Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
December 2023
- 27 participants
- 25 discussions
Hello everyone! :)
I have this working but it's not working for all of our users.
We have users in our Gsuite with to different email addresses:
domain.k12.in.us and students.domain.k12.in.us
I can authenticate users from one or the other by modifying the ldap file
under mods-enabled and changing the base_DN to match whichever group I want
to authenticate.
Can anyone, at a very simple level, explain to me how to allow the
freeradius server to authenticate users from two base_dn (domain.k12.in.us
and students.k12.in.us) using a single server? I've been tinkering with the
files and I'm not having any luck.
Thanks!
--
This message originated from Bartholomew Consolidated School Corporation,
Columbus, Indiana.
The message and any attachments may be confidential or
privileged and are intended only for the individual or entity identified
above as the addressee. This email should not be disseminated, distributed,
or copied. If you are not the addressee, or if this message has been
addressed to you in error, you are not authorized to read, copy or
distribute this message or any attachments; and we ask that you please
delete it and notify the sender by return e-mail. Delivery of this message
and any attachments to any person other than the intended recipient(s) is
not intended in any way to waive confidentiality or a privilege. All
personal messages express views only of the sender, which are not to be
attributed to Bartholomew Consolidated School Corporation, and may not be
copied or distributed without this statement.
3
2
hi,
Is it possible to configure a separate log file for the rlm_ldap module
through rlm_linelog or rlm_detail?
2
2
HI all,
We are handling interim-update for accounting purposes .so we
are getting interim-update every 10 sec. At that time we are using mysql
query to get data from mysql DB.
Like Below:
Executing select query: SELECT balance FROM users WHERE
username = '5656565'
We are getting below error sometimes while execute this query :
ERROR: rlm_sql_mysql: ERROR 2014 (Commands out of sync; you can't run this
command now): HY000
(17) ERROR: SQL query failed: server
suggest to me how i can avoid this error.
Thanks & Regards
Vinayak
--
*
*
*Disclaimer*
In addition to generic Disclaimer which you have agreed
on our website, any views or opinions presented in this email are solely
those of the originator and do not necessarily represent those of the
Company or its sister concerns. Any liability (in negligence, contract or
otherwise) arising from any third party taking any action, or refraining
from taking any action on the basis of any of the information contained in
this email is hereby excluded.
*Confidentiality*
This communication
(including any attachment/s) is intended only for the use of the
addressee(s) and contains information that is PRIVILEGED AND CONFIDENTIAL.
Unauthorized reading, dissemination, distribution, or copying of this
communication is prohibited. Please inform originator if you have received
it in error.
*Caution for viruses, malware etc.*
This communication,
including any attachments, may not be free of viruses, trojans, similar or
new contaminants/malware, interceptions or interference, and may not be
compatible with your systems. You shall carry out virus/malware scanning on
your own before opening any attachment to this e-mail. The sender of this
e-mail and Company including its sister concerns shall not be liable for
any damage that may incur to you as a result of viruses, incompleteness of
this message, a delay in receipt of this message or any other computer
problems.
2
1
Running Freeradius 3.2.3 (from freeradius rep)
installed with: sudo apt install freeradius freeradius-utils
freeradius-freetds
After running for 30-60 minutes this happens on all servers (3) (Debian
12-latetst)
Thu Dec 14 06:49:32 2023 : Error: rlm_sql_freetds: unable to send command
(ct_send())
Thu Dec 14 06:49:32 2023 : ERROR: (571) ERROR: rlm_sql_freetds: Server
msg from "mydbserver": severity(5701), number(0), origin(1), layer(1),
procedure "none": Changed database context to 'mydb'.
Thu Dec 14 06:49:32 2023 : ERROR: (571) ERROR: SQL query failed: server
error
Thu Dec 14 06:49:32 2023 : Auth: (571) Login incorrect (rlm_sql_freetds:
Server msg from "mydbserver": severity(5701), number(0), origin(1),
layer(1), procedure "none": Changed database context to 'mydblog'.):
[327700051207842] (from client 192.168.3.161/32 port 0 cli 327700051207842)
Thu Dec 14 06:49:32 2023 : Auth: (572) Login OK: [327700050547002] (from
client 192.168.3.161/32 port 0 cli 327700050547002)
Thu Dec 14 06:49:33 2023 : Auth: (573) Login OK: [327700050626183] (from
client 192.168.3.161/32 port 0 cli 327700050626183)
Thu Dec 14 06:49:33 2023 : Auth: (574) Login OK: [327700051319260] (from
client 192.168.3.161/32 port 0 cli 327700051319260)
Thu Dec 14 06:49:34 2023 : Auth: (575) Login OK: [327700051047968] (from
client 192.168.3.161/32 port 0 cli 327700051047968)
Thu Dec 14 06:49:35 2023 : Error: rlm_sql_freetds: unable to send command
(ct_send())
etc
etc
And start repeating like this forever. Most successful, some not.
Restarting freeradius solves it directly.
At that exact same moment my old centos server CAN connect with no issues
to that same db for years already.
I'm clueless whats going on here. But im almost sure it must be something
local.
Changing start servers did not help. Issue stays.
freetds.conf
# A typical Microsoft Azure SQL
[myserver]
host = mydb.database.windows.net
port = 1433
tds version = 7.3
database = mydb
Note that 7.4 does not connect but 7.3 or lower connects.
My Setup is a default as possible with 1 sql query that does accept for
unit or not.
freeradius-freetds seems to install:
freetds-common/stable,now 1.3.17+ds-2 all [installed,automatic]
Not sure what to do here to use latest from Freetds (1.4.1)
Any suggestions?
Thanks,
Olaf
3
3
HI team,
I am running freeradius -X and getting this error:
Failed creating control socket "/var/run/freeradius/freeradius.sock":
Control socket '/var/run/freeradius/freeradius.sock' is already in use
I have tried to delete the freeradius.sock file and then it gives me
another error:
Failed binding to auth address * port 1812 bound to server default: Address
already in use
/etc/freeradius/sites-enabled/default[59]: Error binding to port for
0.0.0.0 port 1812
I try killing the freeradius session and then it give me the same socket
error again. When I reboot, I don't see these errors, could you please help
on fixing this?
Below is the freeradius -X output
FreeRADIUS Version 3.2.3
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/date
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/krb5
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/totp
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/eap
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/rfc7542
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/eap
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
nonblock = no
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client private-network-1 {
ipaddr = 142.244.0.0/16
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = krb5
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = Kerberos
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_date
# Loading module "date" from file /etc/freeradius/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "auth_log" from file
/etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_krb5
# Loading module "krb5" from file /etc/freeradius/mods-enabled/krb5
krb5 {
keytab = "/etc/freeradius/keytab"
service_principal = "radius/sema"
}
# Loading module "sradutmp" from file
/etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/freeradius/mods-enabled/totp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "ntlm_auth" from file
/etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
instantiate {
}
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/coa
# Instantiating module "detail" from file
/etc/freeradius/mods-enabled/detail
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "reject" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "logintime" from file
/etc/freeradius/mods-enabled/logintime
# Instantiating module "auth_log" from file
/etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "linelog" from file
/etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/mods-enabled/linelog
# Instantiating module "etc_passwd" from file
/etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "files" from file
/etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file
/etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "IPASS" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "bangpath" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "krb5" from file /etc/freeradius/mods-enabled/krb5
Using MIT Kerberos library
rlm_krb5 (krb5): Using service principal "radius/
sema.srv.ualberta.ca(a)UALBERTA.CA"
rlm_krb5 (krb5): Using keytab "FILE:/etc/freeradius/keytab"
rlm_krb5 (krb5): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 0
retry_delay = 1
max_retries = 5
spread = no
}
rlm_krb5 (krb5): Opening additional connection (0), 1 of 32 pending slots
used
rlm_krb5 (krb5): Opening additional connection (1), 1 of 31 pending slots
used
rlm_krb5 (krb5): Opening additional connection (2), 1 of 30 pending slots
used
rlm_krb5 (krb5): Opening additional connection (3), 1 of 29 pending slots
used
rlm_krb5 (krb5): Opening additional connection (4), 1 of 28 pending slots
used
# Instantiating module "expiration" from file
/etc/freeradius/mods-enabled/expiration
# Instantiating module "mschap" from file
/etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
Compiling Auth-Type Kerberos for attr Auth-Type
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/sites-enabled/inner-tunnel:366
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
peercred = yes
}
Failed creating control socket "/var/run/freeradius/freeradius.sock":
Control socket '/var/run/freeradius/freeradius.sock' is already in use
3
5
Hi,
I am trying to build freeradius for almalinux8. I see rlm_perl skipped in "make rpm" output so build failed.
It said EXTERN.h is not found in /usr/local/include, so I copied that file as a step in dockerfile. But it still throws not found error.
#35 51.14 checking for EXTERN.h in /usr/local/include/... no
I also see /usr/lib64/perl5/CORE/ is in include path(-isystem /usr/lib64/perl5/CORE), but not sure why it is not searching EXTERN.h in that path.
#35 51.10 checking for EXTERN.h... no
#35 51.14 checking for EXTERN.h in /usr/local/include/... no
#35 51.18 checking for EXTERN.h in /opt/include/... no
#35 51.23 checking for EXTERN.h in /usr/local/EXTERN/include/... no
#35 51.27 checking for EXTERN.h in /opt/homebrew/include/... no
#35 51.31 checking for EXTERN.h in /opt/homebrew/opt/EXTERN/include/... no
Below is the extracted output of the docker build.
#12 [build-stage 9/32] RUN cp /usr/lib64/perl5/CORE/*.h /usr/local/include/
#12 DONE 0.5s
#13 [build-stage 10/32] RUN cp /usr/lib64/perl5/CORE/*.so /usr/local/lib/
#13 DONE 0.5s
#14 [build-stage 11/32] RUN ls /usr/local/include/
#14 0.385 EXTERN.h
#14 0.385 INTERN.h
#14 0.385 XSUB.h
#14 0.385 av.h
...
...
#34 [build-stage 31/32] RUN ls /usr/local/include/
#34 0.558 EXTERN.h
#34 0.558 INTERN.h
#34 0.558 XSUB.h
...
...
#35 [build-stage 32/32] RUN --mount=type=ssh scl enable devtoolset-8 "CFLAGS=-g make rpm"
#35 1.067 rm -rf /usr/local/src/repositories/freeradius-server/build/freeradius-server-4.0
#35 1.071 mkdir -p /usr/local/src/repositories/freeradius-server/build
...
...
#35 50.11 Running tests for rlm_perl
#35 50.11
#35 50.21 checking for x86_64-redhat-linux-gnu-gcc... /opt/rh/devtoolset-8/root/usr/bin/gcc
#35 50.29 checking whether the C compiler works... yes
#35 50.37 checking for C compiler default output file name... a.out
#35 50.37 checking for suffix of executables...
#35 50.45 checking whether we are cross compiling... no
#35 50.53 checking for suffix of object files... o
#35 50.58 checking whether the compiler supports GNU C... yes
#35 50.63 checking whether /opt/rh/devtoolset-8/root/usr/bin/gcc accepts -g... yes
#35 50.67 checking for /opt/rh/devtoolset-8/root/usr/bin/gcc option to enable C11 features... none needed
#35 50.74 checking how to run the C preprocessor... /opt/rh/devtoolset-8/root/usr/bin/gcc -E
#35 50.86 checking whether perl executable path has been provided... no
#35 50.86 checking for perl... /usr/bin/perl
#35 50.86 configure: Calling ExtUtils::Embed to get 'ccopts'
#35 50.89 configure: ExtUtil's ccopts were " -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fwrapv -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/lib64/perl5/CORE "
#35 50.89 configure: Sanitized ccopts are "-D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fcf-protection -fwrapv -fno-strict-aliasing -isystem /usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -isystem /usr/lib64/perl5/CORE"
#35 50.89 configure: Calling ExtUtils::Embed to get 'ldflags'
#35 51.08 configure: ExtUtil's ldopts were "-Wl,--enable-new-dtags -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -fstack-protector-strong -L/usr/local/lib -L/usr/lib64/perl5/CORE -lperl -lpthread -lresolv -ldl -lm -lcrypt -lutil -lc"
#35 51.09 configure: Sanitized ldopts are "-Wl,--enable-new-dtags -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -fstack-protector-strong -L/usr/local/lib -L/usr/lib64/perl5/CORE -lperl -lpthread -lresolv -ldl -lm -lcrypt -lutil -lc"
#35 51.10 checking for EXTERN.h... no
#35 51.14 checking for EXTERN.h in /usr/local/include/... no
#35 51.18 checking for EXTERN.h in /opt/include/... no
#35 51.23 checking for EXTERN.h in /usr/local/EXTERN/include/... no
#35 51.27 checking for EXTERN.h in /opt/homebrew/include/... no
#35 51.31 checking for EXTERN.h in /opt/homebrew/opt/EXTERN/include/... no
#35 51.36 checking for perl.h... no
#35 51.40 checking for perl.h in /usr/local/include/... no
#35 51.44 checking for perl.h in /opt/include/... no
#35 51.48 checking for perl.h in /usr/local/perl/include/... no
#35 51.52 checking for perl.h in /opt/homebrew/include/... no
#35 51.55 checking for perl.h in /opt/homebrew/opt/perl/include/... no
#35 51.59 checking we can link to boot_DynaLoader... no
#35 51.64 checking we can link to Perl_hv_store()... no
#35 51.68 configure: WARNING: silently not building rlm_perl.
#35 51.68 configure: WARNING: FAILURE: rlm_perl requires: EXTERN.h EXTERN.h libperl.so libperl.so.
#35 51.73 configure: creating ./config.status
#35 52.01 config.status: creating all.mk
#35 52.04 config.status: creating config.h
...
...
#35 87.95 rlm_pap ................. OK
#35 87.96 rlm_passwd .............. OK
#35 87.98 rlm_perl ................ skipping (requires EXTERN.h EXTERN.h libperl.so libperl.so)
#35 87.99 rlm_python .............. OK
#35 88.00 rlm_radius .............. OK
...
...
#35 211.1 RPM build errors:
#35 211.1 error: File not found: /usr/local/src/repositories/freeradius-server/rpmbuild/BUILDROOT/freeradius-4.0-1.el8.x86_64/usr/lib64/freeradius/rlm_perl.so
#35 211.1 File listed twice: /etc/raddb/certs/bootstrap
#35 211.1 File listed twice: /etc/raddb/sites-enabled
#35 211.1 File not found: /usr/local/src/repositories/freeradius-server/rpmbuild/BUILDROOT/freeradius-4.0-1.el8.x86_64/usr/bin/*_tests
#35 211.1 File not found: /usr/local/src/repositories/freeradius-server/rpmbuild/BUILDROOT/freeradius-4.0-1.el8.x86_64/usr/lib64/freeradius/rlm_perl.so
#35 211.1 make: *** [Makefile:530: rpm] Error 1
#35 ERROR: process "/bin/sh -c scl enable devtoolset-8 \"CFLAGS=-g make rpm\"" did not complete successfully: exit code: 2
Regards,
Nagamani Chinnapaiyan
2
1
Hi everyone,
I am trying to authenticate using ldap on freeradius. But it keeps giving
me "could not start TLS" error.
Below are the freeradius debugs:
FreeRADIUS Version 3.0.26
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file
/etc/freeradius/3.0/mods-config/sql/main/sqlite/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/eap
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/tls
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_accept = no
auth_reject = no
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server tls {
ipaddr = 127.0.0.1
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
tls {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
random_file = "/dev/urandom"
fragment_size = 8192
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ca_path_reload_interval = 0
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
}
tls: Setting DH parameters from /etc/freeradius/3.0/certs/dh - this is no
longer necessary.
tls: You should comment out the 'dh_file' configuration item.
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
home_server_pool tls {
type = fail-over
home_server = tls
}
realm tls {
auth_pool = tls
}
radiusd: #### Loading Clients ####
client wireless {
ipaddr = 172.20.252.242
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client ldap {
ipaddr = 129.128.221.161
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = LDAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_unpack
# Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
ldap {
server = "directory.srv.ualberta.ca"
identity = "cn=wireless,ou=ldapaccess,dc=ualberta,dc=ca"
password = <<< secret >>>
sasl {
mech = "EXTERNAL"
}
user_dn = "LDAP-UserDn"
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "ou=people,dc=ualberta,dc=ca"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
certificate_file =
"/etc/ssl/certs/test-freeradius.corenet.ualberta.ca-cert.pem"
private_key_file =
"/etc/ssl/private/test-freeradius.corenet.ualberta.ca-key.pem"
random_file = "/dev/random"
start_tls = yes
}
}
Creating attribute LDAP-Group
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
sql {
driver = "rlm_sql_null"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol
FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference =
"%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
%{%{integer:Event-Timestamp}:-%l}, acctsessiontime =
(%{%{integer:Event-Timestamp}:-%l} - acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress =
'%{NAS-IP-Address}' AND acctstarttime <= %{%{integer:Event-Timestamp}:-%l}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
%{%{integer:Event-Timestamp}:-%l}, acctsessiontime =
(%{%{integer:Event-Timestamp}:-%l} - acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress =
'%{NAS-IP-Address}' AND acctstarttime <= %{%{integer:Event-Timestamp}:-%l}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype, acctstarttime,
acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, framedipv6address, framedipv6prefix,
framedinterfaceid, delegatedipv6prefix ) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}',
%{%{integer:Event-Timestamp}:-%l}, %{%{integer:Event-Timestamp}:-%l}, NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}',
'%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}',
'%{Delegated-IPv6-Prefix}' )"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime =
%{%{integer:Event-Timestamp}:-%l}, acctinterval = 0, framedipaddress =
'%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}',
framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid =
'%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}',
acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets =
%{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0},
acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 |
%{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime =
%{%{integer:Event-Timestamp}:-%l}, acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
%{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0},
acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 |
%{%{Acct-Output-Octets}:-0}, acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate )
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S.%M' )"
}
}
rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_always
# Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile =
"/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
instantiate {
}
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "ldap" from file
/etc/freeradius/3.0/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20516
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://directory.srv.ualberta.ca:389
TLS: can't connect: (unknown error code).
rlm_ldap (ldap): Could not start TLS: Connect error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module
"ldap"
Could you please help me with this? I have a certificate installed and have
pointed my config files to it. Thanks.
Regards,
Deepansha Gaur
2
2
11 Dec '23
Dear users,
After 6 years running Freeradius on CentOS 7 successfully it's time to
migrate to Debian12.
CentOS7 setup: Freeradius 3, FreeTDS and unixodbc. No setup issues.
On my new Debian 12.2 server things seem not that easy.
By default, Freeradius is not compiled with unixdbc.
Ok, I'm not an advanced user on compile from source but ending up with
things like:
configure: WARNING: silently not building rlm_sql_unixodbc. configure:
WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
https://serverfault.com/questions/448365/debian-build-the-freeradius-packag…
.
No solution for Debian 12.unixodbc-(dev) is installed but still...
##############################################################
Next try is to use iODBC.
Also not working. iodbc modules on debian12 are 12+ years old.
Ok compiling from source and issues again;
configure.ac:320: error: possibly undefined macro: AM_PATH_GTK
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
make: *** [/usr/share/cdbs/1/class/autotools-files.mk:71:
debian/stamp-autotools-files] Error 1
dpkg-buildpackage: error: debian/rules build subprocess returned exit
status 2
Got stuck again.
##############################################################
Next try is to use FreeTDS module with
/usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so
odbc.ini, odbcinst.ini and FreeTDS.conf configured as it should be.
no luck still,
freeradius -X always show:
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_freetds: unable to establish db to symbolic servername mydatabasedsn
rlm_sql_freetds: client error: severity(0), number(34), origin(0),
layer(0): Adaptive Server connection failed
rlm_sql_freetds: socket destructor called, closing socket
rlm_sql (sql): Opening connection failed (0)
rlm_sql (sql): Removing connection pool
/etc/freeradius/mods-enabled/sql[27]: Instantiation failed for module "sql"
Got stuck again.
With isql and tsql i can connect manually, so the server>azure sql link
works.
No issues with that.
Summary of my request:
If anyone could provide me some help how to get a working sql connection
from Freeradius to azure sql on debian12 would be great, regardless of the
connection method.
Or it's a missing (for me unknown param in mods-enabled\sql)
Thanks,
Olaf
3
6
Dear All
I followed the step from
https://networkradius.com/packages/#fr32-debian-bullseye
```
root@freeradius32apt ~# freeradius -v
radiusd: FreeRADIUS Version 3.2.3 (git #db3d1924d), for host
x86_64-pc-linux-gnu
FreeRADIUS Version 3.2.3
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
```
I'm trying to do dynamic-clients with rest
so I did (as root)
```
apt install freeradius-rest
```
and here is freeradius/mods-enabled/rest
```
rest {
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to a HTTPS
# server.
#
tls {
}
# rlm_rest will open a connection to the server specified in connect_uri
# to populate the connection cache, ready for the first request.
# The server will not start if the server specified is unreachable.
#
# If you wish to disable this pre-caching and reachability check,
# comment out the configuration item below.
# connect_uri = "http://127.0.0.1/"
#
# How long before new connection attempts timeout, defaults to 4.0 seconds.
#
connect_timeout = 10.0
#
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0',
'2.0+auto',
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
#
# http_negotiation = 1.1
authorize {
uri = "http://192.168.56.1:5000/radius/authorize"
method = 'post'
body = 'JSON'
}
authenticate {
uri = "http://192.168.56.1:5000/radius/authenticate"
method = 'post'
body = JSON
}
preacct {
}
accounting {
uri = "http://192.168.56.1:5000/radius/accounting"
method = 'post'
body = JSON
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
# Options for calling rest xlats
# uri and method will be derived from the string provided to the xlat
xlat {
body_uri_encode = yes
}
#
# The connection pool is used to pool outgoing connections.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
```
my sites-enabled/default
```
server default {
listen {
type = auth
ipaddr = 192.168.56.110
port = 0
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = 192.168.56.110
port = 0
type = acct
limit {
# The number of packets received can be rate limited via the
# "max_pps" configuration item. When it is set, the server
# tracks the total number of packets received in the previous
# second. If the count is greater than "max_pps", then the
# new packet is silently discarded. This helps the server
# deal with overload situations.
#
# The packets/s counter is tracked in a sliding window. This
# means that the pps calculation is done for the second
# before the current packet was received. NOT for the current
# wall-clock second, and NOT for the previous wall-clock second.
#
# Useful values are 0 (no limit), or 100 to 10000.
# Values lower than 100 will likely cause the server to ignore
# normal traffic. Few systems are capable of handling more than
# 10K packets/s.
#
# It is most useful for accounting systems. Set it to 50%
# more than the normal accounting load, and you can be sure that
# the server will never get overloaded
#
# max_pps = 0
# Only for "proto = tcp". These are ignored for "udp" sockets.
#
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}
# IPv6 versions of the above - read their full config to understand options
authorize {
filter_username
preprocess
rest
chap
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
acct_unique
}
#
# Accounting. Log the accounting data.
#
accounting {
rest
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
Post-Auth-Type REJECT {
}
#
# Filter access challenges.
#
Post-Auth-Type Challenge {
}
Post-Auth-Type Client-Lost {
}
#
# If the client sends EAP-Key-Name in the request,
# then echo the real value back in the reply.
#
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
}
}
```
below is my freeradius/sites-enabled/dynamic-clients
```
# -*- text -*-
#
# Define a network where clients may be dynamically defined.
client dynamic {
#
# You MUST specify a netmask!
# IPv4 /32 or IPv6 /128 are NOT allowed!
ipaddr = 192.168.56.0/24
dynamic_clients = dynamic_clients
lifetime = 3600
}
#
# This is the virtual server referenced above by "dynamic_clients".
server dynamic_clients {
#
# The only contents of the virtual server is the "authorize" section.
authorize {
rest
#
# Tell the caller that the client was defined properly.
#
# If the authorize section does NOT return "ok", then
# the new client is ignored.
ok
}
}
```
When I try to connect my pppoe client to my pppoe-server, freeradius said
that the client (pppoe-server) is unknown
some Output from --> freeradius -XXX
```
Wed Dec 6 23:08:21 2023 : Debug: (0) server dynamic_clients {
Wed Dec 6 23:08:21 2023 : Debug: (0) # Executing section authorize from
file /etc/freeradius/sites-enabled/dynamic-clients
Wed Dec 6 23:08:21 2023 : Debug: (0) authorize {
Wed Dec 6 23:08:21 2023 : Debug: (0) modsingle[authorize]: calling
rest (rlm_rest)
Wed Dec 6 23:08:21 2023 : Debug: rlm_rest (rest): Reserved connection (0)
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Expanding URI components
Wed Dec 6 23:08:21 2023 : Debug: http://192.168.56.1:5000
Wed Dec 6 23:08:21 2023 : Debug: Parsed xlat tree:
Wed Dec 6 23:08:21 2023 : Debug: literal --> http://192.168.56.1:5000
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: EXPAND http://192.168.56.1:5000
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: --> http://192.168.56.1:5000
Wed Dec 6 23:08:21 2023 : Debug: /radius/authorize
Wed Dec 6 23:08:21 2023 : Debug: Parsed xlat tree:
Wed Dec 6 23:08:21 2023 : Debug: literal --> /radius/authorize
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: EXPAND /radius/authorize
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: --> /radius/authorize
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Sending HTTP POST to "
http://192.168.56.1:5000/radius/authorize"
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Adding custom headers:
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: X-FreeRADIUS-Section:
authorize
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: X-FreeRADIUS-Server:
dynamic_clients
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Request body content-type will
be "application/json"
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: JSON Data: {}
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Returning 2 bytes of JSON data
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Processing response header
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Status : 500 (INTERNAL SERVER
ERROR)
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Type : json
(application/json)
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Adding
reply:REST-HTTP-Status-Code = "500"
Wed Dec 6 23:08:21 2023 : ERROR: (0) rest: Server returned:
Wed Dec 6 23:08:21 2023 : ERROR: (0) rest: {}
Wed Dec 6 23:08:21 2023 : Debug: rlm_rest (rest): Released connection (0)
```
Kindly please look at line 22 of debug lines
```
Wed Dec 6 23:08:21 2023 : Debug: (0) rest: JSON Data: {}
```
I think freeradius did not wrap any data to json body
Is that a bug?
if not, kindly please tell me how to fix
Sincerely
-bino-
2
4
We are observing radiusd crash when we receive zero length option61 in the dhcp request message.(we are using 2 months old 4.x)
3d 00
Option: (61) Client identifier
Length: 0
Value: <MISSING>
Thanks,
Nagamani Chinnapaiyan
3
4