Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2022
- 29 participants
- 39 discussions
Hello,
I’m searching a way to cache authentification with EAP-GTC as a EAP phase 2.
It is currently very easy with PAP (as I have the User-Password in the
authenticate part) but I can’t succeed to find a way to cache it with
EAP-GTC.
Do I miss an attribute that would help me to cache an Access-Accept in that
way ?
Cyril Grosjean
2
7
Hello,
System version: freeradius-server-3.0.21
I follow this article“ https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind ”Guide and verify the ad domain user successfully; Now I want to return different VLAN IDs for different domain user groups. Can I do this? Are there any related reference articles?
Looking forward to your professional guidance.
Best regards
3
3
Re: Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC (Alan DeKok)
by Jesper Nemholt 13 Sep '22
by Jesper Nemholt 13 Sep '22
13 Sep '22
>
> Date: Mon, 12 Sep 2022 13:25:29 -0400
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Stuck on ntlm_auth/mschap setup between FreeRADIUS &
> Samba DC
> Message-ID: <3B99D14F-FF06-41CD-B1A5-103249CAA6ED(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Sep 12, 2022, at 3:42 AM, Jesper Nemholt <jfn(a)dataradical.com> wrote:
> > As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and
> > AD. My AD is a Samba 4 server,
>
[clip]
> > On the radius debug log I get this :
>
> That's the only thing that matters. Everything else is not really
> helpful.
>
> > (0) mschap: EXPAND
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (0) mschap: --> --username=BAR\\foo
> > (0) mschap: EXPAND --domain=%{mschap:NT-Domain}
> > (0) mschap: --> --domain=BAR
>
> Note that this username / domain is different than what you used when
> testing ntlm_auth on the command line.
>
> How about configuring FreeRADIUS to just use "foo" for the
> "--username=foo" field? The mschap module has extensive documentation on
> this subject. Perhaps try:
>
> ... --username=%{mschap:User-Name} ...
>
I did try that also. Mschap will then fail with an error about the missing
domain like this :
(0) Login incorrect (mschap: No NT-Domain was found in the User-Name):
[jfn/<via Auth-Type = mschap>] (from client localhost port 0)
To resolve that I can manually set the domain, like I did when manually
running ntlm_auth, just to verify whether it would work if it got the
domain provided properly.
> > So my guess is that my ntlm_auth line is not correct, or I missed some
> > other parameter somewhere, but I've tried quite a few options so far, and
> > they seem to all fail.
>
> It isn't helpful to try random things.
>
Did not do anything random but followed the guide at
http://deployingradius.com/documents/configuration/active_directory.html
and also the Samba FreeRADIUS guide for comparison.
The first one is the one you recommended to follow and the one I primarily
used.
In any case I resolved the issue and all works now. The problem was not in
the FreeRADIUS configuration, but on the domain controller.
/Jesper
2
1
Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
by CpServiceSPb 11 Sep '22
by CpServiceSPb 11 Sep '22
11 Sep '22
I use Freeradius 3.0.21 on Ubuntu 18.04 x64 LTS.
It is started under freerad:freerad, acts as DHCP as well listen to 0.0.0.0
IP and accept broadcast on one of two interfaces and listen to
192.168.0.254 and not accept broadcast on other one interface.
During DHCP conversation with clients using broadcast accepting (IP
0.0.0.0) interface, the following message is got and DHCP don' t assign to
the client:
"Failed adding ARP entry: Failed to add entry in ARP cache: Operation not
permitted (1)"
I don' t want to launch Freeradius under either root user or root/admin
group.
What is the best solution to avoid the error under freerad:freerad and move
on ?
4
7
Hi,
I would like to allow host access to the network according to these
restrictions (I am listing only those that require a RADIUS server):
1) wireless clients that connect to a specific SSID are required to
either use EAP-TLS or PEAP. If they pass the authorization and
authentication they will be dynamically assigned to vlan 112 (base on
a local SQL lookup of their MAC addresses). Rejected otherwise.
2) wired clients:
a) If they support dot1x, use either EAP-TLS or PEAP and pass then
they will be dynamically assigned to vlan 20 (base on a local SQL
lookup of their MAC addresses).
b) If dot1x fails try MAC Authentication Bypass. The MAC address
received by the Freeradius server will be looked up in a local DB, and
a VLAN ID will be dynamically assigned accordingly (different vlan IDs
except '1').
c) If the MAC address involved in MAB is not found in the local DB
then allow access but dynamically assign another vlan ID (eg. 1).
I have a FreeRADIUS server and a mix of Cisco and D-Link switches (but
I'll be focusing on Cisco because I don't think the D-Link models I
have support MAB).
Step 1 (wireless clients) has been working fine for years now.
I managed to get step 2 working, but then step 1 fails.
The configuration is quite long so I hope no one minds if I paste here
some sections.
Here is the "working" configuration for step 1 (for testing purposes
and to simplify debugging I'm just assigning vlan ID 112 when using
EAP and vlan ID 1 when not).
File 'sites-enabled/default' contains:
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
custom_split_username_nai
filter_username
preprocess
custom_filter_default
suffix
ntdomain
-ldap
expiration
logintime
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
unix
exec
attr_filter.accounting_response
}
session {
}
post-auth {
update {
&reply: += &session-state:
}
linelog
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
linelog
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
if (EAP-Message) {
update reply {
&Tunnel-Type := VLAN
&Tunnel-Medium-Type := IEEE-802
&Tunnel-Private-Group-Id := 112
# &Auth-Type := Accept
}
} else {
update reply {
&Tunnel-Type := VLAN
&Tunnel-Medium-Type := IEEE-802
&Tunnel-Private-Group-Id := 1
# &Auth-Type := Accept
}
}
}
pre-proxy {
}
post-proxy {
eap
}
}
---
In file policy.d/filter custom_filter_default looks up MAC addresses
in local DB eventually denying some requests.
A debug log of a working authentication (step 1) would look something like this:
(32) Received Access-Request Id 200 from 192.168.216.22:43597 to
10.215.144.91:1812 length 435
(32) User-Name = "host/HM2214.domain.local"
(32) NAS-Identifier = "b4fbe475aed9"
(32) Called-Station-Id = "B4-FB-E4-75-AE-D9:HM private access"
(32) NAS-Port-Type = Wireless-802.11
(32) Service-Type = Framed-User
(32) Calling-Station-Id = "8C-55-4A-D5-73-57"
(32) Connect-Info = "CONNECT 0Mbps 802.11b"
(32) Acct-Session-Id = "E70814F5EF081437"
(32) Acct-Multi-Session-Id = "355A9CEC86878217"
(32) WLAN-Pairwise-Cipher = 1027076
(32) WLAN-Group-Cipher = 1027076
(32) WLAN-AKM-Suite = 1027073
(32) Framed-MTU = 1400
(32) EAP-Message =
0x025400ac0d80000000a2160303009d0100009903036317801de99d7d69b9fec9eb8e49887f7c0eb4abedee360ab1fc236b4de4a05800002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(32) State = 0x0081417701d54caa876904a5f97342cd
(32) Message-Authenticator = 0xaf1a468d4f13396bec05eaa4670f2bdc
[...]
(32) authorize {
[...]
[ntdomain] = noop
(32) [expiration] = noop
(32) [logintime] = noop
(32) } # authorize = updated
(32) Found Auth-Type = eap
(32) # Executing group from file /etc/raddb/sites-enabled/default
(32) authenticate {
(32) eap: Expiring EAP session with state 0x0081417701d54caa
(32) eap: Finished EAP session with state 0x0081417701d54caa
(32) eap: Previous EAP request found for state 0x0081417701d54caa,
released from the list
(32) eap: Peer sent packet with method EAP TLS (13)
(32) eap: Calling submodule eap_tls to process data
(32) eap_tls: (TLS) EAP Peer says that the final record size will be 162 bytes
(32) eap_tls: (TLS) EAP Got all data (162 bytes)
(32) eap_tls: (TLS) Handshake state - before SSL initialization (0)
(32) eap_tls: (TLS) Handshake state - Server before SSL initialization (0)
(32) eap_tls: (TLS) Handshake state - Server before SSL initialization (0)
(32) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (20)
(32) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (22)
(32) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (23)
(32) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (24)
(32) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write
certificate request (25)
(32) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (26)
(32) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(32) eap_tls: (TLS) In Handshake Phase
(32) eap: Sending EAP Request (code 1) ID 85 length 1004
(32) eap: EAP session adding &reply:State = 0x0081417702d44caa
(32) [eap] = handled
(32) } # authenticate = handled
(32) Using Post-Auth-Type Challenge
(32) # Executing group from file /etc/raddb/sites-enabled/default
(32) Challenge { ... } # empty sub-section is ignored
(32) session-state: Saving cached attributes
(32) Framed-MTU = 994
(32) Sent Access-Challenge Id 200 from 10.215.144.91:1812 to
192.168.216.22:43597 length 0
[...]
(37) authenticate {
(37) eap: Expiring EAP session with state 0x0081417706d84caa
(37) eap: Finished EAP session with state 0x0081417706d84caa
(37) eap: Previous EAP request found for state 0x0081417706d84caa,
released from the list
(37) eap: Peer sent packet with method EAP TLS (13)
(37) eap: Calling submodule eap_tls to process data
(37) eap_tls: (TLS) EAP Got final fragment (1012 bytes)
(37) eap_tls: (TLS) EAP Done initial handshake
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (26)
(37) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(37) eap_tls: (TLS) Creating attributes from TLS-Client-Cert-Serial certificate
(37) eap_tls: (TLS) Creating attributes from server certificate
(37) eap_tls: TLS-Cert-Serial := "5b0000000f6866b08df40ccce300010000000f"
(37) eap_tls: TLS-Cert-Expiration := "320829094522Z"
(37) eap_tls: TLS-Cert-Valid-Since := "220901094522Z"
(37) eap_tls: TLS-Cert-Subject := "/DC=local/DC=domain/CN=SUBCAHM"
(37) eap_tls: TLS-Cert-Issuer := "/DC=local/DC=domain/CN=CAHM"
(37) eap_tls: TLS-Cert-Common-Name := "SUBCAHM"
(37) eap_tls: (TLS) Creating attributes from client certificate
(37) eap_tls: TLS-Client-Cert-Serial :=
"3100002953a699132464a0c6c4000800002953"
(37) eap_tls: TLS-Client-Cert-Expiration := "230906155017Z"
(37) eap_tls: TLS-Client-Cert-Valid-Since := "220906155017Z"
(37) eap_tls: TLS-Client-Cert-Subject := "/CN=HM2214.domain.local"
(37) eap_tls: TLS-Client-Cert-Issuer := "/DC=local/DC=domain/CN=SUBCAHM"
(37) eap_tls: TLS-Client-Cert-Common-Name := "HM2214.domain.local"
(37) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "HM2214.domain.local"
(37) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication, TLS Web Server Authentication"
(37) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"38:AE:B8:45:E3:FF:5F:E8:6B:E9:F8:CA:8A:DA:0C:C7:55:63:69:71"
(37) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"keyid:2B:A9:FC:BD:BA:C9:E4:C0:E2:55:23:36:EB:96:FD:F0:03:CC:53:2D\n"
(37) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(37) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.1"
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client
certificate (27)
(37) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key
exchange (28)
(37) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read
certificate verify (29)
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change
cipher spec (31)
(37) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished (32)
(37) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change
cipher spec (35)
(37) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
(37) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished (36)
(37) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully (1)
(37) eap_tls: (TLS) Connection Established
(37) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(37) eap_tls: TLS-Session-Version = "TLS 1.2"
(37) eap: Sending EAP Request (code 1) ID 90 length 61
(37) eap: EAP session adding &reply:State = 0x0081417707db4caa
(37) [eap] = handled
(37) } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) # Executing group from file /etc/raddb/sites-enabled/default
(37) Challenge { ... } # empty sub-section is ignored
(37) session-state: Saving cached attributes
(37) Framed-MTU = 994
(37) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(37) TLS-Session-Version = "TLS 1.2"
(37) Sent Access-Challenge Id 205 from 10.215.144.91:1812 to
192.168.216.22:43597 length 0
(37) EAP-Message =
0x015a003d0d80000000331403030001011603030028c62d4b915fa17f780d1eeed1c8df2666d86f908e5ffa52fb0f687cd05e9a61940f477283e89dfc87
(37) Message-Authenticator = 0x00000000000000000000000000000000
(37) State = 0x0081417707db4caa876904a5f97342cd
(37) Finished request
Waking up in 4.6 seconds.
(38) Received Access-Request Id 206 from 192.168.216.22:43597 to
10.215.144.91:1812 length 269
(38) User-Name = "host/HM2214.domain.local"
[...]
(38) authenticate {
(38) eap: Expiring EAP session with state 0x0081417707db4caa
(38) eap: Finished EAP session with state 0x0081417707db4caa
(38) eap: Previous EAP request found for state 0x0081417707db4caa,
released from the list
(38) eap: Peer sent packet with method EAP TLS (13)
(38) eap: Calling submodule eap_tls to process data
(38) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(38) eap: Sending EAP Success (code 3) ID 90 length 4
(38) eap: Freeing handler
(38) [eap] = ok
(38) } # authenticate = ok
(38) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(38) post-auth {
(38) update {
(38) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(38) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] ->
'ECDHE-RSA-AES256-GCM-SHA384'
(38) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(38) } # update = noop
(38) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(38) linelog: --> messages.Access-Accept
(38) linelog: EXPAND Accepted user: %{User-Name}
(38) linelog: --> Accepted user: host/HM2214.domain.local
(38) linelog: EXPAND /var/log/radius/linelog
(38) linelog: --> /var/log/radius/linelog
(38) [linelog] = ok
(38) [exec] = noop
(38) policy remove_reply_message_if_eap {
(38) if (&reply:EAP-Message && &reply:Reply-Message) {
(38) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(38) else {
(38) [noop] = noop
(38) } # else = noop
(38) } # policy remove_reply_message_if_eap = noop
(38) if (EAP-Message) {
(38) if (EAP-Message) -> TRUE
(38) if (EAP-Message) {
(38) update reply {
(38) &Tunnel-Type := VLAN
(38) &Tunnel-Medium-Type := IEEE-802
(38) &Tunnel-Private-Group-Id := 112
(38) } # update reply = noop
(38) } # if (EAP-Message) = noop
(38) } # else = noop
(38) } # post-auth = ok
(38) Login OK: [host/HM2214.domain.local] (from client UH3B3 port 0
cli 8C-55-4A-D5-73-57)
(38) Sent Access-Accept Id 206 from 10.215.144.91:1812 to
192.168.216.22:43597 length 0
(38) MS-MPPE-Recv-Key =
0xf4306c74bb325ce7db5a69f321f82830cb28530f48748c69cf1df45cf32f8994
(38) MS-MPPE-Send-Key =
0xd246e7a33f6701cec10c067ab22350bf04080357151e849b8c6038a0e3762cf4
(38) EAP-Message = 0x035a0004
(38) Message-Authenticator = 0x00000000000000000000000000000000
(38) User-Name = "host/HM2214.domain.local"
(38) Framed-MTU += 994
(38) Tunnel-Type := VLAN
(38) Tunnel-Medium-Type := IEEE-802
(38) Tunnel-Private-Group-Id := "112"
(38) Finished request
---
So the host HM2214.domain.local is now within vlan 112 and has the
expected network access rights.
I then tried to modify the Freeradius configuration to allow wired
hosts access to the network. Again, to simplify things at first I did
not connect a client with dot1x - I just wanted to use MAB. Thus the
Cisco switch sends the client's MAC address as the "user name".
This is part of a debug log of a successful login of a wired host.
(36) Received Access-Request Id 139 from 172.28.175.244:1645 to
172.28.175.254:1812 length 261
(36) User-Name = "c4346b67d37f"
(36) User-Password = "c4346b67d37f"
(36) Service-Type = Call-Check
(36) Cisco-AVPair = "service-type=Call Check"
(36) Framed-MTU = 1500
(36) Called-Station-Id = "00-27-90-6C-BA-8D"
(36) Calling-Station-Id = "C4-34-6B-67-D3-7F"
(36) Message-Authenticator = 0x34433f3a86e93db1665f511096654022
(36) Cisco-AVPair = "audit-session-id=AC1CAFF40000001C2427594E"
(36) Cisco-AVPair = "method=mab"
(36) NAS-IP-Address = 172.28.175.244
(36) NAS-Port-Id = "GigabitEthernet1/0/13"
(36) NAS-Port-Type = Ethernet
(36) NAS-Port = 50113
(36) # Executing section authorize from file /etc/raddb/sites-enabled/default
(36) authorize {
[...]
(36) eap: No EAP-Message, not doing EAP
(36) [eap] = noop
[...]
(36) [ntdomain] = noop
(36) files: users: Matched entry c4346b67d37f at line 207
(36) [files] = ok
(36) [expiration] = noop
(36) [logintime] = noop
(36) [pap] = updated
(36) } # authorize = updated
(36) Found Auth-Type = PAP
(36) # Executing group from file /etc/raddb/sites-enabled/default
(36) Auth-Type PAP {
(36) pap: Login attempt with password
(36) pap: Comparing with "known good" Cleartext-Password
(36) pap: User authenticated successfully
(36) [pap] = ok
(36) } # Auth-Type PAP = ok
(36) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(36) post-auth {
(36) update {
(36) No attributes updated for RHS &session-state:
(36) } # update = noop
(36) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(36) linelog: --> messages.Access-Accept
(36) linelog: EXPAND Accepted user: %{User-Name}
(36) linelog: --> Accepted user: c4346b67d37f
(36) linelog: EXPAND /var/log/radius/linelog
(36) linelog: --> /var/log/radius/linelog
(36) [linelog] = ok
(36) [exec] = noop
(36) policy remove_reply_message_if_eap {
(36) if (&reply:EAP-Message && &reply:Reply-Message) {
(36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(36) else {
(36) [noop] = noop
(36) } # else = noop
(36) } # policy remove_reply_message_if_eap = noop
(36) if (EAP-Message) {
(36) if (EAP-Message) -> FALSE
(36) else {
(36) update reply {
(36) &Tunnel-Type := VLAN
(36) &Tunnel-Medium-Type := IEEE-802
(36) &Tunnel-Private-Group-Id := 1
(36) } # update reply = noop
(36) } # else = noop
(36) } # post-auth = ok
(36) Login OK: [c4346b67d37f] (from client D2423 port 50113 cli
C4-34-6B-67-D3-7F)
(36) Sent Access-Accept Id 139 from 172.28.175.254:1812 to
172.28.175.244:1645 length 0
(36) Tunnel-Type := VLAN
(36) Tunnel-Medium-Type := IEEE-802
(36) Tunnel-Private-Group-Id := "1"
(36) Tunnel-Preference = 0
(36) Finished request
In order to get this I modified 'sites-enabled/default' to include
'files' in the 'authorize' section. I also had to add the following in
the users file:
DEFAULT Auth-Type := Accept
That's because I was hoping to accomplish what is stated in Step 2
(c), ie. allow "any" MAC address but assign a different vlan ID.
With this configuration wired hosts access "as expected", but wireless
hosts with EAP-TLS fail to have access to the network even though the
freeradisu debug log reports a "Login OK" line. The EAP messages are
not seen in the log so it seems they're being by-passed.
I'd like to give more information, but this e-mail is long already --
maybe even too long.
What could I try from here?
Regards,
Vieri
3
4
Hi,
I work at a company with more than 300 APs and this number only increases.
To permit each AP to connect to Freeradius, I've configured a specified
VLAN with DHCPv4 and I've delivered to APs. The clients.conf has looked
like this:
client dhcp-aps {
ipaddr = 10.20.0.0/20
secret = testing123
shortname = dhcp-aps
nastype = other
}
But I would like to store the clients configuration on a LDAP base using
radiusClient scheme where the radiusClientIdentifier is the AP's MAC
address. Then I intend to configure dynamic clients to allow the same
created network to use Freeradius, but it will use Called-Station-ID to
auth the AP on LDAP.
I've googled it and found it
https://sourceforge.net/p/hotcakes/wiki/YfiTechDynamicClients/ using
Freeradius 2.1.12. Not 3.x though. Is it possible?
--
Igor Sousa
2
5
Freeradius 3.0.20 Fresh Install not storing radacct logs in mysql table radacct
by Pedro Daniel Costa 03 Sep '22
by Pedro Daniel Costa 03 Sep '22
03 Sep '22
Hi guys i am developing a small project using freeradius, and i have installed freeradius on ubuntu 20.04 version of freeradius is 3.0.20
configured mysql tables, configured sql modules in order to load all data from mysql..
Nas table loading server details ok,
radcheck, radgroupcheck, radgroupreply, radipools configured ok.. and client logs in using username and password, and can browse the web normaly, the issue is on radacct table mysql that is not storing data at all, i have rebooted clients device couple of times,to see if radacct would update the log, but nothing happens.. only think i can see is radpostauth storing username, pass xored md5 and login date.. nothing else..
i am pretty sure it must be a configuration mistake from my side surely.. so i will attach below the full output log of the freeradius -x , maybe someone can share some information that i might be missing on the configuration..
any help will be appreciated..
root@PSI-DEV:~# sudo freeradius -X
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/sqlippool
including configuration file /etc/freeradius/3.0/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
logfile = "/var/log/freeradius/radacct/sql.log"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime,acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), acctstoptime = NULL, framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
logfile = "/var/log/freeradius/post-auth.sql"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_sqlippool
# Loading module "sqlippool" from file /etc/freeradius/3.0/mods-enabled/sqlippool
sqlippool {
sql_module_instance = "sql"
lease_duration = 1600
pool_name = "Pool-Name"
default_pool = "main_pool"
allow_duplicates = no
attribute_name = "Framed-IP-Address"
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE pool_key = '%{Calling-Station-Id}'"
allocate_clear_timeout = 1
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{Calling-Station-Id}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 1600 SECOND WHERE framedipaddress = '%I'"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = "START TRANSACTION"
start_update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 1600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{Calling-Station-Id}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = "COMMIT"
alive_begin = "START TRANSACTION"
alive_update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 1600 SECOND WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' AND pool_key = '%{Calling-Station-Id}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = "COMMIT"
stop_begin = "START TRANSACTION"
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' AND pool_key = '%{Calling-Station-Id}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = "COMMIT"
on_begin = "START TRANSACTION"
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
on_commit = "COMMIT"
off_begin = "START TRANSACTION"
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
off_commit = "COMMIT"
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP Framed-IP-Address (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned using only TLS 1.2 for security
Please set: min_tls_version = "1.2"
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
rlm_sql_mysql: libmysql version: 8.0.30
mysql {
tls {
tls_required = no
check_cert = no
check_cert_cn = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 10.5.5.17 (BRAS RB4011 TEST) to global clients list
rlm_sql (10.5.5.17): Client "BRAS RB4011 TEST" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "sqlippool" from file /etc/freeradius/3.0/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 36859
Listening on proxy address :: port 42334
Ready to process requests
(0) Received Access-Request Id 122 from 10.5.5.17:35276 to 10.7.7.20:1812 length 196
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15743036
(0) NAS-Port-Type = Ethernet
(0) User-Name = "isptest200"
(0) Calling-Station-Id = "80:8B:EB:B2:73:DB"
(0) Called-Station-Id = "PPPOE-FIBER"
(0) NAS-Port-Id = "VLAN1250 - FIBER"
(0) Acct-Session-Id = "81e03832"
(0) CHAP-Challenge = 0x5121406b2f5e153087cbb4adecd88780
(0) CHAP-Password = 0x019f2a968bf91f2df371a75863f391d707
(0) NAS-Identifier = "ROUTER PPPoE TEST"
(0) NAS-IP-Address = 10.5.5.17
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> isptest200
(0) sql: SQL-User-Name set to 'isptest200'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 77 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 77 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 77 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 77 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 77 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 77 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'isptest200' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'isptest200' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123123"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'isptest200' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'isptest200' ORDER BY id
rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Reserved connection (7)
rlm_sql (sql): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (8), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'isptest200' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'isptest200' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'fiber_test_500' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'fiber_test_500' ORDER BY id
(0) sql: Group "fiber_test_500": Conditional check items matched
(0) sql: Group "fiber_test_500": Merging assignment check items
(0) sql: Framed-Protocol := PPP
(0) sql: Pool-Name := "pool_freeradiustest"
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'fiber_test_500' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'fiber_test_500' ORDER BY id
(0) sql: Group "fiber_test_500": Merging reply items
(0) sql: Mikrotik-Rate-Limit := "500M/500M"
(0) sql: Acct-Interim-Interval := 300
(0) sql: MS-Primary-DNS-Server := 192.168.16.10
(0) sql: MS-Secondary-DNS-Server := 192.168.16.11
rlm_sql (sql): Released connection (6)
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "isptest200" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND %{User-Name}
(0) sql: --> isptest200
(0) sql: SQL-User-Name set to 'isptest200'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'isptest200', '0x019f2a968bf91f2df371a75863f391d707', 'Access-Accept', '2022-09-01 21:34:59')
(0) sql: EXPAND /var/log/freeradius/post-auth.sql
(0) sql: --> /var/log/freeradius/post-auth.sql
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'isptest200', '0x019f2a968bf91f2df371a75863f391d707', 'Access-Accept', '2022-09-01 21:34:59')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(0) [sql] = ok
rlm_sql (sql): Reserved connection (7)
(0) sqlippool: EXPAND %{User-Name}
(0) sqlippool: --> isptest200
(0) sqlippool: SQL-User-Name set to 'isptest200'
(0) sqlippool: EXPAND START TRANSACTION
(0) sqlippool: --> START TRANSACTION
(0) sqlippool: Executing query: START TRANSACTION
(0) sqlippool: EXPAND UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE pool_key = '%{Calling-Station-Id}'
(0) sqlippool: --> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE pool_key = '80:8B:EB:B2:73:DB'
(0) sqlippool: Executing query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE pool_key = '80:8B:EB:B2:73:DB'
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0
(0) sqlippool: EXPAND COMMIT
(0) sqlippool: --> COMMIT
(0) sqlippool: Executing query: COMMIT
(0) sqlippool: EXPAND START TRANSACTION
(0) sqlippool: --> START TRANSACTION
(0) sqlippool: Executing query: START TRANSACTION
(0) sqlippool: EXPAND SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE
(0) sqlippool: --> SELECT framedipaddress FROM radippool WHERE pool_name = 'pool_freeradiustest' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE
(0) sqlippool: Executing select query: SELECT framedipaddress FROM radippool WHERE pool_name = 'pool_freeradiustest' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE
(0) sqlippool: Allocated IP 100.64.20.144
(0) sqlippool: EXPAND UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{Calling-Station-Id}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 1600 SECOND WHERE framedipaddress = '100.64.20.144'
(0) sqlippool: --> UPDATE radippool SET nasipaddress = '10.5.5.17', pool_key = '80:8B:EB:B2:73:DB', callingstationid = '80:8B:EB:B2:73:DB', username = 'isptest200', expiry_time = NOW() + INTERVAL 1600 SECOND WHERE framedipaddress = '100.64.20.144'
(0) sqlippool: Executing query: UPDATE radippool SET nasipaddress = '10.5.5.17', pool_key = '80:8B:EB:B2:73:DB', callingstationid = '80:8B:EB:B2:73:DB', username = 'isptest200', expiry_time = NOW() + INTERVAL 1600 SECOND WHERE framedipaddress = '100.64.20.144'
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0
(0) sqlippool: EXPAND COMMIT
(0) sqlippool: --> COMMIT
(0) sqlippool: Executing query: COMMIT
rlm_sql (sql): Released connection (7)
(0) sqlippool: EXPAND Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})
(0) sqlippool: --> Allocated IP: 100.64.20.144 from pool_freeradiustest (did PPPOE-FIBRA cli 80:8B:EB:B2:73:DB port 15743036 user isptest200)
(0) [sqlippool] = ok
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 122 from 10.7.7.20:1812 to 10.5.5.17:35276 length 0
(0) Mikrotik-Rate-Limit = "500M/500M"
(0) Acct-Interim-Interval = 300
(0) MS-Primary-DNS-Server = 192.168.16.10
(0) MS-Secondary-DNS-Server = 192.168.16.11
(0) Framed-IP-Address = 100.64.20.144
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 122 with timestamp +77
Ready to process requests
3
11
Apparently I signed up for digest to the list and not sure how to change that back so your reply did not come to my inbox. I'm sorry if this starts a new thread.
Alan said:
"
What kind of "login attempt" do you mean?
FreeRADIUS only accepts packets from (a) clients with known IP addresses, and (b) clients who have the correct shared secret. So that solves essentially all of the "fake packet" problems.
For people trying username / password combinations, there isn't a lot you can do. Any unauthenticated system can do 802.1X, or anything similar which "tries to login". The NAS has to send such packets to the server.
You can't ban the NAS, because it's a real RADIUS client used by good users. You can't really ban the users based on multiple login attempts, because the names are used by "real" users, too. You can't usually ban by MAC address, because the attackers can easily spoof that.
So what are you trying to do? Your question is rather bit vague.
What kind of traffic are you seeing? What is common to the "bad" traffic, which you don't see in the "good" traffic?
Alan DeKok.
"
True, definitely not anything of that ilk.
I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.
I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work.
I've only used f2b for ssh monitoring which uses already established filters to comb the logs looking for the failed attempts, and the logs for radius I think will be easy enough for a filter, I didn't want to reinvent the wheel if there was already a good method available.
My apologies again if faking a reply causes issues with the original thread.
Brantley Padgett
The question is not how far. The question is,
do you possess the constitution,
the depth of faith, to go as far as is needed?
-Boondock Saints
3
3
I'm trying to build a new radius server and add some security from our current system. I'm curious if there's any kind of abuse/banning type concept built in, or if anyone is running something like fail2ban along side freeradius?
In the process of building a new server (and migrating from Solaris to Linux) I've found a disturbing amount of login attempts from some IPs and was hoping if nothing else to slow that onslaught some.
Brantley
The question is not how far. The question is,
do you possess the constitution,
the depth of faith, to go as far as is needed?
-Boondock Saints
2
1