 172.20.135.10 port 1812
(0) server pf-remote {
(0) }
(0) Proxying request to home server 172.20.135.10 port 1812 timeout 6.000000
(0) Sent Access-Request Id 211 from 172.20.135.4:41039 to
172.20.135.10:1812 length 248
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xc9b164a131d9c0875f68c065f031408e
(0) Proxy-State = 0x323338
(0) Proxy-State = 0x313837
Thread 3 waiting to be assigned a request
Listening on proxy address 172.20.135.4 port 41039
Waking up in 0.3 seconds.
(0) Marking home server 172.20.135.10 port 1812 alive
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 211 from 172.20.135.10:1812 to
172.20.135.4:41039 length 47
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Proxy-State = 0x323338
(0) Proxy-State = 0x313837
(0) server pf-remote {
(0) # Executing section post-proxy from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) post-proxy {
(0) update control {
(0) EXPAND %{home_server:ipaddr}
(0) --> 172.20.135.10
(0) PacketFence-Proxied-To := 172.20.135.10
(0) } # update control = noop
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
(0) EXPAND &proxy-reply:Packet-Type
(0) --> Access-Accept
(0) if (&proxy-reply:Packet-Type == Access-Accept) -> TRUE
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (1)
(0) Executing query: DELETE FROM radreply where
username="64:76:ba:89:71:4c"
rlm_sql (sql): Released connection (1)
(0) EXPAND %{sql_degraded:DELETE FROM radreply where
username="%{Calling-Station-Id}"}
(0) --> 3
(0) reply_in_db: $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'User-Password'} =
&request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'NAS-IP-Address'} =
&request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST{'Service-Type'} = &request:Service-Type
-> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State ->
'0x323338'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port-Type'} =
&request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Essid-Name'} =
&request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Location-Id'} =
&request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST{'Aruba-AP-Group'} =
&request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST{'Realm'} = &request:Realm -> 'remote'
(0) reply_in_db: $RAD_REQUEST{'SQL-User-Name'} =
&request:SQL-User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'PacketFence-KeyBalanced'} =
&request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_CHECK{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CHECK{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CHECK{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_CONFIG{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CONFIG{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CONFIG{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Name'} =
&proxy-request:User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Password'} =
&proxy-request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-IP-Address'} =
&proxy-request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port'} =
&proxy-request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Service-Type'} =
&proxy-request:Service-Type -> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Called-Station-Id'} =
&proxy-request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Calling-Station-Id'} =
&proxy-request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[0] =
&proxy-request:Proxy-State -> '0x313837'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[1] =
&proxy-request:Proxy-State -> '0x323338'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port-Type'} =
&proxy-request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Message-Authenticator'} =
&proxy-request:Message-Authenticator -> '0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Essid-Name'} =
&proxy-request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Location-Id'} =
&proxy-request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-AP-Group'} =
&proxy-request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} =
&proxy-request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[0] =
&proxy-reply:Proxy-State -> '0x323338'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[1] =
&proxy-reply:Proxy-State -> '0x313837'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Type'} =
&proxy-reply:Tunnel-Type -> 'VLAN'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type'} =
&proxy-reply:Tunnel-Medium-Type -> 'IEEE-802'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id'} =
&proxy-reply:Tunnel-Private-Group-Id -> '135'
(0) reply_in_db: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'}
-> 'Wireless-802.11'
(0) reply_in_db: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} ->
'0x323338'
(0) reply_in_db: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Call-Check'
(0) reply_in_db: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: &request:Realm = $RAD_REQUEST{'Realm'} -> 'remote'
(0) reply_in_db: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &request:Aruba-AP-Group =
$RAD_REQUEST{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'64-76-ba-89-71-4c'
(0) reply_in_db: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &request:User-Password = $RAD_REQUEST{'User-Password'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) reply_in_db: &control:PacketFence-Proxied-To =
$RAD_CHECK{'PacketFence-Proxied-To'} -> '172.20.135.10'
(0) reply_in_db: &control:Load-Balance-Key =
$RAD_CHECK{'Load-Balance-Key'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &control:PacketFence-reply-insert =
$RAD_CHECK{'PacketFence-reply-insert'} -> 'INSERT into radreply
(username, attribute, value) values
('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')'
(0) reply_in_db: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'}
-> 'remote'
(0) reply_in_db: &proxy-request:NAS-Port-Type =
$RAD_REQUEST_PROXY{'NAS-Port-Type'} -> 'Wireless-802.11'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x313837'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x323338'
(0) reply_in_db: &proxy-request:Service-Type =
$RAD_REQUEST_PROXY{'Service-Type'} -> 'Call-Check'
(0) reply_in_db: &proxy-request:Aruba-Essid-Name =
$RAD_REQUEST_PROXY{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &proxy-request:Calling-Station-Id =
$RAD_REQUEST_PROXY{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &proxy-request:Called-Station-Id =
$RAD_REQUEST_PROXY{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &proxy-request:PacketFence-KeyBalanced =
$RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &proxy-request:Message-Authenticator =
$RAD_REQUEST_PROXY{'Message-Authenticator'} ->
'0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: &proxy-request:Aruba-AP-Group =
$RAD_REQUEST_PROXY{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &proxy-request:Aruba-Location-Id =
$RAD_REQUEST_PROXY{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &proxy-request:User-Name =
$RAD_REQUEST_PROXY{'User-Name'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:User-Password =
$RAD_REQUEST_PROXY{'User-Password'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:NAS-IP-Address =
$RAD_REQUEST_PROXY{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &proxy-request:NAS-Port =
$RAD_REQUEST_PROXY{'NAS-Port'} -> '0'
(0) reply_in_db: &proxy-reply:Tunnel-Private-Group-Id:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id:0'} -> '135'
(0) reply_in_db: &proxy-reply:Tunnel-Medium-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type:0'} -> 'IEEE-802'
(0) reply_in_db: &proxy-reply:Tunnel-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Type:0'} -> 'VLAN'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x323338'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x313837'
(0) [reply_in_db] = ok
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (2)
(0) Executing query: INSERT into radreply =28username=2C
attribute=2C value=29 values
=28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Medium-Type:0=27=2C=27IEEE-802=27=29=2C
=28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Private-Group-Id:0=27=2C=27135=27=29=2C
=28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Type:0=27=2C=27VLAN=27=29
(0) ERROR: rlm_sql_mysql: ERROR 1064 (You have an error in your
SQL syntax; check the manual that corresponds to your MariaDB server
version for the right syntax to use near '=28username=2C attribute=2C
value=29 values =28=2764:76:ba:89:71:4c=27=2C=27Tunn' at line 1): 42000
(0) ERROR: SQL query failed: server error
rlm_sql (sql): Released connection (2)
(0) EXPAND %{sql_degraded:%{control:PacketFence-reply-insert}}
(0) -->
(0) } # if (&proxy-reply:Packet-Type == Access-Accept) = ok
(0) ... skipping else: Preceding "if" was taken
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> 64-76-ba-89-71-4c
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) } # post-proxy = updated
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [64-76-ba-89-71-4c] (from client pf port 0 cli
64:76:ba:89:71:4c)
(0) Sent Access-Accept Id 187 from 172.20.135.4:1812 to
172.20.135.5:65296 length 0
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Type:0 = VLAN
(0) Proxy-State = 0x323338
(0) Finished request
Thread 2 waiting to be assigned a request
Waking up in 4.6 seconds.
```
```
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including configuration file /usr/local/pf/raddb/clients.eduroam.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/go
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
including configuration file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/status
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
main {
security {
user = "pf"
group = "pf"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
sbindir = "/usr/sbin"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
libdir = "/usr/lib64/freeradius:/usr/lib/freeradius"
radacctdir = "/usr/local/pf/logs/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
max_requests = 20000
pidfile = "/usr/local/pf/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
auth: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
WARNING: Ignoring "response_window = 20.000000", forcing to
"response_window = 10.000000"
home_server pf.remote {
ipaddr = 172.20.135.10
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.4"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server degraded {
virtual_server = "pf.degraded"
port = 0
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
WARNING: Ignoring "response_window = 30.000000", forcing to
"response_window = 10.000000"
home_server pf0.cluster {
ipaddr = 172.20.135.4
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server pf0.cli.cluster {
ipaddr = 172.20.135.4
port = 1815
type = "auth"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm bob {
}
realm bibi {
}
realm inverse.inc {
}
realm eduroam.default {
}
realm eduroam.local {
}
realm eduroam.null {
}
realm eduroam.bob {
}
realm eduroam.bibi {
}
realm eduroam.inverse.inc {
}
home_server_pool pf_auth_pool {
type = fail-over
home_server = pf.remote
home_server = degraded
}
home_server_pool pf_acct_pool {
type = fail-over
home_server = pf.remote
}
realm remote {
auth_pool = pf_auth_pool
acct_pool = pf_acct_pool
}
home_server_pool pf_pool.cluster {
type = keyed-balance
home_server = pf0.cluster
}
home_server_pool pfacct_pool.cluster {
type = load-balance
home_server = pf0.cluster
}
realm packetfence {
auth_pool = pf_pool.cluster
acct_pool = pfacct_pool.cluster
}
home_server_pool pfcli_pool.cluster {
type = keyed-balance
home_server = pf0.cli.cluster
}
realm packetfence-cli {
auth_pool = pfcli_pool.cluster
}
auth: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.4 {
ipaddr = 172.20.135.4
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.5 {
ipaddr = 172.20.135.5
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dynamic {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
dynamic_clients = "dynamic_clients"
lifetime = 300
}
Debugger not attached
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap-degraded
# Creating Autz-Type = Status-Server
auth: #### Instantiating modules ####
modules {
# Loaded module rlm_logintime
# Loading module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file
/usr/local/pf/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/pf/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_perl
# Loading module "perl" from file /usr/local/pf/raddb/mods-enabled/perl
perl {
filename = "/usr/local/pf/raddb/mods-config/perl/example.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
perl packetfence {
filename = "/usr/local/pf/raddb/mods-config/perl/packetfence.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
perl packetfence-multi-domain {
filename =
"/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
perl reply_in_db {
filename = "/usr/local/pf/raddb/mods-config/perl/reply_in_db.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/pf/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/pf/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/usr/local/pf/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/pf/logs/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_raw
# Loading module "raw" from file /usr/local/pf/raddb/mods-enabled/raw
raw {
name = "raw"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/pf/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
# Loading module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_redis
# Loading module "redis" from file /usr/local/pf/raddb/mods-enabled/redis
redis {
server = "127.0.0.1"
port = 6379
database = 0
}
rlm_redis: libhiredis version: 0.12.1
# Loading module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
redis redis_ntlm {
server = "127.0.0.1"
port = 6383
database = 0
}
rlm_redis: libhiredis version: 0.12.1
# Loaded module rlm_replicate
# Loading module "replicate" from file
/usr/local/pf/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/pf/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file
/usr/local/pf/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/pf/logs/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/pf/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/pf/logs/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file
/usr/local/pf/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/pf/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/pf/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loading module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
eap eap-degraded {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/pf/raddb/mods-enabled/rest
rest {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loading module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
rest rest-cli {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/pf/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server, tenant_id FROM radius_nas where 1=0"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Status-Type}','%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
interim-update {
query = "CALL acct_update (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Status-Type}','%{NAS-Identifier}',
'%{Called-Station-SSID}', '%{control:PacketFence-Tenant-Id}')"
}
stop {
query = "CALL acct_stop (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Terminate-Cause}', '%{Acct-Status-Type}',
'%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
}
}
post-auth {
reference = "type.accept.query"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loading module "pfguest" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfguest {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "guest"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfguest): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfguest-SQL-Group
# Loading module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
sql pfsponsor {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sponsor"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsponsor): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfsponsor-SQL-Group
# Loading module "pfsms" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfsms {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sms" AND
( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsms): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Creating attribute pfsms-SQL-Group
# Loading module "pflocal" from file /usr/local/pf/raddb/mods-enabled/sql
sql pflocal {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password WHERE pid =
'%{SQL-User-Name}' AND password.tenant_id =
'%{control:PacketFence-Tenant-Id}' AND NOT EXISTS (SELECT pid FROM
activation WHERE pid = '%{SQL-User-Name}')"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pflocal): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pflocal-SQL-Group
# Loading module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
sql sql_reject {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_reject): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute sql_reject-SQL-Group
# Loading module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
sql sql_degraded {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_degraded): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
Creating attribute sql_degraded-SQL-Group
# Loaded module rlm_mschap
# Loading module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key --username=%{mschap:User-Name:-None}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_local {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/pf/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/pf/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/pf/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_post_auth {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth"
key = "%{User-Name}"
relaxed = yes
}
# Loading module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_pre_proxy {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy"
key = "%{User-Name}"
relaxed = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
cache cache_ntlm {
driver = "rlm_cache_rbtree"
key = "%{User-Name}%{Calling-Station-Id}"
ttl = 300
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache cache_password {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache userprincipalname {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache PacketFence-NTCacheHash {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 10
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/pf/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/usr/local/pf/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
# Loading module "echo" from file /usr/local/pf/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/pf/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/pf/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/pf/raddb/mods-enabled/files
files {
filename = "/usr/local/pf/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/pf/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/pf/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog {
filename = "syslog"
escape_filenames = no
syslog_facility = "local1"
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "syslog"
escape_filenames = no
syslog_facility = "local2"
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
instantiate {
# Instantiating module "redis" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "rest" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = "http://127.0.0.1:7070//radius/rest/accounting"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = "http://127.0.0.1:7070//radius/rest/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest: libcurl version: libcurl/7.29.0 NSS/3.44 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
rlm_rest (rest): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "raw" from file
/usr/local/pf/raddb/mods-enabled/raw
}
# Instantiating module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
# Instantiating module "pap" from file
/usr/local/pf/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "perl" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis_ntlm): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "eap" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-degraded-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-degraded-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/switch/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest (rest-cli): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "sql" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.21-MariaDB
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "pf"
rlm_sql (sql): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname,
type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
# Instantiating module "pfguest" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pfguest): Attempting to connect to database "pf"
# Instantiating module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pfsponsor): Attempting to connect to database "pf"
# Instantiating module "pfsms" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pfsms): Attempting to connect to database "pf"
# Instantiating module "pflocal" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pflocal): Attempting to connect to database "pf"
# Instantiating module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_reject): groupmemb_query is empty. Please delete it from
the configuration
rlm_sql (sql_reject): authorize_check_query is empty. Please delete it
from the configuration
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql_reject): Attempting to connect to database "pf"
# Instantiating module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_degraded): groupmemb_query is empty. Please delete it from
the configuration
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql_degraded): Attempting to connect to database "pf"
# Instantiating module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_local): using internal authentication
# Instantiating module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "fail" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "ok" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "noop" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_reject
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth
# Instantiating module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy
# Instantiating module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
rlm_cache (cache_ntlm): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (cache_password): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (userprincipalname): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (PacketFence-NTCacheHash): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Instantiating module "files" from file
/usr/local/pf/raddb/mods-enabled/files
reading pairlist file /usr/local/pf/raddb/mods-config/files/authorize
reading pairlist file /usr/local/pf/raddb/mods-config/files/accounting
reading pairlist file /usr/local/pf/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
} # modules
auth: #### Loading Virtual Servers ####
server { # from file /usr/local/pf/raddb/auth.conf
} # server
server packetfence { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence
server pf-remote { # from file /usr/local/pf/raddb/sites-enabled/packetfence
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf-remote
server pf.degraded { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server pf.degraded
server packetfence-degraded-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-degraded-tunnel
server packetfence-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel
server packetfence-tunnel-fast { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel-fast
server packetfence-cli { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
# Loading authenticate {...}
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-cli
server dynamic_clients { # from file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
# Loading authorize {...}
} # server dynamic_clients
server status { # from file /usr/local/pf/raddb/sites-enabled/status
# Loading authorize {...}
} # server status
server pf.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf.cluster
server pfcli.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading post-proxy {...}
} # server pfcli.cluster
thread pool {
start_servers = 0
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread pool initialized
auth: #### Opening IP addresses and Ports ####
listen {
type = "status"
virtual_server = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
virtual_server = "pf-remote"
ipaddr = 172.20.135.4
port = 0
}
listen {
type = "auth+acct"
virtual_server = "packetfence"
ipaddr = 172.20.135.4
port = 2083
proto = "tcp"
tls {
verify_depth = 0
ca_path = "/usr/local/pf/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/pf/raddb/certs/server.key"
certificate_file = "/usr/local/pf/raddb/certs/server.crt"
ca_file = "/usr/local/pf/raddb/certs/ca.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 8192
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "control"
listen {
socket = "/usr/local/pf/var/run/radiusd.sock"
mode = "rw"
peercred = yes
}
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address 172.20.135.4 port 1812 bound to server pf-remote
Listening on auth+acct proto tcp address 172.20.135.4 port 2083 (TLS)
bound to server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on proxy address * port 51771
Ready to process requests
Threads: Spawning 3 spares
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Waking up in 0.3 seconds.
Thread 1 waiting to be assigned a request
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Thread 3 waiting to be assigned a request
(0) Received Access-Request Id 19 from 172.20.135.5:57221 to
172.20.135.4:1812 length 243
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xe8f25d7438b80d1efc0f74b8a8951fcf
(0) Proxy-State = 0x323531
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) update control {
(0) EXPAND %{Calling-Station-Id}
(0) --> 64:76:ba:89:71:4c
(0) Load-Balance-Key := 64:76:ba:89:71:4c
(0) Proxy-To-Realm := "remote"
(0) } # update control = noop
(0) if (!NAS-IP-Address){
(0) if (!NAS-IP-Address) -> FALSE
(0) } # authorize = noop
(0) Starting proxy to home server 172.20.135.10 port 1812
(0) Proxying request to home server 172.20.135.10 port 1812 timeout 6.000000
Listening on proxy address 172.20.135.4 port 46328
Waking up in 0.3 seconds.
(0) Sent Access-Request Id 189 from 172.20.135.4:46328 to
172.20.135.10:1812 length 247
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xe8f25d7438b80d1efc0f74b8a8951fcf
(0) Proxy-State = 0x323531
(0) Proxy-State = 0x3139
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
(0) Marking home server 172.20.135.10 port 1812 alive
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 189 from 172.20.135.10:1812 to
172.20.135.4:46328 length 46
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Proxy-State = 0x323531
(0) Proxy-State = 0x3139
(0) # Executing section post-proxy from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) post-proxy {
(0) update control {
(0) EXPAND %{home_server:ipaddr}
(0) --> 172.20.135.10
(0) PacketFence-Proxied-To := 172.20.135.10
(0) } # update control = noop
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
(0) EXPAND &proxy-reply:Packet-Type
(0) --> Access-Accept
(0) if (&proxy-reply:Packet-Type == Access-Accept) -> TRUE
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (0)
(0) Executing query: DELETE FROM radreply where
username="64:76:ba:89:71:4c"
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
(0) EXPAND %{sql_degraded:DELETE FROM radreply where
username="%{Calling-Station-Id}"}
(0) --> 3
(0) reply_in_db: $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'User-Password'} =
&request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'NAS-IP-Address'} =
&request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST{'Service-Type'} = &request:Service-Type
-> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State ->
'0x323531'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port-Type'} =
&request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Essid-Name'} =
&request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Location-Id'} =
&request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST{'Aruba-AP-Group'} =
&request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST{'Realm'} = &request:Realm -> 'remote'
(0) reply_in_db: $RAD_REQUEST{'SQL-User-Name'} =
&request:SQL-User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'PacketFence-KeyBalanced'} =
&request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_CHECK{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CHECK{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CHECK{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_CONFIG{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CONFIG{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CONFIG{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Name'} =
&proxy-request:User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Password'} =
&proxy-request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-IP-Address'} =
&proxy-request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port'} =
&proxy-request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Service-Type'} =
&proxy-request:Service-Type -> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Called-Station-Id'} =
&proxy-request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Calling-Station-Id'} =
&proxy-request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[0] =
&proxy-request:Proxy-State -> '0x3139'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[1] =
&proxy-request:Proxy-State -> '0x323531'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port-Type'} =
&proxy-request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Message-Authenticator'} =
&proxy-request:Message-Authenticator -> '0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Essid-Name'} =
&proxy-request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Location-Id'} =
&proxy-request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-AP-Group'} =
&proxy-request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} =
&proxy-request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[0] =
&proxy-reply:Proxy-State -> '0x323531'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[1] =
&proxy-reply:Proxy-State -> '0x3139'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Type'} =
&proxy-reply:Tunnel-Type -> 'VLAN'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type'} =
&proxy-reply:Tunnel-Medium-Type -> 'IEEE-802'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id'} =
&proxy-reply:Tunnel-Private-Group-Id -> '135'
(0) reply_in_db: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'}
-> 'Wireless-802.11'
(0) reply_in_db: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} ->
'0x323531'
(0) reply_in_db: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Call-Check'
(0) reply_in_db: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: &request:Realm = $RAD_REQUEST{'Realm'} -> 'remote'
(0) reply_in_db: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &request:Aruba-AP-Group =
$RAD_REQUEST{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'64-76-ba-89-71-4c'
(0) reply_in_db: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &request:User-Password = $RAD_REQUEST{'User-Password'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) reply_in_db: &control:PacketFence-Proxied-To =
$RAD_CHECK{'PacketFence-Proxied-To'} -> '172.20.135.10'
(0) reply_in_db: &control:Load-Balance-Key =
$RAD_CHECK{'Load-Balance-Key'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &control:PacketFence-reply-insert =
$RAD_CHECK{'PacketFence-reply-insert'} -> 'INSERT into radreply
(username, attribute, value) values
('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')'
(0) reply_in_db: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'}
-> 'remote'
(0) reply_in_db: &proxy-request:NAS-Port-Type =
$RAD_REQUEST_PROXY{'NAS-Port-Type'} -> 'Wireless-802.11'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x3139'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x323531'
(0) reply_in_db: &proxy-request:Service-Type =
$RAD_REQUEST_PROXY{'Service-Type'} -> 'Call-Check'
(0) reply_in_db: &proxy-request:Aruba-Essid-Name =
$RAD_REQUEST_PROXY{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &proxy-request:Calling-Station-Id =
$RAD_REQUEST_PROXY{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &proxy-request:Called-Station-Id =
$RAD_REQUEST_PROXY{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &proxy-request:PacketFence-KeyBalanced =
$RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &proxy-request:Message-Authenticator =
$RAD_REQUEST_PROXY{'Message-Authenticator'} ->
'0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: &proxy-request:Aruba-AP-Group =
$RAD_REQUEST_PROXY{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &proxy-request:Aruba-Location-Id =
$RAD_REQUEST_PROXY{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &proxy-request:User-Name =
$RAD_REQUEST_PROXY{'User-Name'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:User-Password =
$RAD_REQUEST_PROXY{'User-Password'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:NAS-IP-Address =
$RAD_REQUEST_PROXY{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &proxy-request:NAS-Port =
$RAD_REQUEST_PROXY{'NAS-Port'} -> '0'
(0) reply_in_db: &proxy-reply:Tunnel-Private-Group-Id:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id:0'} -> '135'
(0) reply_in_db: &proxy-reply:Tunnel-Medium-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type:0'} -> 'IEEE-802'
(0) reply_in_db: &proxy-reply:Tunnel-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Type:0'} -> 'VLAN'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x323531'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x3139'
(0) [reply_in_db] = ok
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (1)
(0) Executing query: INSERT into radreply (username, attribute,
value) values ('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')
rlm_sql_mysql: Records: 3 Duplicates: 0 Warnings: 0
rlm_sql (sql): Released connection (1)
(0) EXPAND %{sql_degraded:%{control:PacketFence-reply-insert}}
(0) --> 3
(0) } # if (&proxy-reply:Packet-Type == Access-Accept) = ok
(0) ... skipping else: Preceding "if" was taken
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> 64-76-ba-89-71-4c
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) } # post-proxy = updated
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [64-76-ba-89-71-4c] (from client pf port 0 cli
64:76:ba:89:71:4c)
(0) Sent Access-Accept Id 19 from 172.20.135.4:1812 to
172.20.135.5:57221 length 0
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Type:0 = VLAN
(0) Proxy-State = 0x323531
(0) Finished request
Thread 3 waiting to be assigned a request
Waking up in 4.6 seconds.
```
--
Fabrice Durand
fdurand(a)inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
3
10
I'm setting up a Mikrotik router to authenticate via my FreeRadius server
which is also connected to a Kerberos server.
I've set up Juniper/JunOS routers to it and it's working fine.
However, with Mikrotik, FreeRadius seems to reject the request. I'm not
entirely sure how to move forward and rectify this one.
*user.conf:*
mihael Auth-Type := kerberos
> Service-Type = Administrative-User,
> Juniper-Local-User-Name := "super-users",
> Cisco-AVPair = "shell:priv-lvl=15",
> MikroTik-Group := “write”
*clients.conf:*
client 10.129.2.5 {
> secret = mysecret
> shortname = Miktrotik-Device
> nastype = other
> }
*tcpdump:*
>
> 11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS,
> Access Request (1), id: 0x22 length: 145
> 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS,
> Access Request (1), id: 0x22 length: 145
> 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS,
> Access Request (1), id: 0x22 length: 145
> 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS,
> Access Reject (3), id: 0x22 length: 20
> 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP
> czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56
Attached is the logs for the request acquired via `radiusd -X`
Thanks,
mihael
3
7
I'm copying server from one machine to another,
old machine is centos7, freeradius 3.0.14, compiled from sources.
new machine is centos7, freeradius 3.0.21, from repo networkradius
on old machine is all working just fine.
on new machine, when i copy and enable module sql_postgresql mod sql with dialect postgres, server crashes. radiusd -X prints
[cut[
Could not link driver rlm_sql_postgresql: /lib64/libldap_r-2.4.so.2: undefined symbol: ber_sockbuf_io_udp
Make sure it (and all its dependent libraries!) are in the search path of your system's ld
/etc/raddb/mods-enabled/sql_postgresql[20]: Instantiation failed for module "postgresql"
selinux it;s turned off, ldd doesn't show any errors, on 'old' machine' libldap is in tge same version. and this config there just works. i ran out of ideas. where should i look?
2
1
Good evening users,
I am currently trying to resolve an issue with calculating the
difference between the value of acctinputoctets and acctoutputoctets
from a MySQL lookup and the latest interim update received from the
carrier.
My calculation is currently in the preacct section which looks like this:-
preacct {
preprocess
if("%{sql:SELECT count(*) from radacct where
acctsessionid = '%{Acct-Session-Id}'}" >= 1) {
update request {
Acct-Diff = "%{sql:SELECT greatest(0, ('%{Acct-Input-Octets}'
+ '%{Acct-Output-Octets}') - (acctinputoctets + acctoutputoctets)) as
diff from radacct where acctsessionid = '%{Acct-Session-Id}'}"
}
}
The query works fine, until the values from the radacct table
(acctinputoctets + acctoutputoctets) are greater than 4 294 967 296
for the particular acctsessionid. When the value is larger than that
we get 0. Under that we get the actual difference.
*Above 4 294 967 296 Wed Jun 10 15:27:17 2020 :
Debug: (12) Acct-Diff = "0"
*Below 4 294 967 296 Tue Jun 9 15:10:42 2020 :
Debug: (9) Acct-Diff += "254631"
I changed the dictionary entry for Acct-Diff from Integer to String.
The calculation works again until the number is greater than
4294967296.
I suspect what might be happening is the sum (acctinputoctets +
acctoutputoctets) is getting treated as two integer values. So when
they reach a value higher than 4294967296 the calculation does not
work and sends 0 due to the SQL SELECT greatest(0,
I was hoping someone on the list would be able to point me in the
right direction...
Many thanks,
Gabriel
2
3
rlm_python: Access Request source IP Address is missing from authorize(p) function argument
by Gleb Lisikh 13 Jun '20
by Gleb Lisikh 13 Jun '20
13 Jun '20
Hi!
I'd like to be able to work in my python authorize function with the IP
address of the NAS interface from which Access-Request is received
(external). From the radiusd -X output this is the A1.A2.A3.A4 address I am
interested in.
=========================================
Received Access-Request Id 7 from A1.A2.A3.A4:54594 to B1.B2.B3.B4:1812
length 415
==========================================
This is the same IP address that gets tested against shared secret
configured in clients.conf
Unfortunately, the tuple (p) that gets passed to the authorize function
(authorize(p)) by rlm_python has a different (internal) NAS-IP-Address,
which is of no use to me.
If radiusd is in principle aware of the A1.A2.A3.A4 IP address I am
interested in, how can I gain access to it in my python authorize(p) or
any other function?
Thank you,
Gleb
2
6
Hii All,
It is possible to mark any user with custom attribute or any existing
attribute for like special/expired user on radius reply..and also that
custom/existing attribute value return in every accounting data.
Need: for mark expired login users.
Thanks
Imdad
2
1
Hi there,
Newbie here, so please be gentle :)
I've been setting up a FreeRADIUS server for a client, so they can
(finally!) break away from AD/NPS-based RADIUS (ugh) for company WiFi. I
have SCEP certificates pushed out to all machines, and I have iPhones
connecting perfectly (transparent connection to test SSID with
successful RADIUS validation). But I am banging my head against the wall
with Windows 10 devices...
Certificates valid (from the same source, same profile), CA configured
correctly, it _should_ be working (as iOS can connect), but freeradius
-X gives me this:
...
(42) eap_tls: ocsp: Cert status: good
(42) eap_tls: ocsp: Certificate is valid
(42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(42) eap_tls: <<< recv TLS 1.2 [length 0066]
(42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(42) eap_tls: <<< recv TLS 1.2 [length 0108]
(42) eap_tls: >>> send TLS 1.2 [length 0002]
(42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
(42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(42) eap_tls: ERROR: error:0407E086:rsa
routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(42) eap_tls: ERROR: error:1417B07B:SSL
routines:tls_process_cert_verify:bad signature
(42) eap_tls: ERROR: System call (I/O) error (-1)
(42) eap_tls: ERROR: TLS receive handshake failed during operation
(42) eap_tls: ERROR: [eaptls process] = fail
(42) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
(42) eap: Sending EAP Failure (code 4) ID 187 length 4
...
Sadly I can't work out _which_ signature it's having a problem with -
openssl verify is fine with the certificate and CA. The correct
certificate is being sent (I can see that elsewhere in the output), EKU
is all good.
Any pointers would be really appreciated - I'm not sure at the moment
whether to continue squinting at FreeRADIUS config, Windows config, SCEP
certificate properties, or what!
FreeRADIUS 3.0.21
OpenSSL 1.1.1
Windows fully updated
I have different CAs for FreeRADIUS (Let's Encrypt) and SCEP
(self-signed), but I understand this is fine, and as I mentioned it
works for iOS.
Has anyone seen this before? I've hunted all over the Internet, but
nothing quite matches :(
Thanks in advance.
--
Peter Bance
Information Security Adviser
2
7
Hello,
I wrote an authorize policy used to update some VPN attributes against
specific ldap groups.
I see a different behavior when I use a "switch case" logic versus using
"if" condition.
When using "switch case", the ldap module is not called. So, the ldap
group is not populated and the test doesn't work.
But if I do the same test using an "if" condition then it works.
Configuration using "switch case" - not working in authorize section :
switch &Ldap-group {
case "group1" {
update {
reply:Reply-message := "You are from group1."
}
return
}
case "group2" {
update {
reply:Reply-message := "You are from group1."
}
return
}
case {
update {
reply:Reply-message := "You are unknown."
}
return
}
}
Configuration using "if / elsif / else" - working in authorize section :
if (&Ldap-group == "group1") {
update {
reply:Reply-message := "You are from group1."
}
return
}
elsif (&Ldap-group == "group2") {
update {
reply:Reply-message := "You are from group1."
}
return
}
else {
update {
reply:Reply-message := "You are unknown."
}
return
}
I had a look on some documentations (man unlang, rlm_ldap) but I do not
understand if it is a normal behavior of the condition "switch case" or not.
Thank you for your help
--
Jérôme BERTHIER
DSI - Service Conception d'Infrastructure
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50
2
2
invoking the interim-update alternate query when accounting session not found
by Jeff Crowe 10 Jun '20
by Jeff Crowe 10 Jun '20
10 Jun '20
Hello,
I have a situation where one of my radius accounting servers was offline while users connected, now the interim accounting updates result in errors because it cannot find a matching accounting session (obviously). Is there a way to have freeradius invoke the alternate query in the queries.conf file to create the missing record?
From: /etc/freeradius/mods-config/sql/main/mysql/queries.conf
interim-update {
#
# Update an existing session and calculate the interval
# between the last data we received for the session and this
# update. This can be used to find stale sessions.
#
query = "\
UPDATE ${....acct_table1} \
SET \
acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \
acctupdatetime = FROM_UNIXTIME(\
%{integer:Event-Timestamp}), \
acctinterval = %{integer:Event-Timestamp} - \
UNIX_TIMESTAMP(@acctupdatetime_old), \
framedipaddress = '%{Framed-IP-Address}', \
acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Input-Octets}:-0}', \
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Output-Octets}:-0}' \
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
#
# The update condition matched no existing sessions. Use
# the values provided in the update to create a new session.
#
query = "\
INSERT INTO ${....acct_table1} \
(${...column_list}) \
VALUES \
('%{Acct-Session-Id}', \
'%{Acct-Unique-Session-Id}', \
'%{SQL-User-Name}', \
'%{Realm}', \
'%{NAS-IP-Address}', \
'%{%{NAS-Port-ID}:-%{NAS-Port}}', \
'%{NAS-Port-Type}', \
FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), \
FROM_UNIXTIME(%{integer:Event-Timestamp}), \
NULL, \
%{%{Acct-Session-Time}:-NULL}, \
'%{Acct-Authentic}', \
'%{Connect-Info}', \
'', \
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', \
'', \
'%{Service-Type}', \
'%{Framed-Protocol}', \
'%{Framed-IP-Address}')"
}
Debug capture of failed update:
rad-acct-king-2:~# freeradius -X -d /etc/freeradius
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file /etc/freeradius/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/linelog
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/debug
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/status
including configuration file /etc/freeradius/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 205.189.48.17 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pm3-west"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 205.189.48.17. Please fix your configuration
Support for old-style clients will be removed in a future release
client 172.19.2.99 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "aggr-wprt-asr1002-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.19.2.99. Please fix your configuration
Support for old-style clients will be removed in a future release
client 172.19.2.100 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "aggr-wprt-asr1002-2"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.19.2.100. Please fix your configuration
Support for old-style clients will be removed in a future release
client 172.19.2.192 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "aggr-wprt-mx104-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.19.2.192. Please fix your configuration
Support for old-style clients will be removed in a future release
Debugger not attached
# Creating Autz-Type = Status-Server
# Creating Auth-Type = digest
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/mods-enabled/sql
sql sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "freerad"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql-SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql-SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate, reason) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S', '%{reply:Reply-Message}')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute sql-SQL-Group
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
instantiate {
}
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "sql" from file /etc/freeradius/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.3.22
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 61 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 60 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server status { # from file /etc/freeradius/sites-enabled/status
# Loading authorize {...}
} # server status
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 46467
Listening on proxy address :: port 58309
Ready to process requests
(0) Received Accounting-Request Id 149 from 172.19.2.192:53535 to 172.19.2.35:1813 length 390
(0) User-Name = "cxusername"
(0) Acct-Status-Type = Interim-Update
(0) Acct-Session-Id = "24367"
(0) Event-Timestamp = "Jun 9 2020 09:35:00 EDT"
(0) Acct-Input-Octets = 1232081388
(0) Acct-Output-Octets = 862013286
(0) Acct-Session-Time = 5751579
(0) Acct-Input-Packets = 147817553
(0) Acct-Output-Packets = 335060766
(0) Acct-Delay-Time = 0
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Attr-26.4874.177 = 0x506f72742073706565643a2032303030303030306b
(0) Acct-Authentic = RADIUS
(0) ERX-Dhcp-Mac-Addr = "78e3.b569.cfa7"
(0) Framed-IP-Address = 1.2.3.4
(0) Framed-IP-Netmask = 255.255.255.255
(0) ERX-Input-Gigapkts = 0
(0) Acct-Input-Gigawords = 7
(0) NAS-Identifier = "aggr-mx104-1"
(0) NAS-Port = 52
(0) NAS-Port-Id = "ae6.demux0.3221225847:52"
(0) NAS-Port-Type = Ethernet
(0) ERX-Output-Gigapkts = 0
(0) Acct-Output-Gigawords = 100
(0) ERX-IPv6-Acct-Input-Octets = 0
(0) ERX-IPv6-Acct-Output-Octets = 0
(0) ERX-IPv6-Acct-Input-Packets = 0
(0) ERX-IPv6-Acct-Output-Packets = 0
(0) ERX-IPv6-Acct-Input-Gigawords = 0
(0) ERX-IPv6-Acct-Output-Gigawords = 0
(0) ERX-Virtual-Router-Name = "default:internet"
(0) ERX-Pppoe-Description = "pppoe 78:e3:b5:69:cf:a7"
(0) NAS-IP-Address = 172.19.2.192
(0) # Executing section preacct from file /etc/freeradius/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) update request {
(0) &Tmp-String-9 := "ai:"
(0) } # update request = noop
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(0) EXPAND %{hex:&Class}
(0) -->
(0) EXPAND ^%{hex:&Tmp-String-9}
(0) --> ^61693a
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> f4e2b974a457942478b811ae16067bc6
(0) &Acct-Unique-Session-Id := f4e2b974a457942478b811ae16067bc6
(0) } # update request = noop
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "cxusername", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file /etc/freeradius/sites-enabled/default
(0) accounting {
(0) [unix] = noop
(0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(0) sql: --> type.interim-update.query
(0) sql: Using query template 'query'
(0) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(0) sql: --> cxusername
(0) sql: SQL-User-Name set to 'cxusername'
(0) sql: EXPAND UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(0) sql: --> UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1591709700), acctinterval = 1591709700 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '1.2.3.4', acctsessiontime = 5751579, acctinputoctets = '7' << 32 | '1232081388', acctoutputoctets = '100' << 32 | '862013286' WHERE AcctUniqueId = 'f4e2b974a457942478b811ae16067bc6'
(0) sql: Executing query: UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1591709700), acctinterval = 1591709700 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '1.2.3.4', acctsessiontime = 5751579, acctinputoctets = '7' << 32 | '1232081388', acctoutputoctets = '100' << 32 | '862013286' WHERE AcctUniqueId = 'f4e2b974a457942478b811ae16067bc6'
(0) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acct_session_id' in 'where clause'): 42S22
(0) sql: SQL query returned: server error
(0) [sql] = fail
(0) } # accounting = fail
(0) Not sending reply to client.
(0) Finished request
(0) Cleaning up request packet ID 149 with timestamp +0
Ready to process request
Regards,
Jeff Crowe
2
1